[Emerging-Sigs] SIG - Idea and RFC for localhost.some.tld - Requests

Mex mail at mare-system.de
Tue Oct 12 08:44:48 EDT 2010


Lately, using dnsmap to enumerate some client systems, I came across
an interesting vuln from one local hosting provider; besides servers
they also provide DNS administration and access to DNS records,
and if you create a new zonefile for a domain they add an entry for

localhost    IN A 127.0.0.1

that resolves localhost.somedomain.tld to 127.0.0.1.

This behavior might lead to nice little attacks, especially
on multiuser/terminalserver systems, according to [1].

While these kinds of attacks depend on multiuser systems
and are a little sophisticated and will not occur
on a larger scale, they are still possible. I got an ACK from
a pentesting firm that it even might be possible to
steal HTTPS sessions/cookies under certain circumstances.

IMO any request for localhost.somedomain.tld is either
a misconfiguration or something bad-unknown, but
should never be legit, so I'm thinking about the
following sig to detect these requests
(I must admit I don't have much experience in making
DNS sigs, so please advise me if the following sig is
bullshit; it's somewhat stolen from somewhere).


alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53
(msg:"DNS Lookup for localhost.DOMAIN.TLD"; content:"|09|localhost"; nocase;
tag:host,10,packets,src; classtype:bad-unknown;
reference:url,seclists.org/bugtraq/2008/Jan/270; sid:2619079; rev:7;)



I scripted a little tool to check for this kind of DNS record
for those who might want to play; please drop me a line and I'll send
you this script and a list to start with.



Regards, mex



[1] http://seclists.org/bugtraq/2008/Jan/270
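Added example (not the post's own script, and not the tool mex offers to send): a small Python check that parses the question section of a raw DNS query and flags names with a "localhost" label in front of a real domain, which is what the sig above is after, while leaving a bare "localhost" query alone; the sample packets are constructed inline with build_query.

```python
import struct

HEADER_LEN = 12  # DNS header: id, flags, qdcount, ancount, nscount, arcount


def parse_qname(msg, offset=HEADER_LEN):
    """Return (labels, offset_after_name) for the first QNAME in msg.
    Raises ValueError on a truncated name or on a compression pointer,
    which is not expected inside the question section of a query."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def is_localhost_subdomain_query(msg):
    """True for a DNS query (QR=0) whose QNAME carries a "localhost" label
    in a non-final position, e.g. localhost.example.com (case-insensitive).
    A bare "localhost" query is not flagged, unlike the sig's
    content:"|09|localhost", which fires on any such label."""
    if len(msg) < HEADER_LEN:
        return False
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount == 0:  # response, or no question section
        return False
    try:
        labels, _ = parse_qname(msg)
    except ValueError:
        return False
    return any(label.lower() == "localhost" for label in labels[:-1])


def build_query(name, txid=0x1234):
    """Build a minimal A/IN query for name (constructed sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


if __name__ == "__main__":
    for q in ("localhost.example.com", "LOCALHOST.Example.COM", "localhost", "www.example.com"):
        print(q, "->", is_localhost_subdomain_query(build_query(q)))
```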