From: "nagle at sitetruth dot com"
To: glibc-bugs@sources.redhat.com
Subject: [Bug network/13935] New: getaddrinfo NXDOMAIN hijack exploit for hosts with two-component hostnames
Date: Sun, 01 Apr 2012 20:16:00 -0000

http://sourceware.org/bugzilla/show_bug.cgi?id=13935

           Bug #: 13935
          Summary: getaddrinfo NXDOMAIN hijack exploit for hosts with
                   two-component hostnames
          Product: glibc
          Version: unspecified
           Status: NEW
         Severity: normal
         Priority: P2
        Component: network
       AssignedTo: unassigned@sourceware.org
       ReportedBy: nagle@sitetruth.com
   Classification: Unclassified

The default behavior of getaddrinfo results in a way to hijack failed
(NXDOMAIN) domain lookups. The man page for resolv.conf(5) says:

    domain Local domain name.
    Most queries for names within this domain can use short names
    relative to the local domain. If no domain entry is present, the
    domain is determined from the local hostname returned by
    gethostname(2); the domain part is taken to be everything after
    the first '.'. Finally, if the hostname does not contain a domain
    part, the root domain is assumed.

Therein lies the problem. The default case is exploitable.

If a server has a domain name "companyname.com", the domain part,
"everything after the first '.'", is "com". So a failed lookup of
"xyz.com" is retried as "xyz.com.com". The proprietors of "com.com"
have chosen to exploit this by using a wildcard DNS A record for
"*.com.com", and redirecting the traffic thus captured to (inevitably)
an ad-heavy site. Visit "gnu.com.com", for example.

This problem is most visible when the hostname has two components, and
the TLD is ".com". Most hosting services use long generated host names,
such as "gator123.hostgator.com", and so their default base domain is
"hostgator.com". This is less exploitable. There are "net.net" and
"org.org" domains, but they are not currently capturing undefined
subdomains. There may be other exploits in the country

I suggest that the default behavior be changed. Consider defaulting
"ndots" to 0, or at least don't use the default domain for searches
unless it has more than a TLD.

First reported in December 2011 at
http://serverfault.com/questions/341383/possible-nxdomain-hijacking
by a user who was puzzled that his two seemingly identical test and
production servers behaved differently. For me, it's caused a web
crawler to misidentify nonexistent domains.
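The search behaviour the report describes, as an added illustration (not glibc's code and not part of the original message): it derives the implicit search domain from the hostname exactly as resolv.conf(5) says, lists the order in which a lookup would be sent to the server, and applies the report's suggested check of not using the derived domain when it is a bare TLD. It assumes the resolv.conf(5) default of ndots=1 and that the search list is used for names with and without dots.

```python
# Added illustration of the resolver search behaviour described in the report;
# not glibc's code. Assumes ndots=1 by default and that search domains are
# appended for both dotted and undotted names.

def default_search_domain(hostname):
    """Implicit 'domain' entry per resolv.conf(5): everything after the
    first '.'. An empty string means the root domain (no domain part)."""
    return hostname.partition(".")[2]


def is_bare_tld(domain):
    """A one-label search domain such as 'com' is the risky case in the
    report: every failed lookup of 'x.com' becomes a lookup of 'x.com.com'."""
    return domain != "" and "." not in domain


def search_list(hostname, skip_bare_tld=False):
    """Search list derived from the hostname. With skip_bare_tld=True the
    report's suggested mitigation is applied: a bare TLD is not used."""
    domain = default_search_domain(hostname)
    if not domain or (skip_bare_tld and is_bare_tld(domain)):
        return []
    return [domain]


def query_order(name, hostname, ndots=1, skip_bare_tld=False):
    """Order in which names would be sent to the DNS server for `name`.

    A trailing dot makes the name absolute: only that query is sent.
    With at least `ndots` dots the name is tried as-is first and, on
    NXDOMAIN, each search domain is appended in turn. With fewer dots
    the suffixed names are tried first and the bare name last."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{d}" for d in search_list(hostname, skip_bare_tld)]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


if __name__ == "__main__":
    # Constructed inputs taken from the report's own examples.
    print(query_order("xyz.com", "companyname.com"))         # ['xyz.com', 'xyz.com.com']
    print(query_order("xyz.com", "gator123.hostgator.com"))  # ['xyz.com', 'xyz.com.hostgator.com']
    print(query_order("xyz.com", "companyname.com", skip_bare_tld=True))  # ['xyz.com']
```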