This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/13935] New: getaddrinfo NXDOMAIN hijack exploit for hosts with two-component hostnames
- From: "nagle at sitetruth dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Sun, 01 Apr 2012 20:15:47 +0000
- Subject: [Bug network/13935] New: getaddrinfo NXDOMAIN hijack exploit for hosts with two-component hostnames
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=13935
Bug #: 13935
Summary: getaddrinfo NXDOMAIN hijack exploit for hosts with two-component hostnames
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: network
AssignedTo: unassigned@sourceware.org
ReportedBy: nagle@sitetruth.com
Classification: Unclassified
The default behavior of getaddrinfo results in a way to hijack failed
(NXDOMAIN) domain lookups.
The man page for resolv.conf(5) says:
domain Local domain name.
Most queries for names within this domain can use short names relative to the
local domain. If no domain entry is present, the domain is determined from the
local hostname returned by gethostname(2); the domain part is taken to be
everything after the first '.'. Finally, if the hostname does not contain a
domain part, the root domain is assumed.
Therein lies the problem. The default case is exploitable. If a server has a
domain name "companyname.com", the domain part, "everything after the first
'.'", is "com". So a failed lookup of "xyz.com" is retried as
"xyz.com.com".
The proprietors of "com.com" have chosen to exploit this by using a wildcard
DNS A record for "*.com.com", and redirecting the traffic thus captured to
(inevitably) an ad-heavy site. Visit "gnu.com.com", for example.
This problem is most visible when the hostname has two components, and the TLD
is ".com". Most hosting services use long generated host names, such as
"gator123.hostgator.com", and so their default base domain is "hostgator.com".
This is less exploitable. There are "net.net" and "org.org" domains, but they
are not currently capturing undefined subdomains. There may be other exploits
in the country
I suggest that the default behavior be changed. Consider defaulting "ndots" to
0, or at least don't use the default domain for searches unless it has more
than a TLD.
First reported in December 2011 at
http://serverfault.com/questions/341383/possible-nxdomain-hijacking
by a user who was puzzled that his two seemingly identical test and production
servers behaved differently. For me, it's caused a web crawler to misidentify
nonexistent domains.
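The search-list expansion the report describes, as an added example (not code from the report or from glibc): a Python model of how the stub resolver builds its candidate list from the rules in resolv.conf(5), run against a constructed zone table in which a wildcard A record under com.com answers for everything. The hostnames, addresses (RFC 5737 documentation ranges) and zone contents are constructed for the demonstration. The model also covers the two client-side settings that keep a failed "xyz.com" lookup from being retried under a suffix you do not control: an explicit `search` entry naming your own zone, and the trailing-dot (absolute) form of the name.

```python
"""Model of glibc's search-list expansion for hostname lookups.

Added example, not code from the bug report or from glibc.  It follows the
rules in resolv.conf(5): derive the search list from 'search', else 'domain',
else the local hostname; then query the name as-is and with each suffix
appended, in the order res_search uses.  Zone data and addresses below are
constructed (RFC 5737 documentation ranges) for the demonstration.
"""
from __future__ import annotations

ROOT = ""  # the root domain: an empty suffix, so nothing is appended


def default_search_list(hostname: str, domain: str | None = None,
                        search: list[str] | None = None) -> list[str]:
    """Search list the stub resolver ends up with for this resolv.conf.

    Precedence per resolv.conf(5): an explicit 'search' list, then 'domain',
    then everything after the first '.' of the local hostname, and finally
    the root domain when the hostname has no domain part at all.
    """
    if search:
        return list(search)
    if domain:
        return [domain]
    _, dot, rest = hostname.partition(".")
    return [rest] if dot and rest else [ROOT]


def candidate_names(name: str, search_list: list[str], ndots: int = 1) -> list[str]:
    """Ordered list of names queried for `name`.

    A trailing dot makes the name absolute: it is queried once, never
    expanded.  Otherwise a name with at least `ndots` dots is tried as-is
    first and, only if that fails (NXDOMAIN), with each suffix appended;
    a name with fewer dots gets the suffixes first and the as-is form last.
    """
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{sfx}" for sfx in search_list if sfx != ROOT]
    if name.count(".") >= ndots:
        return [name] + expanded
    return expanded + [name]


def fake_lookup(fqdn: str, zones: dict[str, str]) -> str | None:
    """Answer from the constructed zone table; '*.suffix' keys are wildcards."""
    fqdn = fqdn.rstrip(".")
    if fqdn in zones:
        return zones[fqdn]
    for key, addr in zones.items():
        if key.startswith("*.") and fqdn.endswith(key[1:]):
            return addr
    return None


# Constructed zone data: xyz.com does not exist, companyname.com is the
# local site, and a wildcard A record under com.com catches everything else.
FAKE_ZONES = {
    "companyname.com": "192.0.2.10",
    "intranet.companyname.com": "192.0.2.20",
    "*.com.com": "198.51.100.7",
}


def resolve(name: str, search_list: list[str], ndots: int = 1,
            zones: dict[str, str] = FAKE_ZONES) -> tuple[str, str] | None:
    """Walk the candidates like res_search: the first name that answers wins."""
    for cand in candidate_names(name, search_list, ndots):
        addr = fake_lookup(cand, zones)
        if addr is not None:
            return cand, addr
    return None


if __name__ == "__main__":
    derived = default_search_list("companyname.com")  # ['com']
    explicit = default_search_list("companyname.com", search=["companyname.com"])
    for label, sl in (("derived from hostname", derived), ("explicit search", explicit)):
        print(f"{label}: search={sl}")
        print("  xyz.com  ->", candidate_names("xyz.com", sl), resolve("xyz.com", sl))
        print("  xyz.com. ->", candidate_names("xyz.com.", sl), resolve("xyz.com.", sl))
```

With the search list derived from a two-component hostname, the model queries "xyz.com" first and, when that returns nothing, "xyz.com.com", which the wildcard answers; with `search companyname.com` the retry becomes "xyz.com.companyname.com", a name inside a zone the operator controls, and with a trailing dot there is no retry at all. Note that at the default ndots of 1 a name such as "xyz.com" already has enough dots to be tried as-is first, so the suffix is appended only after an NXDOMAIN, which is why only nonexistent names end up captured.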