Re: Security bug: querying the nameserver for your own ip address

On Mon, 13 Nov 2006, Mikulas Patocka wrote:

I am running xfree86 on a configuration with only tcp/ip (no unix domain sockets) and I discovered a really weird behaviour:

When the standard ":0.0" display is passed to an application, Xlib calls gethostname() to determine my own host name, then queries the nameserver for that name and connects to that IP address --- this opens a pretty bad security hole: anyone on the LAN can spoof nameserver responses and mess with applications that are supposed to run locally. Why doesn't it use 127.0.0.1, which is designed for this purpose?

So far, I fixed it with this patch (it needs to have IPv6 support added if you want to commit it).

Mikulas

diff -u -r ../../X/XC/LIB/XTRANS/XTRANSSOCK.C ./XTRANS/XTRANSSOCK.C
--- ../../X/XC/LIB/XTRANS/XTRANSSOCK.C  2006-03-01 23:01:55.000000000 +0200
+++ ./XTRANS/XTRANSSOCK.C       2006-11-13 06:52:44.000000000 +0200
@@ -1408,12 +1408,13 @@

    PRMSG (2,"SocketINETConnect(%d,%s,%s)\n", ciptr->fd, host, port);

+    hostnamebuf[0] = '\0';
+    (void) TRANS(GetHostname) (hostnamebuf, sizeof hostnamebuf);
    if (!host)
    {
-       hostnamebuf[0] = '\0';
-       (void) TRANS(GetHostname) (hostnamebuf, sizeof hostnamebuf);
       host = hostnamebuf;
    }
+    if (!strcasecmp(host, hostnamebuf)) host = "127.0.0.1";

#ifdef X11_t
    /*
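
Review bot: the added `strcasecmp(host, hostnamebuf)` test runs even when `TRANS(GetHostname)` has failed, because its result is still discarded with `(void)` and `hostnamebuf` then stays an empty string; a caller passing an empty `host` would compare equal and be rewritten to 127.0.0.1. Check the return value (or require a non-empty `hostnamebuf`) before comparing. The comparison is also an exact string match, so a fully qualified or aliased spelling of the local name is left unchanged and still goes to the resolver, and the hard-coded IPv4 literal needs an address-family-aware counterpart, as the message itself notes for IPv6.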

I don't particularly agree with this change. If a system cannot trust its own hostname, spoofing an X connection would be the least of your worries. Besides, you can accomplish the same thing by including the hostname in /etc/hosts and configuring your name resolution to look at files first.

Also, this change doesn't really fix the problem, even if name resolution is compromised.

Marc.

+----------------------------------+----------------------------------+
|  Marc Aurele La France           |  work:   1-780-492-9310          |
|  Academic Information and        |  fax:    1-780-492-1729          |
|    Communications Technologies   |  email:  tsi@xxxxxxxxxxx         |
|  352 General Services Building   +----------------------------------+
|  University of Alberta           |                                  |
|  Edmonton, Alberta               |    Standard disclaimers apply    |
|  T6G 2H1                         |                                  |
|  CANADA                          |                                  |
+----------------------------------+----------------------------------+
XFree86 developer and VP.  ATI driver and X server internals.
_______________________________________________
Devel mailing list
Devel@xxxxxxxxxxx
http://XFree86.Org/mailman/listinfo/devel
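
The reply above suggests listing the hostname in /etc/hosts and having name resolution consult files first. As an added example (not part of the original thread), these shell functions check both conditions; the function names are made up here, and they assume a glibc-style `hosts:` line in /etc/nsswitch.conf and treat only the `dns` source as the network lookup.

```shell
# Added example, not from the thread. File paths are parameters so the
# checks can be run against copies; defaults are the usual locations.

# Succeeds if the "hosts:" line lists "files" before any "dns" source.
files_before_dns() {
    awk '$1 == "hosts:" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "files") { ok = 1; exit }
                 if ($i == "dns")   { exit }
             }
         }
         END { exit !ok }' "${1:-/etc/nsswitch.conf}"
}

# Succeeds if NAME appears as a hostname or alias on a non-comment line
# of the hosts file (case-insensitive); prints the address it is pinned to.
name_in_hosts() {
    awk -v want="$1" '
        { sub(/#.*/, "") }              # drop comments before splitting
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(want)) { print $1; found = 1; exit } }
        END { exit !found }' "${2:-/etc/hosts}"
}

# Both conditions together, for the local hostname by default.
# Usage: local_name_pinned [name] [nsswitch file] [hosts file]
local_name_pinned() {
    name=${1:-$(hostname)}
    files_before_dns "${2:-/etc/nsswitch.conf}" &&
        name_in_hosts "$name" "${3:-/etc/hosts}"
}
```

Calling `local_name_pinned` with no arguments checks the running system and prints the address the local name is pinned to; a non-zero exit status means the name can still be answered from DNS.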