Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 4 Mar 2013 20:31:14 +0100 (CET)
From: Remi Gacogne <rgacogne-bugs@...edump.fr>
To: oss-security@...ts.openwall.com
Subject: Reverse lookup issue in Net::Server


Hi,

I think there is a security issue in the way the access control feature
of Net::Server (http://search.cpan.org/perldoc?Net%3A%3AServer) works.
Net::Server is used by various projects including Munin, Postgrey and 
SQLgrey.

The issue lies in the fact that the allow / deny access control
does not perform a valid DNS check when given a hostname parameter
and the 'reverse_lookups' option is enabled.
The current code only checks that the incoming connection source IP
address has a reverse DNS matching the given hostname, but does not
check that the hostname resolves back to this source IP address (see
how the $prop->{'peerhost'} property is set in get_client_info(),
lib/Net/Server.pm:553, then used in allow_deny(), lib/Net/Server.pm:597).
As it is trivial for an attacker to be able to set his own
source IP's reverse DNS, the current check is not safe (this probably
matches CWE-807: Reliance on Untrusted Inputs in a Security Decision).

I think that the valid way would be to do the same checks as
Apache HTTPd does for the Allow / Deny directives (see do_double_reverse()
and ap_get_remote_host() in server/core.c for more information):
"It will do a reverse DNS lookup on the IP address to find the
associated hostname, and then do a forward lookup on the hostname
to assure that it matches the original IP address.
Only if the forward and reverse DNS are consistent and the hostname
matches will access be allowed."

At the very least, the documentation of Net:Server should be updated to
specify exactly what is checked by Net:Server access control, as many
people seem to assume that the check is done in the same way as in Apache 
HTTPd.

So far, I have been unable to reach the Net-Server maintener to discuss 
this matter.

--
Regards,

Remi Gacogne

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ