krb5_sname_to_principal or LDAP/SASL/GSSAPI and reverse DNS
Derek Atkins
warlord at MIT.EDU
Tue Apr 8 18:02:34 EDT 2003
John Hascall <john at iastate.edu> writes:
> > > I would be interested in hearing more about #3 (how does
> > > hostname canonicalization == no security?)
>
> > DNS spoofing. I spoof the PTR lookup to a machine that I own.
> > I now act as a Man-in-the-middle.
>
> Ok, client 1.2.3.4 wants to connect to foo.example.com
> which is really foo-1 through foo-99 (1.2.1.1 - 99) so
> it does an A lookup on foo.example.com and gets back,
> say 1.2.1.17 which it then does a pointer lookup on
> and instead of getting back (foo-17.example.com) some
> DNS trickery occurs and it gets back drevil.example.com
> and it acquires tickets for say host/drevil.example.com
> and then connects to 1.2.1.17 and it attempts to use
> the host/drevil.example.com ticket to authenticate.
>
> This is obviously going to fail, so the attacker must
> have to do something more than just fudging the PTR
> lookup. One possibility is fudging the A lookup too.
>
> Ok, so now the client is talking to drevil when it
> thinks it is talking to one of the foo-cluster (which
> is bad enough), but how does drevil authenticate to
> foo-17 (as the user on the client) to complete the
> man-in-the-middle?
Well, it depends on the protocol in use, doesn't it? If the protocol
is a printing protocol, I can get you to print that confidential
document on my printer instead of yours. If it's a login session, I
might be able to get you to type your password into my (hacked) login
program.... Besides, who said the connection from drevil to the real
server had to be protected/authenticated?
> John
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
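The exchange above turns on one step: when reverse-DNS canonicalization is enabled, the name in the PTR answer, not the name the user typed, becomes the second component of the host/ principal the client asks the KDC for. The following Python simulation is an added illustration of that step and is not MIT krb5 code. The resolver tables are constructed; the `rdns` argument stands in for the `rdns` setting in the `[libdefaults]` section of krb5.conf, and `sname_to_principal` is a simplified model of what `krb5_sname_to_principal` does, not its real signature. The forward-confirmation check at the end is a defensive sanity test of a PTR answer, and, as the thread notes, it only helps when the attacker has tampered with the PTR record alone.

```python
"""Model of host-based service principal derivation with and without
reverse-DNS (PTR) canonicalization. Added example, not krb5 source."""

from dataclasses import dataclass

REALM = "EXAMPLE.COM"

# Constructed forward (A) records. foo.example.com is a cluster alias that
# happens to resolve to member foo-17 on this query.
FORWARD = {
    "foo.example.com": ["1.2.1.17"],
    "foo-17.example.com": ["1.2.1.17"],
}

# Constructed PTR records: the honest answer for 1.2.1.17 ...
HONEST_REVERSE = {"1.2.1.17": "foo-17.example.com"}
# ... and the same address with a tampered PTR answer (the thread's scenario).
SPOOFED_REVERSE = {"1.2.1.17": "drevil.example.com"}


@dataclass
class Resolver:
    """Toy DNS view: forward and reverse tables instead of real queries."""
    forward: dict
    reverse: dict

    def lookup_a(self, name):
        return self.forward.get(name, [])

    def lookup_ptr(self, addr):
        return self.reverse.get(addr)


def sname_to_principal(resolver, hostname, service="host", rdns=True, realm=REALM):
    """Return (principal, address) the client would use for hostname.

    With rdns=True the address is looked up back to a name and that name is
    used (this is the step an attacker-controlled PTR record influences).
    With rdns=False the PTR record is never consulted and the typed name is
    used as-is, lower-cased."""
    addrs = resolver.lookup_a(hostname)
    if not addrs:
        raise LookupError(f"no A record for {hostname}")
    addr = addrs[0]
    canonical = resolver.lookup_ptr(addr) if rdns else hostname
    if canonical is None:
        raise LookupError(f"no PTR record for {addr}")
    return f"{service}/{canonical.lower()}@{realm}", addr


def ptr_is_forward_confirmed(resolver, addr):
    """Defensive check: does the name in the PTR answer resolve back to addr?

    A PTR answer that the forward zone does not confirm is a strong signal
    that something is wrong; it is not a full defence if the forward zone
    is tampered with as well."""
    name = resolver.lookup_ptr(addr)
    return name is not None and addr in resolver.lookup_a(name)


def run_scenarios(target="foo.example.com"):
    """Derive the principal for target under each resolver and rdns setting."""
    results = {}
    for label, res in (("honest", Resolver(FORWARD, HONEST_REVERSE)),
                       ("spoofed", Resolver(FORWARD, SPOOFED_REVERSE))):
        for rdns in (True, False):
            principal, addr = sname_to_principal(res, target, rdns=rdns)
            results[(label, rdns)] = {
                "principal": principal,
                "address": addr,
                "ptr_confirmed": ptr_is_forward_confirmed(res, addr),
            }
    return results


if __name__ == "__main__":
    for (label, rdns), r in run_scenarios().items():
        print(f"{label:8} rdns={rdns!s:5} -> {r['principal']} "
              f"(ptr forward-confirmed: {r['ptr_confirmed']})")
```

With the tampered PTR record and `rdns` on, the client requests `host/drevil.example.com` and then presents that ticket to 1.2.1.17, exactly the mismatch John describes; with `rdns` off it requests `host/foo.example.com` regardless of what the PTR record says. The operational cost of turning `rdns` off is visible in the same output: every member of the foo cluster then needs a key for `host/foo.example.com` in its keytab, because clients will no longer ask for the member-specific name.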