Subject: Re: localhost security hole
To: NetBSD security list <>
From: Alan Barrett <>
List: tech-security
Date: 06/28/2003 16:18:46
On Sat, 28 Jun 2003, William Allen Simpson wrote:
> Having proved beyond all shadow of a doubt that sending mail to 
> root@localhost leaves a security leak a mile wide, what should be done?
> The zone administrator (or DNS spoofer) can redirect all root mail, by 
> adding a zone entry "localhost.dom.ain." that points to some other 
> place than  Is this considered a feature?

I can confirm that this flaw exists, and I think it's a bug in sendmail,
or sendmail's default configuration on NetBSD.  Applications like ping,
telnet and ssh do not exhibit the problem.

How to repeat:

  1. Configure a machine with hostname, running
     sendmail and smmsp.
  2. Make an authoritative nameserver for
  3. In the DNS zone, add " A"
  4. In /etc/resolv.conf on, place "search"
     and "nameserver".
  5. Run tcpdump to capture all traffic to (including ARP requests).
  6. ping localhost.  Observe that it pings, and does not attempt
     to contact
  7. Similarly, try "ssh localhost" and "telnet localhost".  They attempt
     to connect to and/or IPv6 ::1.
  8. echo test | mail root@localhost
     Observe that something (presumably sendmail) tries to connect to

> I proposed PR install/21999, to modify the /etc/hosts file to include 
> "localhost.dom.ain", right next to the "host.dom.ain host" line.
> So far, most commentators oppose this change.
> Alternatives?

The default tries to handle "localhost" as a special case.
It seems to be getting it wrong somehow.  I think we should find out why
and fix it.

We should also check whether postfix has a similar problem.

--apb (Alan Barrett)
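The reproduction steps above amount to one check a defender can automate: take the `search` list from resolv.conf, enumerate every name that an unqualified "localhost" could expand to, and flag any expansion that answers with a non-loopback address. The following script is an added example and is not part of this message or of NetBSD; the search domain `example.test`, the addresses in `192.0.2.0/24`, and the `sample_resolver` answers are all constructed placeholders. The `system_resolver` helper is an assumption about how you would run the same audit against a live host.

```python
"""Added example (not from the original thread): audit how an unqualified
"localhost" may resolve once the resolver's search list is applied.

The message describes the risk: the resolver may expand "localhost" to
"localhost.<search-domain>", a name controlled by the zone administrator
(or a DNS spoofer).  Any program that resolves localhost through DNS
instead of treating it as a loopback special case can be redirected.

All hostnames, search domains and DNS answers here are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List


def parse_search_domains(resolv_conf: str) -> List[str]:
    """Return the search list from resolv.conf text ('search' or 'domain' lines)."""
    domains: List[str] = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue
        if parts[0] in ("search", "domain"):
            domains.extend(parts[1:])
    return domains


def candidate_names(name: str, search_domains: List[str]) -> List[str]:
    """Names a resolver may try for an unqualified name, given the search list."""
    if name.endswith("."):
        return [name]  # already fully qualified: no search expansion
    return [name] + [f"{name}.{d}" for d in search_domains]


def non_loopback_answers(addrs: List[str]) -> List[str]:
    """Keep only answers outside 127.0.0.0/8 and ::1."""
    return [a for a in addrs if not ipaddress.ip_address(a).is_loopback]


def audit_localhost(resolv_conf: str,
                    resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Map each expansion of 'localhost' to the non-loopback addresses it yields.

    An empty result means every candidate name answered with loopback only.
    """
    findings: Dict[str, List[str]] = {}
    for fqdn in candidate_names("localhost", parse_search_domains(resolv_conf)):
        bad = non_loopback_answers(resolve(fqdn))
        if bad:
            findings[fqdn] = bad
    return findings


def system_resolver(name: str) -> List[str]:
    """Resolve through this host's own resolver (live check; assumption, not used by the test)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed sample: a zone carrying a rogue "localhost.example.test" A record.
SAMPLE_RESOLV_CONF = """\
# constructed resolv.conf
search example.test
nameserver 192.0.2.53
"""
SAMPLE_ZONE_ANSWERS = {
    "localhost": ["127.0.0.1", "::1"],          # the loopback special case
    "localhost.example.test": ["192.0.2.10"],   # rogue entry added in the zone
}


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS, answering from the constructed zone."""
    return SAMPLE_ZONE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for fqdn, addrs in audit_localhost(SAMPLE_RESOLV_CONF, sample_resolver).items():
        print(f"WARNING: {fqdn} resolves to non-loopback address(es) {addrs}")
    # Live check on the current host (uncomment to run):
    # print(audit_localhost(open("/etc/resolv.conf").read(), system_resolver))
```

The audit only tells you whether a rogue expansion exists in DNS; it does not tell you which programs would follow it. That is why the message contrasts ping, telnet and ssh (which special-case localhost) with sendmail (which, on the evidence above, does not): pair this check with a packet capture, as in step 5, to see which services actually contact the non-loopback address.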