getaddrinfo NXDOMAIN exploit - please test on CentOS 6 64-bit

John Nagle nagle at animats.com
Sat Mar 31 18:58:45 EDT 2012


    Some versions of CentOS 6 seem to have a potential
getaddrinfo exploit.  See

To test, try this from a command line:

	ping example

If it fails, good.  If it returns pings from "example.com", bad.
The getaddrinfo code is adding ".com" to the domain.

If that returns pings, please try

	ping noexample.com

There is no "noexample.com" domain in DNS.  This should time out.
But if you get ping replies from a CNET site, let me know.
Some implementations try "noexample.com", get a NXDOMAIN error,
and try again, adding ".com".  This results in a ping of
"noexample.com.com".  "com.com" is a real domain, run by a
unit of CBS, and they have their DNS set up to catch all
subdomains and divert them to, inevitably, an ad-oriented
junk search page.  (You can view the junk page at
"http://slimeball.com.com".  Replace "slimeball" with anything
else you like; it will still resolve.)

If you find a case where "ping noexample.com" returns a reply,
then try it in Python:


import socket
# For a name that does not exist, this should raise socket.gaierror
# rather than return an address list.
socket.getaddrinfo("noexample.com", 80)

That should return an error.  If it returns the IP address of
CNET's ad server, there's trouble.

This isn't a problem with the upstream DNS.  Usually, this sort
of thing means you're using some sleazy upstream DNS provider
like Comcast.  That's not the case here.  "host" and "nslookup"
aren't confused.  Only programs that use getaddrinfo, like "ping",
"wget", and Python, have this ".com" appending thing.  Incidentally,
if you try "noexample.net", there's no problem, because the
owner of "net.com" hasn't set up their DNS to exploit this.

And, of course, it has nothing to do with browser toolbars.  This
is at a much lower level.

If you can make this happen, report back the CentOS version and
the library version, please.

				John Nagle
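Added example, not part of the original post: a small offline model of how a resolver search list (the "domain"/"search" and "options ndots:N" settings in /etc/resolv.conf) could turn "noexample.com" into a lookup for "noexample.com.com", and why "noexample.net" would be unaffected. The resolv.conf contents, the zone table and the 192.0.2.x addresses are all constructed; in particular the post does not say what the affected machines have in resolv.conf, so the "search com" line is an assumption used to reproduce the reported symptom, not a finding. The ordering rule (names with fewer than ndots dots are tried with each search domain first, others are tried as absolute names first and only then with the search list; a trailing dot suppresses the search list) follows resolv.conf(5).

```python
def parse_resolv_conf(text):
    """Extract the search list and ndots value from resolv.conf-style text.

    'domain' and 'search' both set the search list (the later line wins);
    'options ndots:N' sets the dot threshold.  Default ndots is 1.
    """
    search = []
    ndots = 1
    for line in text.splitlines():
        # '#' and ';' start comments in resolv.conf
        line = line.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == 'domain' and args:
            search = [args[0]]
        elif key == 'search':
            search = list(args)
        elif key == 'options':
            for opt in args:
                if opt.startswith('ndots:'):
                    ndots = int(opt[len('ndots:'):])
    return search, ndots


def candidate_names(name, search, ndots=1):
    """Return the fully qualified names a search-list resolver tries, in order."""
    if name.endswith('.'):
        return [name]                     # already absolute: no search list applied
    absolute = [name + '.']
    with_search = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count('.') >= ndots:
        return absolute + with_search     # 'noexample.com' -> try as-is, then suffixes
    return with_search + absolute         # 'example'       -> suffixes first


def simulated_lookup(fqdn, zones):
    """Toy DNS: exact match, then '*.zone.' catch-all entries; None means NXDOMAIN."""
    if fqdn in zones:
        return zones[fqdn]
    labels = fqdn.split('.')              # 'a.com.com.' -> ['a', 'com', 'com', '']
    for i in range(1, len(labels) - 1):
        wildcard = '*.' + '.'.join(labels[i:])
        if wildcard in zones:
            return zones[wildcard]
    return None


def resolve_with_search(name, resolv_conf_text, zones):
    """Mimic a getaddrinfo-style lookup: walk the candidate list, stop at the first answer.

    Returns (fqdn_that_answered, address) or None for an overall NXDOMAIN.
    """
    search, ndots = parse_resolv_conf(resolv_conf_text)
    for fqdn in candidate_names(name, search, ndots):
        addr = simulated_lookup(fqdn, zones)
        if addr is not None:
            return fqdn, addr
    return None


# Constructed data.  192.0.2.0/24 is the RFC 5737 documentation range.
SANE_CONF = "nameserver 192.0.2.53\nsearch example.org\n"
SUSPECT_CONF = "nameserver 192.0.2.53\nsearch com   # assumption: a 'com' search domain\n"
ZONES = {
    'example.com.': '192.0.2.10',   # stands in for the real example.com
    '*.com.com.':   '192.0.2.99',   # stands in for a catch-all under com.com
}

if __name__ == '__main__':
    for conf_name, conf in (('sane', SANE_CONF), ('suspect', SUSPECT_CONF)):
        for q in ('example', 'noexample.com', 'noexample.net', 'noexample.com.'):
            print(conf_name, q, '->', resolve_with_search(q, conf, ZONES))
```

With the sane configuration all four queries come back as NXDOMAIN. With the suspect one, "example" answers as "example.com." and "noexample.com" answers as "noexample.com.com.", while "noexample.net" still fails because nothing in the constructed zones catches "*.net.com.". The last query shows the practitioner's check: asking for "noexample.com." with a trailing dot bypasses the search list entirely, so comparing the result for "name" against "name." is a quick way to tell search-list appending apart from a misbehaving upstream resolver.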
