[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug-inetutils] [PATCH] vulnerable hostname canonicalization
|
From: |
Simon Josefsson |
|
Subject: |
[bug-inetutils] [PATCH] vulnerable hostname canonicalization |
|
Date: |
Sat, 08 Feb 2003 16:41:31 +0100 |
|
User-agent: |
Gnus/5.090015 (Oort Gnus v0.15) Emacs/21.3.50 (i686-pc-linux-gnu) |
I hope this is correct. I only reviewed it for kerberos, but it might
apply to other authentication mechanisms that use the hostname too.
2003-02-08 Simon Josefsson <address@hidden>
* commands.c (tn): Don't set hostname to DNS canonicalized value.
Attackers may control DNS and fool the Kerberos authentication
code to use the wrong realm for the server, and consequently the
wrong KDC for the server, which the attackers could also control.
Ultimately the attacker can fool the server authentication check
in the client.
Index: telnet/commands.c
===================================================================
RCS file: /cvsroot/inetutils/inetutils/telnet/commands.c,v
retrieving revision 1.15
diff -u -p -r1.15 commands.c
--- telnet/commands.c 14 May 2002 15:13:56 -0000 1.15
+++ telnet/commands.c 8 Feb 2003 15:35:59 -0000
@@ -1,4 +1,5 @@
/*
+ * Copyright (c) 2003 Free Software Foundation, Inc.
* Copyright (c) 1988, 1990, 1993
* The Regents of the University of California. All rights reserved.
*
@@ -2320,9 +2321,9 @@ tn(int argc, char *argv[])
if (_hostname)
free (_hostname);
- _hostname = malloc (strlen (host->h_name) + 1);
+ _hostname = malloc (strlen (hostp) + 1);
if (_hostname) {
- strcpy (_hostname, host->h_name);
+ strcpy (_hostname, hostp);
hostname = _hostname;
} else {
printf ("Can't allocate memory to copy hostname\n");
- [bug-inetutils] [PATCH] vulnerable hostname canonicalization,
Simon Josefsson <=