oss-sec mailing list archives
Reverse lookup issue in Net::Server
From: Remi Gacogne <rgacogne-bugs () coredump fr>
Date: Mon, 4 Mar 2013 20:31:14 +0100 (CET)
Hi, I think there is a security issue in the way the access control feature of Net::Server (http://search.cpan.org/perldoc?Net%3A%3AServer) works.Net::Server is used by various projects including Munin, Postgrey and SQLgrey.
The issue lies in the fact that the allow / deny access control does not perform a valid DNS check when given a hostname parameter and the 'reverse_lookups' option is enabled. The current code only checks that the incoming connection source IP address has a reverse DNS matching the given hostname, but does not check that the hostname resolves back to this source IP address (see how the $prop->{'peerhost'} property is set in get_client_info(), lib/Net/Server.pm:553, then used in allow_deny(), lib/Net/Server.pm:597). As it is trivial for an attacker to be able to set his own source IP's reverse DNS, the current check is not safe (this probably matches CWE-807: Reliance on Untrusted Inputs in a Security Decision). I think that the valid way would be to do the same checks as Apache HTTPd does for the Allow / Deny directives (see do_double_reverse() and ap_get_remote_host() in server/core.c for more information): "It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed." At the very least, the documentation of Net:Server should be updated to specify exactly what is checked by Net:Server access control, as manypeople seem to assume that the check is done in the same way as in Apache HTTPd.
So far, I have been unable to reach the Net-Server maintener to discuss this matter.
-- Regards, Remi Gacogne
Current thread:
- Reverse lookup issue in Net::Server Remi Gacogne (Mar 04)
- Re: Reverse lookup issue in Net::Server Russ Allbery (Mar 04)
- Re: Reverse lookup issue in Net::Server Kurt Seifried (Mar 11)
- Re: Reverse lookup issue in Net::Server Steven M. Christey (Mar 13)
- Re: Reverse lookup issue in Net::Server Salvatore Bonaccorso (Mar 13)
- Re: Reverse lookup issue in Net::Server Kurt Seifried (Mar 13)
- Re: Reverse lookup issue in Net::Server Kurt Seifried (Mar 11)
- Re: Reverse lookup issue in Net::Server Russ Allbery (Mar 04)