Bug 90463 - nscd uses cached reverse lookups for later forward lookups
Product: Red Hat Linux
Classification: Retired
Component: nscd
i686 Linux
Priority: medium, Severity: medium
Assigned To: Jakub Jelinek
Keywords: Security
Reported: 2003-05-08 12:41 EDT by Norbert Warmuth
Modified: 2007-04-18 12:53 EDT (History)
Doc Type: Bug Fix
Last Closed: 2003-12-12 03:59:32 EST

Attachments
Example session 1 (1.00 KB, text/plain)
2003-05-08 12:48 EDT, Norbert Warmuth
Example session 2 (1.34 KB, text/plain)
2003-05-08 12:51 EDT, Norbert Warmuth
nscd configuration file (1.13 KB, text/plain)
2003-05-08 12:53 EDT, Norbert Warmuth
nsswitch.conf (1.70 KB, text/plain)
2003-05-08 12:59 EDT, Norbert Warmuth
/etc/hosts (44 bytes, text/plain)
2003-05-08 12:59 EDT, Norbert Warmuth

Description Norbert Warmuth 2003-05-08 12:41:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030314

Description of problem:
nscd uses the result of GETHOSTBYADDR requests to answer later GETHOSTBYNAME

An attacker might poison the nscd cache and redirect IP traffic.

See the attachments for a sample session and configuration files.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. setup nameserver with a PTR RR resolving to "localhost."
2. connect to the victim host using the IP of the PTR RR
3. now the victim's nscd cache is poisoned and traffic to the hostname
localhost will be directed to the attacker's IP


Additional info:
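
A simplified model of the behaviour reported above, added here as an illustration; it is not part of the original report and is not nscd's code. The class names, the 192.0.2.66 address and the record tables are constructed, and keying the cache by request type is one possible hardening, not necessarily the change made in RHL9.

```python
# Simplified model of a hosts cache (constructed; not nscd's code or data layout).
class SharedCache:
    """Flawed: one table keyed by the lookup string, whatever the request type."""
    def __init__(self):
        self.table = {}

    def store(self, req_type, key, name, addr):
        self.table[key] = (name, addr)
        if req_type == "GETHOSTBYADDR":
            # The name in the PTR answer becomes a key too, so whoever runs
            # the reverse zone decides which hostname entry gets replaced.
            self.table[name] = (name, addr)

    def lookup(self, req_type, key):
        return self.table.get(key)


class TypedCache(SharedCache):
    """Hardened: an entry is only visible to the request type that stored it."""
    def store(self, req_type, key, name, addr):
        self.table[(req_type, key)] = (name, addr)

    def lookup(self, req_type, key):
        return self.table.get((req_type, key))


def resolve_by_addr(cache, addr, ptr_records):
    hit = cache.lookup("GETHOSTBYADDR", addr)
    if hit is None:
        name = ptr_records[addr]  # answer comes from the remote reverse zone
        cache.store("GETHOSTBYADDR", addr, name, addr)
        return name
    return hit[0]


def resolve_by_name(cache, name, hosts_file):
    hit = cache.lookup("GETHOSTBYNAME", name)
    if hit is None:
        addr = hosts_file[name]  # trusted local source, as in /etc/hosts
        cache.store("GETHOSTBYNAME", name, name, addr)
        return addr
    return hit[1]


def scenario(cache):
    hosts_file = {"localhost": "127.0.0.1"}    # constructed sample data
    ptr_records = {"192.0.2.66": "localhost"}  # constructed PTR record
    resolve_by_addr(cache, "192.0.2.66", ptr_records)  # reverse lookup of a peer
    return resolve_by_name(cache, "localhost", hosts_file)
```

`scenario(SharedCache())` returns the address taken from the PTR answer, while `scenario(TypedCache())` returns the address from the local hosts data.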
Comment 1 Norbert Warmuth 2003-05-08 12:48:26 EDT
Created attachment 91562
Example session 1
Comment 2 Norbert Warmuth 2003-05-08 12:51:25 EDT
Created attachment 91563
Example session 2
Comment 3 Norbert Warmuth 2003-05-08 12:53:24 EDT
Created attachment 91564
nscd configuration file
Comment 4 Norbert Warmuth 2003-05-08 12:59:00 EDT
Created attachment 91565
Comment 5 Norbert Warmuth 2003-05-08 12:59:31 EDT
Created attachment 91566
Comment 6 Ulrich Drepper 2003-06-04 01:51:11 EDT
This shouldn't be a problem anymore in RHL9.  Please try it.
Comment 7 Norbert Warmuth 2003-06-04 12:24:13 EDT
Verified -- RHL9 (all updates installed) does not exhibit this problem. 
