public inbox for glibc-bugs@sourceware.org
From: "nagle at sitetruth dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug network/13935] New: getaddrinfo NXDOMAIN hijack exploit for hosts with two-component hostnames
Date: Sun, 01 Apr 2012 20:16:00 -0000
Message-ID: <bug-13935-131@http.sourceware.org/bugzilla/>

http://sourceware.org/bugzilla/show_bug.cgi?id=13935

             Bug #: 13935
            Summary: getaddrinfo NXDOMAIN hijack exploit for hosts with
                     two-component hostnames
            Product: glibc
            Version: unspecified
             Status: NEW
           Severity: normal
           Priority: P2
          Component: network
         AssignedTo: unassigned@sourceware.org
         ReportedBy: nagle@sitetruth.com
     Classification: Unclassified

The default behavior of getaddrinfo results in a way to hijack failed (NXDOMAIN) domain lookups.

The man page for resolv.conf(5) says:

    domain Local domain name.
        Most queries for names within this domain can use short names
        relative to the local domain. If no domain entry is present, the
        domain is determined from the local hostname returned by
        gethostname(2); the domain part is taken to be everything after
        the first '.'. Finally, if the hostname does not contain a domain
        part, the root domain is assumed.

Therein lies the problem. The default case is exploitable.

If a server has a domain name "companyname.com", the domain part, "everything after the first '.'", is "com". So a failed lookup of "xyz.com" is retried as "xyz.com.com". The proprietors of "com.com" have chosen to exploit this by using a wildcard DNS A record for "*.com.com", and redirecting the traffic thus captured to (inevitably) an ad-heavy site. Visit "gnu.com.com", for example.

This problem is most visible when the hostname has two components, and the TLD is ".com". Most hosting services use long generated host names, such as "gator123.hostgator.com", and so their default base domain is "hostgator.com". This is less exploitable.

There are "net.net" and "org.org" domains, but they are not currently capturing undefined subdomains. There may be other exploits in the country

I suggest that the default behavior be changed. Consider defaulting "ndots" to 0, or at least don't use the default domain for searches unless it has more than a TLD.

First reported in December 2011 at http://serverfault.com/questions/341383/possible-nxdomain-hijacking by a user who was puzzled that his two seemingly identical test and production servers behaved differently. For me, it's caused a web crawler to misidentify nonexistent domains.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
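The following is an added illustration, not part of the bug report or of glibc: a small Python model of the resolv.conf(5) rules quoted above (default search domain derived from the hostname, and the order in which a resolver tries a name), plus the "more than a TLD" check the reporter suggests. The hostnames and lookup names are the constructed ones from the report; the function names are my own.

```python
from typing import List, Optional


def _absolute(name: str) -> str:
    """Make a name absolute (trailing dot) if it is not already."""
    return name if name.endswith(".") else name + "."


def default_search_domain(hostname: str) -> str:
    """resolv.conf(5) default when no 'domain' entry exists: everything after
    the first '.' of the local hostname; no '.' at all means the root ("")."""
    _, dot, rest = hostname.partition(".")
    return rest if dot else ""


def search_candidates(name: str, search_domain: str, ndots: int = 1) -> List[str]:
    """Names the resolver tries, in order. A trailing dot means absolute: the
    search domain is never appended. Otherwise, in this model, ndots decides
    only the order: a name with at least ndots dots is tried as-is first and
    then with the search domain appended; a name with fewer dots is tried the
    other way round. The search domain is consulted in both cases."""
    if name.endswith("."):
        return [name]
    as_is = _absolute(name)
    if not search_domain:            # root domain: nothing to append
        return [as_is]
    qualified = _absolute(f"{name}.{search_domain}")
    if name.count(".") >= ndots:
        return [as_is, qualified]
    return [qualified, as_is]


def bare_tld_expansion(name: str, hostname: str, ndots: int = 1) -> Optional[str]:
    """The expanded name that a wildcard record under the derived search domain
    would answer once the lookup of `name` itself returns NXDOMAIN, or None when
    no such expansion happens. Applies the report's suggested rule: a derived
    domain that is a bare TLD (a single label) is the exposed case; a derived
    domain with more than one label is not treated as exposed."""
    domain = default_search_domain(hostname)
    if not domain or "." in domain:
        return None
    tried = search_candidates(name, domain, ndots)
    return next((t for t in tried if t != _absolute(name)), None)


if __name__ == "__main__":
    # Constructed hostnames covering the two scenarios in the report.
    for host in ("companyname.com", "gator123.hostgator.com", "localhost"):
        print(host, search_candidates("xyz.com", default_search_domain(host)),
              bare_tld_expansion("xyz.com", host))
```

Note that in this model setting ndots to 0 only changes the order of the attempts; the expansion to "xyz.com.com." still happens, whereas refusing a single-label derived domain removes it.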