oss-sec mailing list archives
Re: Reverse lookup issue in Net::Server
From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 13 Mar 2013 21:56:44 +0100
Hi On Mon, Mar 11, 2013 at 08:42:44PM -0600, Kurt Seifried wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/04/2013 12:36 PM, Russ Allbery wrote:Remi Gacogne <rgacogne-bugs () coredump fr> writes:I think there is a security issue in the way the access control feature of Net::Server (http://search.cpan.org/perldoc?Net%3A%3AServer) works. Net::Server is used by various projects including Munin, Postgrey and SQLgrey.The issue lies in the fact that the allow / deny access control does not perform a valid DNS check when given a hostname parameter and the 'reverse_lookups' option is enabled. The current code only checks that the incoming connection source IP address has a reverse DNS matching the given hostname, but does not check that the hostname resolves back to this source IP address (see how the $prop->{'peerhost'} property is set in get_client_info(), lib/Net/Server.pm:553, then used in allow_deny(), lib/Net/Server.pm:597). As it is trivial for an attacker to be able to set his own source IP's reverse DNS, the current check is not safe (this probably matches CWE-807: Reliance on Untrusted Inputs in a Security Decision).This is a very weak security measure, but yes, the need to check the reverse DNS results with a forward DNS query to make the security check at all useful has been well-known going all the way back to the days when TCP wrappers was the UNIX firewalling system of choice. I remember discussion of this in security contexts in 1994, and I'm sure it was an old discussion even then.Yup. Please use CVE-2013-1841 for this issue.
Thank you Kurt for assinging the CVE. Upstream already answered on this on the request tracker[1] and Paul mentions they will add an option to do the forward lookup. [1]: https://rt.cpan.org/Ticket/Display.html?id=83909 Regards, Salvatore
Current thread:
- Reverse lookup issue in Net::Server Remi Gacogne (Mar 04)
- Re: Reverse lookup issue in Net::Server Russ Allbery (Mar 04)
- Re: Reverse lookup issue in Net::Server Kurt Seifried (Mar 11)
- Re: Reverse lookup issue in Net::Server Steven M. Christey (Mar 13)
- Re: Reverse lookup issue in Net::Server Salvatore Bonaccorso (Mar 13)
- Re: Reverse lookup issue in Net::Server Kurt Seifried (Mar 13)
- Re: Reverse lookup issue in Net::Server Kurt Seifried (Mar 11)
- Re: Reverse lookup issue in Net::Server Russ Allbery (Mar 04)