[Bug network/13935] New: getaddrinfo NXDOMAIN hijack exploit for hosts with two-component hostnames

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "nagle at sitetruth dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug network/13935] New: getaddrinfo NXDOMAIN hijack exploit for hosts with two-component hostnames
Date: Sun, 01 Apr 2012 20:16:00 -0000	[thread overview]
Message-ID: <bug-13935-131@http.sourceware.org/bugzilla/> (raw)

http://sourceware.org/bugzilla/show_bug.cgi?id=13935

             Bug #: 13935
           Summary: getaddrinfo NXDOMAIN hijack exploit for hosts with
                    two-component hostnames
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
        AssignedTo: unassigned@sourceware.org
        ReportedBy: nagle@sitetruth.com
    Classification: Unclassified

The default behavior of getaddrinfo results in a way to hijack failed
(NXDOMAIN) domain lookups. 

The man page for resolv.conf(5) says:

domain Local domain name.

Most queries for names within this domain can use short names relative to the
local domain. If no domain entry is present, the domain is determined from the
local hostname returned by gethostname(2); the domain part is taken to be
everything after the first '.'. Finally, if the hostname does not contain a
domain part, the root domain is assumed. 

Therein lies the problem.  The default case is exploitable.  If a server has a
domain name "companyname.com", the domain part, "everything after the first
'.'", is "com".  So failed a failed lookup of "xyz.com" is retried as
"xyz.com.com".  

The proprietors of "com.com" have chosen to exploit this by using a wildcard
DNS A record for "*.com.com", and redirecting the traffic thus captured to
(inevitably) an ad-heavy site.  Visit "gnu.com.com", for example.  

This problem is most visible when the hostname has two components, and the TLD
is ".com".  Most hosting services use long generated host names, such as
"gator123.hostgator.com", and so their default base domain is "hostgator.com". 
This is less exploitable.  There are "net.net" and "org.org" domains, but they
are not currently capturing undefined subdomains.  There may be other exploits
in the country

I suggest that the default behavior be changed.  Consider defaulting "ndots" to
0, or at least don't use the default domain for searches unless it has more
than a TLD.  

First reported in December 2011 at

http://serverfault.com/questions/341383/possible-nxdomain-hijacking

by a user who was puzzled that his two seemingly identical test and production
servers behaved differently.  For me, it's caused a web crawler to misidentify
nonexistent domains.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

next             reply	other threads:[~2012-04-01 20:16 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-04-01 20:16 nagle at sitetruth dot com [this message]
2012-04-01 21:06 ` [Bug network/13935] " nagle at sitetruth dot com
2012-04-01 22:20 ` nagle at sitetruth dot com
2012-04-02 17:35 ` ppluzhnikov at google dot com
2012-04-04  2:51 ` nagle at sitetruth dot com
2012-08-24 10:48 ` scorneli at redhat dot com
2012-08-24 16:46 ` nagle at sitetruth dot com
2012-08-24 17:31 ` law at redhat dot com
2012-11-03 17:01 ` karme at karme dot de
2013-09-12  8:35 ` berend.de.schouwer at gmail dot com
2014-02-16 19:42 ` jackie.rosen at hushmail dot com
2014-05-28 19:43 ` schwab at sourceware dot org
2014-06-25 11:24 ` fweimer at redhat dot com
2020-06-22 13:40 ` fweimer at redhat dot com
2020-06-22 13:43 ` carlos at redhat dot com
2020-06-22 13:44 ` fweimer at redhat dot com
2020-06-22 13:58 ` schwab@linux-m68k.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-13935-131@http.sourceware.org/bugzilla/ \
    --to=sourceware-bugzilla@sourceware.org \
    --cc=glibc-bugs@sources.redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).