Re: Reverse lookup issue in Net::Server

[Russ Allbery <rra () stanford edu>]

Remi Gacogne <rgacogne-bugs () coredump fr> writes:

> I think there is a security issue in the way the access control feature
> of Net::Server (http://search.cpan.org/perldoc?Net%3A%3AServer) works.
> Net::Server is used by various projects including Munin, Postgrey and
> SQLgrey.

> The issue lies in the fact that the allow / deny access control does not
> perform a valid DNS check when given a hostname parameter and the
> 'reverse_lookups' option is enabled.  The current code only checks that
> the incoming connection source IP address has a reverse DNS matching the
> given hostname, but does not check that the hostname resolves back to
> this source IP address (see how the $prop->{'peerhost'} property is set
> in get_client_info(), lib/Net/Server.pm:553, then used in allow_deny(),
> lib/Net/Server.pm:597).  As it is trivial for an attacker to be able to
> set his own source IP's reverse DNS, the current check is not safe (this
> probably matches CWE-807: Reliance on Untrusted Inputs in a Security
> Decision).

This is a very weak security measure, but yes, the need to check the
reverse DNS results with a forward DNS query to make the security check at
all useful has been well-known going all the way back to the days when TCP
wrappers was the UNIX firewalling system of choice.  I remember discussion
of this in security contexts in 1994, and I'm sure it was an old
discussion even then.

-- 
Russ Allbery (rra () stanford edu)             <http://www.eyrie.org/~eagle/>