From jonny@mailhost.coppe.ufrj.br  Mon Aug 11 20:04:52 1997
Received: from gaia.coppe.ufrj.br (jonny@[146.164.5.200])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA21464
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 11 Aug 1997 20:04:51 -0700 (PDT)
Received: (from jonny@localhost)
	by gaia.coppe.ufrj.br (8.8.6/8.8.6) id AAA20896;
	Tue, 12 Aug 1997 00:04:41 -0300 (EST)
Message-Id: <199708120304.AAA20896@gaia.coppe.ufrj.br>
Date: Tue, 12 Aug 1997 00:04:41 -0300 (EST)
From: Joao Carlos Mendes Luis <jonny@mailhost.coppe.ufrj.br>
Reply-To: jonny@mailhost.coppe.ufrj.br
To: FreeBSD-gnats-submit@freebsd.org
Subject: DNS security problems
X-Send-Pr-Version: 3.2

>Number:         4276
>Category:       bin
>Synopsis:       Security problem with DNS resolution
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 11 20:10:02 PDT 1997
>Closed-Date:    Wed Jul 29 06:42:38 PDT 1998
>Last-Modified:  Wed Jul 29 06:45:31 PDT 1998
>Originator:     Joao Carlos Mendes Luis
>Release:        FreeBSD 2.2-STABLE i386
>Organization:
COPPE/UFRJ
>Environment:

2.2-STABLE from around 97.07.23.

2.2-RELENG from 97.06.28 does not show this behaviour.

>Description:

who and last report "invalid hostname" when the DNS reverse name of
the origin host is invalid.  This has serious security issues.  The
correct approach would be to report the IP Address.

>How-To-Repeat:

1) Pick a host to serve as an origin to telnet or rlogin.
2) Point its DNS reverse name to something nonexistent.
   Note: Must be a nonexistent or invalid direct DNS address.
3) telnet or rlogin to the 2.2 box

And presto:

gaia::jonny [502] who
jonny    ttyp2   Aug  8 15:37   (146.164.63.6:S.0)
jonny    ttyp3   Aug 11 14:03   (146.164.63.6:S.2)
jonny    ttyp4   Aug 11 14:23   (146.164.63.6:S.3)
jonny    ttyp5   Aug 11 16:39   (146.164.63.6:S.4)
jonny    ttyp7   Aug 11 23:57   (invalid hostname)

>Fix:
	
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: thepish 
State-Changed-When: Wed Jul 29 06:42:38 PDT 1998 
State-Changed-Why:  
Neither telnetd nor rlogind produce the reported fault in 2.2.7.
Examining their source, both do precisely what submitter suggests,
i.e. if gethostbyaddr returns a NULL, the IP address is strncpy-ed into the
ut_host field (consistent with the behaviour I see when I try it). Examination
of the cvs log (and brief examination of committed versions) around the
time of the report did not reveal exactly where the bug was active. I think
the window must have been brief.
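As an added illustration, not code from this PR or from FreeBSD's telnetd/rlogind, the behaviour the description asks for and the closer confirms: record a reverse name only when it forward-resolves back to the origin address, otherwise fall back to the dotted-quad address, and never a placeholder such as "invalid hostname". The resolver hook, the stub resolver and its hostname, and the 16-byte ut_host width are constructed assumptions so the fallback runs offline.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define UT_HOSTSIZE 16   /* assumed utmp ut_host width, for illustration only */

/* Resolver hook: returns 1 and fills name when addr has a reverse name that
 * forward-resolves back to addr, else 0.  Injectable so the fallback logic
 * can be exercised without live DNS. */
typedef int (*reverse_fn)(const struct in_addr *addr, char *name, size_t len);

/* Live resolver: gethostbyaddr, then confirm the PTR name maps back to addr;
 * a PTR whose forward lookup fails or mismatches is treated as no name. */
int reverse_checked(const struct in_addr *addr, char *name, size_t len)
{
    struct hostent *hp = gethostbyaddr(addr, sizeof *addr, AF_INET);
    if (hp == NULL)
        return 0;
    snprintf(name, len, "%s", hp->h_name);
    if ((hp = gethostbyname(name)) == NULL || hp->h_addrtype != AF_INET)
        return 0;
    for (char **a = hp->h_addr_list; *a != NULL; a++)
        if (memcmp(*a, addr, sizeof *addr) == 0)
            return 1;
    return 0;
}

/* Constructed stub: only 146.164.5.200 (gaia from the PR headers) has a
 * verifiable reverse name; every other address behaves like the PR's origin. */
int stub_reverse(const struct in_addr *addr, char *name, size_t len)
{
    if (addr->s_addr == htonl(0x92A405C8u)) {   /* 146.164.5.200 */
        snprintf(name, len, "%s", "gaia.coppe.ufrj.br");
        return 1;
    }
    return 0;
}

/* ut_host text for an origin: verified name, else the IP address.  The copy
 * is the strncpy the closer describes; note it silently truncates long names,
 * so a NUL-padded buffer one byte wider is kept for safe printing. */
const char *ut_host_for(const char *ip_text, reverse_fn rev)
{
    static char ut_host[UT_HOSTSIZE + 1];
    char name[256];
    struct in_addr addr;

    if (inet_pton(AF_INET, ip_text, &addr) != 1)
        return NULL;
    memset(ut_host, 0, sizeof ut_host);
    strncpy(ut_host, rev(&addr, name, sizeof name) ? name : inet_ntoa(addr),
            UT_HOSTSIZE);
    return ut_host;
}
```

With the stub, 146.164.63.6 has no valid reverse name and is recorded as its address, while gaia's name is kept but cut to the field width, which is the other way an origin can be obscured in who/last output.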
>Unformatted:
