Subject: DNS issue with c-ares.


From: Greg Christopher <gregory_christopher_at_yahoo.com>
Date: Wed, 16 Feb 2011 08:21:59 -0800 (PST)

Hi,
    We have noticed a problem with the way curl-lib does DNS lookups and have
confirmed it happens under c-ares.

    We have done some experimenting where attempting to connect to localhost
actually results in a DNS lookup on the DNS server if localhost is not defined
in the c:\windows\system32\drivers\etc\hosts file. This used to be normal
behavior.

    However, with Windows 7 it looks like they have stopped including localhost
in the hosts file. Instead, their local Windows DNS API call automatically
detects localhost references and returns the loopback interface.

    Curllib seems to be avoiding the Windows API that does the lookup. Instead it
does its own, first looking in hosts and then going out to the net.

Security issue:

    This creates a potentially bad situation. It's possible for systems to
create listeners that only work on loopback. In those cases, you may have
assurances that the connection can be trusted, so you don't do the normal
authentication steps. Listening on a regular socket of course requires
authentication and such.

    Conversely, when you write a local process that is supposed to _connect_ to
a process on localhost such as the one above, it assumes it's going to get
there, knows its connection will be trusted, and attempts the connection. This
process could be sending sensitive data.

    In this case, the IP address of localhost is actually put in the hands of
the DNS server. As you may be aware, there have been a lot of DNS spoofing style
attacks lately, and most people get their DNS server via DHCP, whether it be
Starbucks, a train station, or a hacker's computer-generated network you may
have joined because of the friendly SSID.

    I am actually using curl-lib where it's connecting to localhost, and it
broke on Windows 7 for certain connections. It turns out that "localhost" is
actually defined on most DNS servers so they usually return 127.0.0.1. However,
in our case it failed so we couldn't connect to anything. That means the DNS
server could have defined localhost to an attacker system and gotten some
interesting data sent over the wire remotely that was supposed to go to the
local system.

    When using curllib/c-ares, Wireshark shows the localhost resolution going
out to the network. Rebooting to erase the DNS cache and using Wireshark, the
other network attaching programs such as ping, i.e., etc, all handle the
resolution locally, even with localhost commented out of the hosts file as it
is by default in Windows 7.

    The fix for this issue would be to use the Windows resolver. Or hard code
localhost resolution inside your code to 127.0.0.1. But beware of IPv6.
Apparently this is why MS changed the code (allegedly). Some combinations of
having IPv4/IPv6 installed caused localhost resolution to fail since they
could only have one entry in the hosts file. So they now handle it in their
resolver code. Depending on what protocol is being used, you need to return the
correct notation.

Thanks in advance for your response(s),

Greg Christopher

Received on 2011-02-16
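The two mitigations the message argues for, as an added example in C that is not c-ares or libcurl code: a short-circuit that answers "localhost" from inside the program (127.0.0.1 or ::1 depending on the address family, so the name never reaches a DNS server), and a defensive check that a program relying on "localhost" meaning the local machine can apply to whatever address a resolver hands back, refusing anything outside 127.0.0.0/8 or ::1. The helper names are hypothetical, the POSIX headers (arpa/inet.h, netinet/in.h) stand in for the Windows equivalents, and the resolver answers in main() are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper names; not c-ares or libcurl API. */

/* Returns 1 if name is "localhost" in any letter case, with or without a
 * trailing dot ("localhost."); returns 0 for anything else, including
 * "localhost.example" or "localhostx". */
int is_localhost_name(const char *name)
{
    static const char ref[] = "localhost";
    size_t n, i;

    if (name == NULL)
        return 0;
    n = strlen(name);
    if (n > 0 && name[n - 1] == '.')
        n--;                           /* tolerate the absolute (FQDN) form */
    if (n != sizeof(ref) - 1)
        return 0;
    for (i = 0; i < n; i++) {
        if (tolower((unsigned char)name[i]) != ref[i])
            return 0;
    }
    return 1;
}

/* Short-circuit step to run before handing a name to any resolver: if the
 * name is localhost, return the loopback literal for the requested address
 * family and never emit a DNS query. Returns NULL for other names so the
 * caller falls through to its normal hosts-file/DNS path. */
const char *resolve_localhost_locally(const char *name, int family)
{
    if (!is_localhost_name(name))
        return NULL;
    return family == AF_INET6 ? "::1" : "127.0.0.1";
}

/* Returns 1 if an address literal is loopback: 127.0.0.0/8 for IPv4,
 * ::1 for IPv6. Anything unparsable counts as not loopback. */
int is_loopback_literal(const char *addr)
{
    struct in_addr a4;
    struct in6_addr a6;

    if (addr == NULL)
        return 0;
    if (inet_pton(AF_INET, addr, &a4) == 1) {
        /* s_addr is in network byte order, so byte 0 is the first octet */
        const unsigned char *oct = (const unsigned char *)&a4.s_addr;
        return oct[0] == 127;
    }
    if (inet_pton(AF_INET6, addr, &a6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&a6);
    return 0;
}

/* Policy check for code that relies on "localhost" meaning the local machine:
 * accept the resolver's answer only if it is a loopback address. For names
 * other than localhost no special trust is assumed, so the answer is accepted
 * and the caller applies its normal authentication. Returns 1 to proceed,
 * 0 to refuse the connection. */
int accept_resolved_address(const char *name, const char *resolved)
{
    if (!is_localhost_name(name))
        return 1;
    return is_loopback_literal(resolved);
}

int main(void)
{
    /* Constructed sample: the name the application meant and three possible
     * resolver answers, two genuine loopback and one a remote host. */
    const char *name = "localhost";
    const char *answers[] = { "127.0.0.1", "::1", "192.0.2.10" };
    size_t i;

    printf("local short-circuit (IPv4): %s\n", resolve_localhost_locally(name, AF_INET));
    printf("local short-circuit (IPv6): %s\n", resolve_localhost_locally(name, AF_INET6));
    for (i = 0; i < sizeof(answers) / sizeof(answers[0]); i++)
        printf("answer %-12s -> %s\n", answers[i],
               accept_resolved_address(name, answers[i]) ? "accept" : "refuse");
    return 0;
}
```

The short-circuit is the cheap fix the message describes (hard-coding localhost, with the IPv6 case handled by family), while accept_resolved_address is the belt-and-braces check for programs that skip authentication on the assumption that the peer is local: if a DNS answer for "localhost" points off the machine, the connection is refused rather than sending data to it.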