Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SpamAssassin: users

[OT?] rDNS tomfoolery - "localhost"

  

 
SpamAssassin users RSS feed   Index | Next | Previous | View Threaded


jhardin at impsec

Oct 8, 2008, 11:52 AM

Post #1 of 5 (174 views)
Permalink
[OT?] rDNS tomfoolery - "localhost"
All:

I've recently come across some anomalous behavior in Vista and Win2k3 when
confronted with a host's rDNS returning "localhost". It seems Vista and
Win2k3 replace this with the local hostname. To illustrate:

ping -a 123.30.74.2

(Note: this isn't new, some searching reveals a blog post about it a year
ago.)

Is this a recognized spammer tactic to try to take advantage of
poorly-implemented whitelisting?

Does anybody know if this is a known security risk? (e.g. can a webserver
with rDNS set to "localhost" bypass any IE security features?)

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin[at]impsec.org FALaholic #11174 pgpk -a jhardin[at]impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
We are now seeing the disastrous consequences of government
dictating behavior to the mortgage lending industry over the past
two decades. Why do some think government dictating behavior to
the health care industry would be any less disastrous?
-----------------------------------------------------------------------
27 days until the Presidential Election


mouss at netoyen

Oct 8, 2008, 12:39 PM

Post #2 of 5 (168 views)
Permalink
Re: [OT?] rDNS tomfoolery - "localhost" [In reply to]
John Hardin a écrit :
> All:
>
> I've recently come across some anomalous behavior in Vista and Win2k3
> when confronted with a host's rDNS returning "localhost". It seems
> Vista and Win2k3 replace this with the local hostname. To illustrate:
>
> ping -a 123.30.74.2
>
AFAIK, "-a" doesn't change how ping works. the only thing it adds is to
show the PTR. but ping will contact the IP.

> (Note: this isn't new, some searching reveals a blog post about it a
> year ago.)
>
> Is this a recognized spammer tactic to try to take advantage of
> poorly-implemented whitelisting?

if paranoia mode is on, may be. but I doubt it's the case here (setting
the PTR to updates.microsoft.com or the like may be more "effective")


Looks like a zone with a wildcard, and the PTR is set to localhost (a
default value in the tool that generated the zone?).

$ host 123.30.0.0
0.0.30.123.in-addr.arpa domain name pointer localhost.
$ host 123.31.255.255
255.255.31.123.in-addr.arpa domain name pointer localhost.


>
> Does anybody know if this is a known security risk? (e.g. can a
> webserver with rDNS set to "localhost" bypass any IE security features?)
>

While shit has happened too many times, I don't see why a browser would
do PTR lookup when given an IP.


jhardin at impsec

Oct 8, 2008, 1:16 PM

Post #3 of 5 (166 views)
Permalink
Re: [OT?] rDNS tomfoolery - "localhost" [In reply to]
On Wed, 8 Oct 2008, mouss wrote:

> John Hardin a écrit :
>
>> I've recently come across some anomalous behavior in Vista and Win2k3
>> when confronted with a host's rDNS returning "localhost". It seems
>> Vista and Win2k3 replace this with the local hostname. To illustrate:
>>
>> ping -a 123.30.74.2
>
> AFAIK, "-a" doesn't change how ping works. the only thing it adds is to
> show the PTR. but ping will contact the IP.

That's what's intended - to do a rDNS lookup and display the results using
a tool less sophisticated than dig.

Sorry I wasn't explicit with what that was to illustrate - I was intending
those on Vista or W2k3 to run that command and say "WTF?"

>> Does anybody know if this is a known security risk? (e.g. can a
>> webserver with rDNS set to "localhost" bypass any IE security features?)
>
> While shit has happened too many times, I don't see why a browser would
> do PTR lookup when given an IP.

If security settings are defined by the server's hostname or domain name
you'd kinda have to, or else say that all numeric-IP URLs are inherently
untrustworthy.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin[at]impsec.org FALaholic #11174 pgpk -a jhardin[at]impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
They didn't add pork to the bailout, they added the bailout to pork.
-- seen at saysuncle.com
-----------------------------------------------------------------------
27 days until the Presidential Election


mouss at netoyen

Oct 8, 2008, 1:52 PM

Post #4 of 5 (168 views)
Permalink
Re: [OT?] rDNS tomfoolery - "localhost" [In reply to]
John Hardin a écrit :
> On Wed, 8 Oct 2008, mouss wrote:
>
>> John Hardin a écrit :
>>
>>> I've recently come across some anomalous behavior in Vista and Win2k3
>>> when confronted with a host's rDNS returning "localhost". It seems
>>> Vista and Win2k3 replace this with the local hostname. To illustrate:
>>>
>>> ping -a 123.30.74.2
>>
>> AFAIK, "-a" doesn't change how ping works. the only thing it adds is to
>> show the PTR. but ping will contact the IP.
>
> That's what's intended - to do a rDNS lookup and display the results
> using a tool less sophisticated than dig.
>
> Sorry I wasn't explicit with what that was to illustrate - I was
> intending those on Vista or W2k3 to run that command and say "WTF?"
>
>>> Does anybody know if this is a known security risk? (e.g. can a
>>> webserver with rDNS set to "localhost" bypass any IE security
>>> features?)
>>
>> While shit has happened too many times, I don't see why a browser would
>> do PTR lookup when given an IP.
>
> If security settings are defined by the server's hostname or domain
> name you'd kinda have to, or else say that all numeric-IP URLs are
> inherently untrustworthy.

I'd speculate that the lookup is "textual" (not DNS based). so you'd
specify "http://*.google.com", "http://127.0.0.1" ... etc. but I may be
wrong.

BTW. There was a bug a long time ago when IE used to trust URLs with
dotless numeric-IPs.
http://www.microsoft.com/technet/security/Bulletin/MS01-051.mspx
so I hope the developers don't get into such traps again (but I'm
dreaming...).


kelson at speed

Oct 9, 2008, 8:34 AM

Post #5 of 5 (151 views)
Permalink
Re: [OT?] rDNS tomfoolery - "localhost" [In reply to]
John Hardin wrote:
>> While shit has happened too many times, I don't see why a browser would
>> do PTR lookup when given an IP.
>
> If security settings are defined by the server's hostname or domain name
> you'd kinda have to, or else say that all numeric-IP URLs are inherently
> untrustworthy.

In that case, though, they *should* re-check the DNS of the hostname
that's been kicked back.

123.30.74.2 -> localhost -> 127.0.0.1 = mismatch

Assuming, of course, that (a) the DNS server being used doesn't do
something stupid like assume that the PTR result is symmetric, and (b)
the client has the sense to do that verification step.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>

SpamAssassin users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.