Resolver Issues (non valid hostname characters)

Terry Lambert tlambert2 at mindspring.com
Wed Mar 26 08:48:48 PST 2003 

David J Duchscher wrote:
> On Tuesday, March 25, 2003, at 11:23  PM, Mark.Andrews at isc.org wrote:
> >       This is a security matter.  Sendmail was compromised due to
> >       lack of checking the results returned by gethostbyaddr().
> >
> >       get*by*() and get*info() enforce RFC 952 so that every
> >       application written doesn't have to validate the results
> >       returned.  Allowing underscore (or IHN) is a API change
> >       and will potentially break applications that correctly
> >       depend upon get*by*() and get*info() filtering out the
> >       garbage.
> >
> >       If you want to be liberal in what you accept bypass
> >       get*by*() and get*info() and call the resolver directly.
> 
> Let me see, this is a matter of national security so we can't talk
> about it.  This is very much a straw man argument when it comes to
> underscore.

It's not "national security", it's "computer security".  If you
allow crap in host names, code which operates on host names, and
uses globbing code which does not proactively ensure that the
characters are escaped before applying globbing rules, particularly
interpreted globbing code, becomes vulnerable to exploits.

Specifically, say I have an interpreter that interprets variables
with an underscore prefix.  By contacting my server written in this
interpreter from a host whose reverse address has been set to
include this character, you could exploit the fact that people who
call the resolver library expect strict RFC-952 conformnace in the
returned host names, and obtain escalated priviledges on my server
system.

Mark is pointing out that this is not just a theoretical possibility,
it was in fact exploited against sendmail on the systems you are
holding up as examples (but it was *not* exploited on FreeBSD,
because FreeBSD complies with RFC-952).


> Bypassing the resolver is also not an option that most
> users have available to them.

All programmers have this option, if they have the option to
use the resolver in the first place.  The API is well, if
obscurely, documented.


> This argument also implies that all the other OS mentioned have
> a security problem because they don't do this type of checking.

They do, if they are running a version of sendmail which does not
specifically provide it's own wrappers, ensuring RFC-952 conformance.

Check the CERT advisories.

Note that sendmail now wraps the calls itself, in case the host OS
is not conformant with RFC-952.  You will not be able to send or
receive email from non-compliant systems on any system running a
corrected version of sendmail that does this enforcement.


> >       If the name contains a underscore it is not a hostname by
> >       definition.  Nothing stops you talking to the DNS directly
> >       and entering IP literals.
> 
> CNAME virtual hosts.
> 
> I have mailed the patch to PR/50299 that makes it an optional behavior.
> You can also find it here:
> 
>    http://magus.nostrum.com/~daved/resolver_patch.txt

I have no objection, in principle, to such a patch, as long as
it's not enabled by the default configuration distributed with
the system.

HOWEVER, this particular patch is not sufficient to put the
argument to rest.

This should probably not be "allow_underscore" in the resolv.conf.

Instead, you should probably have:

	allow_chars "_"

You will also need an escape charachter, which is usually "\",
for specifying things like the escape character, special characters,
and quotation marks, e.g.:

	allow_chars "_\\\010\x17\""

Since the systems you are talking about are broken vs. RFC-952 for
more than just underscore.

Otherwise, next week, we are going to have people asking us to
allow the next character not in RFC-952, and there will be a
proliferation of these options.

-- Terry

More information about the freebsd-stable mailing list