On Jun 2, 1999, Dag-Erling Smorgrav <desat_private> wrote:

> bobk <bobkat_private> writes:
>> Imagine what could happen if some program did a strcmp() on the following
>> name:
>> rs.internic.net\0.xa.net
>> where, of course, \0 is a null
>> Interested readers may ponder what type of programs may be exploited with
>> this type of attack.
> Any .rhosts consumer. Xhost. Amanda (.amandahosts). Lpd (lpd.allow).
> What did I win? :-)

Not Amanda. After reverse-mapping the incoming IP address to a hostname, it will look up the IP addresses for the hostname and make sure the incoming IP address is one of the IP addresses listed for that name, so only DNS spoofing or a lame DNS cache would get Amanda in trouble. It is true that it will also check whether the canonical name obtained for the direct mapping is the same that it got in reverse mapping, and it uses strncasecmp here, which means it might miss a difference in case `\0' is part of the name, but I don't think this is a critical check; only the IP checking is.

--
Alexandre Oliva http://www.dcc.unicamp.br/~oliva IC-Unicamp, Bra[sz]il
{oliva,Alexandre.Oliva}@dcc.unicamp.br aoliva@{acm.org,computer.org}
oliva@{gnu.org,kaffe.org,{egcs,sourceware}.cygnus.com,samba.org}
*** E-mail about software projects will be forwarded to mailing lists
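An added illustration of the two checks discussed in this thread (example code written for this archive page, not Amanda's or any poster's code): a strcmp()-style name comparison that stops at the embedded NUL from the quoted `rs.internic.net\0.xa.net` answer, a length-aware comparison that rejects it, and the forward-lookup check Alexandre describes, with the forward-lookup results and addresses supplied as constructed values rather than real resolver calls.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stddef.h>

/* Naive check from the thread: a C string comparison stops at the first
 * NUL, so a PTR answer carrying an embedded \0 compares equal to the
 * trusted name even though the record the resolver returned is longer. */
int naive_host_match(const char *name, const char *trusted)
{
    return strcasecmp(name, trusted) == 0;
}

/* Hardened check (this example's own, not Amanda's): use the length the
 * resolver actually returned, reject names containing a NUL, and require
 * the lengths to agree before a case-insensitive compare. */
int safe_host_match(const char *name, size_t namelen, const char *trusted)
{
    size_t tlen = strlen(trusted);
    if (strnlen(name, namelen) != namelen)   /* embedded NUL present */
        return 0;
    if (namelen != tlen)                     /* would truncate/extend */
        return 0;
    return strncasecmp(name, trusted, tlen) == 0;
}

/* The check Alexandre credits to Amanda: forward-map the reverse-mapped
 * name and require the peer address among the results. The forward-lookup
 * answers are passed in as a constructed array instead of a resolver call. */
int peer_in_forward_results(const char *peer_ip, const char *const *forward, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(peer_ip, forward[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed PTR answer from the thread: "rs.internic.net\0.xa.net" */
    static const char ptr[] = "rs.internic.net\0.xa.net";
    size_t ptrlen = sizeof(ptr) - 1;            /* 23 bytes incl. the NUL */
    static const char *const fwd[] = { "192.0.2.10", "192.0.2.11" }; /* constructed */

    printf("naive: %d\n", naive_host_match(ptr, "rs.internic.net"));        /* 1: fooled */
    printf("safe : %d\n", safe_host_match(ptr, ptrlen, "rs.internic.net")); /* 0: rejected */
    printf("fwd  : %d\n", peer_in_forward_results("203.0.113.5", fwd, 2));  /* 0: no match */
    return 0;
}
```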
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:10 PDT