Addresses returned for www.redhat.com on a test host whose resolver search list contains 2.getaddrinfo.bieringer.de:

| Protocol | Address returned | Comment |
|---|---|---|
| IPv6 | fec0::2 (from www.redhat.com.2.getaddrinfo.bieringer.de) | Security impact: if the application prefers an IPv6 connect, it tries to connect to the wrong hostname; this can be used e.g. for man-in-the-middle attacks |
| IPv4 | 209.132.177.50 (www.redhat.com) | |
Results by operating system:

| Operating System | Version | Unexpected use of search domains (1) | Unexpected connect to address returned by unexpected use of search domain (2) | Comments |
|---|---|---|---|---|
| FreeBSD | 6.1 | no | n/a, because no unexpected use was seen at all | |
| Linux (using glibc) | Fedora Core 5 | yes | yes | |
| Microsoft Windows | XP SP2 | yes | no | |
| Sun Solaris | 10 U2 | yes | yes | |
Commands used to check basic name resolution on the test hosts (`#` marks a Unix root shell, `>` the Windows command prompt):

```
# ping www.bieringer.de
# ping6 www.ipv6.bieringer.de
```

```
> ping www.bieringer.de
> ping6 www.ipv6.bieringer.de
```

```
# ping www.bieringer.de
# ping www.ipv6.bieringer.de
```
The test zones carry wildcard records: *.2.getaddrinfo.bieringer.de answers with a site-local AAAA, *.3.getaddrinfo.bieringer.de with a loopback A, and *.2g.getaddrinfo.bieringer.de with a global-scope AAAA. Any name appended with one of these search domains therefore resolves:

```
# dig +short any test.2.getaddrinfo.bieringer.de
fec0::2
"*.2.getaddrinfo.bieringer.de has AAAA and a TXT record"
# dig +short any test.3.getaddrinfo.bieringer.de
127.0.0.3
"*.3.getaddrinfo.bieringer.de has A and a TXT record"
# dig +short any test.2g.getaddrinfo.bieringer.de
2001:db8::2
"*.2g.getaddrinfo.bieringer.de has AAAA and a TXT record"
```
The same lookups from Windows with nslookup ("Nicht autorisierte Antwort" is the German-locale text for "Non-authoritative answer"):

```
>nslookup -q=any test.2.getaddrinfo.bieringer.de.
Server: router
Address: 192.0.2.1
Nicht autorisierte Antwort:
test.2.getaddrinfo.bieringer.de AAAA IPv6 address = fec0::2
test.2.getaddrinfo.bieringer.de text =
"*.2.getaddrinfo.bieringer.de has AAAA and a TXT record"
getaddrinfo.bieringer.de nameserver = ns.bieringer.de
ns.bieringer.de internet address = 212.18.21.188
ns.bieringer.de AAAA IPv6 address = 2001:a60:9002:1::188:1
```

```
>nslookup -q=any test.2g.getaddrinfo.bieringer.de.
Server: linksys192.lan
Address: 192.0.2.1
Nicht autorisierte Antwort:
test.2g.getaddrinfo.bieringer.de AAAA IPv6 address = 2001:db8::2
getaddrinfo.bieringer.de nameserver = ns.bieringer.de
ns.bieringer.de internet address = 212.18.21.188
ns.bieringer.de AAAA IPv6 address = 2001:a60:9002:1::188:1
```

```
>nslookup -q=any test.3.getaddrinfo.bieringer.de.
Server: linksys192.lan
Address: 192.0.2.1
Nicht autorisierte Antwort:
test.3.getaddrinfo.bieringer.de internet address = 127.0.0.3
test.3.getaddrinfo.bieringer.de text =
"*.3.getaddrinfo.bieringer.de has A and a TXT record"
getaddrinfo.bieringer.de nameserver = ns.bieringer.de
ns.bieringer.de internet address = 212.18.21.188
ns.bieringer.de AAAA IPv6 address = 2001:a60:9002:1::188:1
```
Resolver configuration on the Unix test hosts (the search list points at the test zones):

```
# cat /etc/resolv.conf
nameserver 192.0.2.1
search 2.getaddrinfo.bieringer.de 3.getaddrinfo.bieringer.de
2g.getaddrinfo.bieringer.de
3.getaddrinfo.bieringer.de
```
The address fec0::2 was assigned to an interface of each test host (Linux, FreeBSD and Solaris syntax respectively), so that a connect to it is answered locally:

```
# ip addr add fec0::2/64 dev eth0
# ifconfig lnc0 inet6 fec0::2/64
# ifconfig vmxnet0 inet6 addif fec0::2/64 up
```
Connect tests run on each host, while the DNS traffic was captured with tcpdump:

```
# telnet www.redhat.com 80
# telnet www.bieringer.de 80
```
FreeBSD 6.1:

```
freebsd# uname -a
FreeBSD freebsd 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:32:43 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
# telnet www.redhat.com 80
Trying 209.132.177.50... OK
Connected to www.redhat.com.
Escape character is '^]'.
# telnet www.bieringer.de 80
Trying 2001:a60:9002:1::186:3... OK
Connected to www.bieringer.hosting.aerasec.de.
Escape character is '^]'.
```

Captured DNS traffic (trailing remarks such as "OK" or "Unexpected" are the author's annotations, not part of the capture):

```
14:22:58.321637 IP 192.0.2.247.54510 > 192.0.2.1.domain: 34720+ A? www.redhat.com. (32) OK
14:22:58.378958 IP 192.0.2.1.domain > 192.0.2.247.54510: 34720 1/3/3 A 209.132.177.50 (150)
14:22:58.379770 IP 192.0.2.247.64705 > 192.0.2.1.domain: 34721+ AAAA? www.redhat.com. (32) OK
14:22:58.381385 IP 192.0.2.1.domain > 192.0.2.247.64705: 34721 0/0/0 (32)
14:24:52.323505 IP 192.0.2.247.56440 > 192.0.2.1.domain: 31319+ A? www.bieringer.de. (34) OK
14:24:52.368232 IP 192.0.2.1.domain > 192.0.2.247.56440: 31319 2/2/3 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (203)
14:24:52.369093 IP 192.0.2.247.64067 > 192.0.2.1.domain: 31320+ AAAA? www.bieringer.de. (34) OK
14:24:52.415152 IP 192.0.2.1.domain > 192.0.2.247.64067: 31320 2/2/3 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (215)
```
Linux (glibc), Fedora Core 5:

```
# uname -a
Linux linux-fedoracore-5 2.6.17-1.2174_FC5 #1 Tue Aug 8 15:30:55 EDT 2006 i686 athlon i386 GNU/Linux
# telnet www.redhat.com 80
Trying fec0::2...
telnet: connect to address fec0::2: Connection refused Unexpected, dangerous
Trying 209.132.177.50... OK
Connected to www.redhat.com.
# telnet www.bieringer.de 80
Trying 2001:a60:9002:1::186:3... OK
Connected to www.bieringer.de.
Escape character is '^]'.
```

Captured DNS traffic (trailing remarks are the author's annotations):

```
14:13:43.423021 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 62386+ AAAA? www.redhat.com. (32) OK
14:13:43.478981 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 62386 0/1/0 (76)
14:13:43.479385 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 28035+ AAAA? www.redhat.com.2.getaddrinfo.bieringer.de. (59) Unexpected and not needed at all
14:13:43.480718 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 28035 1/0/0 AAAA fec0::2 (87)
14:13:43.481164 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 38827+ A? www.redhat.com. (32) OK
14:13:43.538489 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 38827 1/3/3 A 209.132.177.50 (150)
14:26:10.295730 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 65370+ AAAA? www.bieringer.de. (34) OK
14:26:10.297302 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 65370 2/0/0 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (108)
14:26:10.297719 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 62122+ A? www.bieringer.de. (34) OK
14:26:10.299189 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 62122 2/0/0 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (96)
```
Microsoft Windows XP SP2:

```
> telnet www.redhat.com 80
> telnet www.bieringer.de 80
```

Captured DNS and connect traffic (trailing remarks are the author's annotations). The resolver appends the search domain 2g.getaddrinfo.bieringer.de to www.redhat.com after the plain AAAA query returns nothing, and receives 2001:db8::2 for it, but the subsequent TCP connect still goes to the IPv4 address 209.132.177.50:

```
15:11:50.978326 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 57811+ AAAA? www.redhat.com. (32) OK
15:11:51.040163 IP 192.0.2.1.domain > 192.0.2.167.iad1: 57811 0/1/0 (76)
15:11:51.041039 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 32468+ AAAA? www.redhat.com.2g.getaddrinfo.bieringer.de. (60) Unexpected and not needed at all
15:11:51.086047 IP 192.0.2.1.domain > 192.0.2.167.iad1: 32468 1/1/2 AAAA 2001:db8::2 (149)
15:11:51.089207 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 2006+ A? www.redhat.com. (32) OK
15:11:51.147964 IP 192.0.2.1.domain > 192.0.2.167.iad1: 2006 1/3/3 A 209.132.177.50 (150)
15:11:51.228869 IP 192.0.2.167.ardus-mtrns > 192.0.2.1.domain: 1+ PTR? 50.177.132.209.in-addr.arpa. (45)
15:11:51.228886 IP 192.0.2.167.ardus-mtrns > 192.0.2.1.domain: 1+ PTR? 50.177.132.209.in-addr.arpa. (45)
15:11:51.295876 IP 192.0.2.1.domain > 192.0.2.167.ardus-mtrns: 1 1/3/3 PTR www.redhat.com. (175)
15:11:53.231724 IP 192.0.2.167.ardus-cntl > 209.132.177.50.http: S 2241857364:2241857364(0) win 64240 <mss 1460,nop,nop,sackOK>
14:53:42.458714 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 44822+ AAAA? www.bieringer.de. (34) OK
14:53:42.460346 IP 192.0.2.1.domain > 192.0.2.167.iad1: 44822 2/0/0 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (108)
14:53:42.463487 IP 192.0.2.167.iad1 > 192.0.2.1.domain: 9749+ A? www.bieringer.de. (34) OK
14:53:42.535330 IP 192.0.2.1.domain > 192.0.2.167.iad1: 9749 2/2/3 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (203)
14:53:42.538728 IP6 2001:db8:1:1:e4bc:322a:a601:2345.1027 > 2001:a60:9002:1::186:3.http: S 2374075490:2374075490(0) win 16384 <mss 1432>
```
Sun Solaris 10 U2:

```
# uname -a
SunOS solaris10 5.10 Generic_118855-14 i86pc i386 i86pc
# telnet www.redhat.com 80
Trying fec0::2...
telnet: connect to address fec0::2: Connection refused Unexpected, dangerous
Trying 209.132.177.50... OK
Connected to www.redhat.com.
Escape character is '^]'.
# telnet www.bieringer.de 80
Trying 2001:a60:9002:1::186:3... OK
Connected to www.bieringer.hosting.aerasec.de.
Escape character is '^]'.
```

Captured DNS and connect traffic (trailing remarks are the author's annotations):

```
18:13:18.683051 IP 192.0.2.235.32833 > 192.0.2.1.domain: 57476+ AAAA? www.redhat.com. (32) OK
18:13:19.121853 IP 192.0.2.1.domain > 192.0.2.235.32833: 57476 0/1/0 (76)
18:13:19.123030 IP 192.0.2.235.32834 > 192.0.2.1.domain: 57477+ AAAA? www.redhat.com.2.getaddrinfo.bieringer.de. (59) Unexpected and not needed at all
18:13:19.124519 IP 192.0.2.1.domain > 192.0.2.235.32834: 57477 1/0/0 AAAA fec0::2 (87)
18:13:19.125859 IP 192.0.2.235.32835 > 192.0.2.1.domain: 57478+ A? www.redhat.com. (32) OK
18:13:19.182860 IP 192.0.2.1.domain > 192.0.2.235.32835: 57478 1/3/3 A 209.132.177.50 (150)
18:13:19.189621 IP 192.0.2.235.32846 > 209.132.177.50.http: S 371870147:371870147(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK>
18:51:50.705531 IP 192.0.2.235.32815 > 192.0.2.1.domain: 21181+ AAAA? www.bieringer.de. (34) OK
18:51:50.751282 IP 192.0.2.1.domain > 192.0.2.235.32815: 21181 2/2/1 CNAME www.bieringer.hosting.aerasec.de., AAAA 2001:a60:9002:1::186:3 (171) OK
18:51:50.755295 IP 192.0.2.235.32816 > 192.0.2.1.domain: 21182+ A? www.bieringer.de. (34) OK
18:51:50.756998 IP 192.0.2.1.domain > 192.0.2.235.32816: 21182 2/0/0 CNAME www.bieringer.hosting.aerasec.de., A 212.18.21.186 (96)
18:51:50.769879 IP6 2001:db8:1:1:20c:29ff:fe01:2345.32798 > 2001:a60:9002:1::186:3.http: S 932233757:932233757(0) win 50120 <mss 1432,nop,wscale 0,nop,nop,sackOK>
```
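The pattern visible in the Linux and Solaris captures above (the stub resolver first asks for the absolute name, gets no AAAA answer, then asks again with a search domain appended and receives a wildcard answer) can be checked for automatically. The following detector is an added example, not code from the page or its author: it reads tcpdump DNS lines of the format shown above, reports every query whose name is an already-queried name plus one of the configured search domains, and classifies the returned address. The sample capture lines and the search list are constructed here from the values on the page; the `tcpdump` text format is assumed to match the one in the captures.

```python
import ipaddress
import re

# Search list as in the /etc/resolv.conf shown on the page.
SEARCH_DOMAINS = ("2.getaddrinfo.bieringer.de", "3.getaddrinfo.bieringer.de",
                  "2g.getaddrinfo.bieringer.de")

# Constructed sample, modelled on the Linux capture on this page (no annotations).
SAMPLE = """\
14:13:43.423021 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 62386+ AAAA? www.redhat.com. (32)
14:13:43.478981 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 62386 0/1/0 (76)
14:13:43.479385 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 28035+ AAAA? www.redhat.com.2.getaddrinfo.bieringer.de. (59)
14:13:43.480718 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 28035 1/0/0 AAAA fec0::2 (87)
14:13:43.481164 IP 192.0.2.2.filenet-pa > 192.0.2.1.domain: 38827+ A? www.redhat.com. (32)
14:13:43.538489 IP 192.0.2.1.domain > 192.0.2.2.filenet-pa: 38827 1/3/3 A 209.132.177.50 (150)
"""

# tcpdump query line:  "<txid>+ A? name. (len)";  answer line: "<txid> a/n/a ... AAAA addr (len)"
QUERY = re.compile(r": (\d+)\+ (A|AAAA)\? (\S+)\. \(\d+\)$")
ANSWER = re.compile(r": (\d+) \d+/\d+/\d+ .*?(A|AAAA) (\S+) \(\d+\)$")

def find_search_leaks(capture, search_domains):
    """Return (original_name, expanded_name, answer_or_None) for each query in
    which a search domain was appended to a name that had already been queried
    verbatim, i.e. the sequence seen in the Linux and Solaris captures."""
    queried = set()   # names the stub resolver asked for as-is
    pending = {}      # txid -> (base name, expanded name) awaiting an answer
    leaks = []
    for line in capture.splitlines():
        m = QUERY.search(line)
        if m:
            txid, _, name = m.groups()
            queried.add(name)
            for sd in search_domains:
                if name.endswith("." + sd) and name[:-len(sd) - 1] in queried:
                    pending[txid] = (name[:-len(sd) - 1], name)
            continue
        m = ANSWER.search(line)
        if m and m.group(1) in pending:
            base, name = pending.pop(m.group(1))
            leaks.append((base, name, m.group(3)))
    leaks.extend((b, n, None) for b, n in pending.values())  # expanded, unanswered
    return leaks

def is_risky_address(addr):
    """True for an address a public name should never resolve to: site-local
    fec0::/10 (deprecated), loopback, private or otherwise non-global space."""
    ip = ipaddress.ip_address(addr)
    site_local = ip.version == 6 and ip.is_site_local
    return site_local or ip.is_loopback or ip.is_private or not ip.is_global
```

Feeding the real captures from this page (with the trailing annotations stripped) to `find_search_leaks` flags the two www.redhat.com lookups that ended at fec0::2, and `is_risky_address` marks that answer as one a connect should never be attempted to.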
www.bieringer.de is maintained by webmaster at bieringer dot de (Impressum)