90463 – nscd uses cached reverse lookups for later forward lookups

Bug 90463 - nscd uses cached reverse lookups for later forward lookups

Summary: nscd uses cached reverse lookups for later forward lookups

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	nscd
Sub Component:
Version:	7.3
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jakub Jelinek
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2003-05-08 16:41 UTC by Norbert Warmuth
Modified:	2007-04-18 16:53 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2003-12-12 08:59:32 UTC
Embargoed:

Attachments	(Terms of Use)
Example session 1 (1.00 KB, text/plain) 2003-05-08 16:48 UTC, Norbert Warmuth	no flags	Details
Example session 2 (1.34 KB, text/plain) 2003-05-08 16:51 UTC, Norbert Warmuth	no flags	Details
nscd configuration file (1.13 KB, text/plain) 2003-05-08 16:53 UTC, Norbert Warmuth	no flags	Details
nsswitch.conf (1.70 KB, text/plain) 2003-05-08 16:59 UTC, Norbert Warmuth	no flags	Details
/etc/hots (44 bytes, text/plain) 2003-05-08 16:59 UTC, Norbert Warmuth	no flags	Details
View All

Description Norbert Warmuth 2003-05-08 16:41:41 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030314

Description of problem:
nscd uses the result of GETHOSTBYADDR requests to answer later GETHOSTBYNAME
requests. 

An attacker might poison the nscd cache and redirect IP traffic.

See the attachments for a sample session and configuration files.


Version-Release number of selected component (if applicable):
nscd-2.2.5-43

How reproducible:
Always

Steps to Reproduce:
1. setup nameserver with a PTR RR resolving to "localhost."
2. connect to the victim host using the IP of the PTR RR
3. now the victim's nscd cache is poinsoned and traffic to the hostname
localhost will we directed to the attacher's IP


    

Additional info:

Comment 1 Norbert Warmuth 2003-05-08 16:48:26 UTC

Created attachment 91562 [details]
Example session 1

Comment 2 Norbert Warmuth 2003-05-08 16:51:25 UTC

Created attachment 91563 [details]
Example session 2

Comment 3 Norbert Warmuth 2003-05-08 16:53:24 UTC

Created attachment 91564 [details]
nscd configuration file

Comment 4 Norbert Warmuth 2003-05-08 16:59:00 UTC

Created attachment 91565 [details]
nsswitch.conf

Comment 5 Norbert Warmuth 2003-05-08 16:59:31 UTC

Created attachment 91566 [details]
/etc/hots

Comment 6 Ulrich Drepper 2003-06-04 05:51:11 UTC

This shouldn't be a problem anymore in RHL9.  Please try it.

Comment 7 Norbert Warmuth 2003-06-04 16:24:13 UTC

Verified -- RHL9 (all updates installed) does not exhibit this problem.

Note You need to log in before you can comment on or make changes to this bug.