[Emerging-Sigs] SIG - Idea and RFC for localhost.some.tld - Requests

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 12 18:26:53 EDT 2010


Worth a try, putting it into policy.

Thanks mex!

Matt

On Oct 12, 2010, at 8:44 AM, Mex wrote:

> 
> lately, using dnsmap to enumerate some client-systems i came across
> an interesting vuln from one local hosting-provider; besides servers
> they also provide dns-administration and access to dns-records,
> and if you create a new zonefile for a domain they add an entry for
> 
> localhost    IN A 127.0.0.1
> 
> that validates localhost.somedomain.tld to 127.0.0.1
> 
> this behavior might lead to nice little attacks, especially
> on multiuser/terminalserver - systems, according to [1]
> 
> while these kinds of attacks depend on multiuser-systems
> and are a little sophisticated and will not occur
> on a larger scale, they are still possible. i got an ACK from
> a pentesting-firm that it even might be possible to
> steal https-sessions/cookies, under certain circumstances.
> 
> imo any request for localhost.somedomain.tld is either
> a misconfiguration or something bad-unknown, but
> should never be legit, so i think about the
> following sig to detect these requests
> (i must admit i've not so much experience in making
> dns-sigs, so please advise me if the following sig is
> bullshit; it's somewhat stolen from somewhere.)
> 
> 
> # |09| is the DNS label-length byte: 9 == len("localhost"), so the match
> # is the label "localhost" (any case) in the query name; reference taken from [1]
> alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53
> (msg:"DNS Lookup for localhost.DOMAIN.TLD"; content:"|09|localhost"; nocase;
> tag:host,10,packets,src; classtype:bad-unknown;
> reference:url,seclists.org/bugtraq/2008/Jan/270;
> sid:2619079; rev:7;)
> 
> i scripted a little tool to check for this kind of dns-records
> for those who might want to play; please drop me a line and i'll send
> you this script and a list to start with.
> 
> regards, mex
> 
> [1] http://seclists.org/bugtraq/2008/Jan/270
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
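The rule above keys on the DNS wire format: a query name is a sequence of length-prefixed labels, so `|09|localhost` matches the nine-byte label "localhost" wherever it appears. The following script, added here as an illustration and not mex's unreleased checker nor an Emerging Threats tool, builds a few constructed DNS queries, parses the question name, and contrasts what the byte match fires on with a stricter structural check for "localhost.<something>" (first label "localhost" followed by at least one more label). The packet builder, the `ignore_parents` allowlist and the sample names are assumptions made for the example, not values from the post.

```python
import struct

# --- constructed DNS wire-format helpers (example code, not from the post) ---

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (A record by default) for a constructed test."""
    # Header: id, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b""
    for label in qname.rstrip(".").split("."):
        if label:
            labels += bytes([len(label)]) + label.encode("ascii")
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_qname(packet: bytes):
    """Return the labels of the first question name, or None if malformed."""
    if len(packet) < 12:
        return None
    qdcount = struct.unpack(">H", packet[4:6])[0]
    if qdcount < 1:
        return None
    pos = 12
    labels = []
    while True:
        if pos >= len(packet):
            return None  # truncated name
        length = packet[pos]
        if length == 0:
            break  # root label terminates the name
        if length & 0xC0:
            return None  # compression pointers are not expected in a question name
        pos += 1
        if pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return labels


def content_match(packet: bytes) -> bool:
    """What content:"|09|localhost"; nocase; checks: 0x09 + 'localhost'
    anywhere in the payload, case-insensitively."""
    return b"\x09localhost" in packet.lower()


def is_localhost_subdomain(labels, ignore_parents=("localdomain",)) -> bool:
    """Stricter check for the case mex describes: the name is
    localhost.<some domain>, not a bare 'localhost' lookup.
    ignore_parents is an assumed allowlist for names such as
    localhost.localdomain that many hosts resolve legitimately."""
    if not labels or len(labels) < 2:
        return False
    if labels[0].lower() != "localhost":
        return False
    return labels[1].lower() not in ignore_parents


def classify(packet: bytes) -> dict:
    """Summarise how the byte match and the structural check see one packet."""
    labels = parse_qname(packet)
    return {
        "qname": ".".join(labels) if labels else None,
        "rule_fires": content_match(packet),
        "localhost_subdomain": is_localhost_subdomain(labels),
    }


if __name__ == "__main__":
    # Constructed sample names, chosen to show where the two checks differ
    for name in ("localhost.example.com", "LocalHost.example.org",
                 "localhost", "localhost.localdomain", "www.example.com"):
        print(classify(build_query(name)))
```

The bare "localhost" query and "localhost.localdomain" both carry the `|09|localhost` bytes, so the rule as posted fires on them too; whether that is acceptable depends on how often the monitored hosts emit such lookups, which is worth measuring before moving the rule from the policy ruleset into a blocking role.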