Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[AFRINIC-rpd] whois.afrinic.net leaks passwords

Guy Antony Halse G.halse at ru.ac.za
Wed Nov 21 07:53:15 UTC 2012 

Hi

I'm not sure whether this needs to be a formal policy suggestion, or whether
this is just common sense.

As things currently stand, whois.afrinic.net leaks authentication
information in mntner objects.  Given that MD5 is now considered
compromised[1], this is a bad thing(tm).

Consider this example from whois.afrinic.net:

  guy at walrus:~% whois -h whois.afrinic.net -- '-r rhodes-mnt'
  % This is the AfriNIC Whois server.

  % Note: this output has been filtered.

  % Information related to 'RHODES-MNT'

  mntner:         RHODES-MNT
  descr:          Rhodes University
  admin-c:        RUAC1-AFRINIC
  tech-c:         RUTC1-AFRINIC
  auth:           MD5-PW $1$YNIwaJCr$o6HscaF6FNVCRsYjIFn1v0
  remarks:        Rhodes University Information Technology Division
  remarks:        http://www.ru.ac.za/
  mnt-by:         RHODES-MNT
  source:         AFRINIC # Filtered

which leaks an MD5 password in the auth: attribute.

Then consider RIPE's output for the equivelent object:

  guy at walrus:~% whois -h whois.ripe.net -- '-r rhodes-mnt'
  % This is the RIPE Database query service.
  % The objects are in RPSL format.
  %
  % The RIPE Database is subject to Terms and Conditions.
  % See http://www.ripe.net/db/support/db-terms-conditions.pdf

  % Note: this output has been filtered.
  %       To receive output for a database update, use the "-B" flag.

  % Information related to 'RHODES-MNT'

  mntner:         RHODES-MNT
  descr:          Rhodes University
  remarks:        see also RHODES-MNT in AfriNIC's database (whois.afrinic.net)
  admin-c:        RUZA1-RIPE
  admin-c:        RUZA1-RIPE
  auth:           MD5-PW # Filtered
  mnt-by:         RHODES-MNT
  referral-by:    RHODES-MNT
  remarks:        Accepted the RIPE Database Terms and Conditions
  source:         RIPE # Filtered

  % This query was served by the RIPE Database Query Service version 1.42 (WHOIS2)

which filters the auth: attribute to remove the MD5 password string, while
still maintaining sufficient information to let me know that the object is
password protected and indeed has an MD5 password.

I would strongly suggest that AfriNIC should be following RIPE's example,
and filtering the auth: attribute of the mntner object in WHOIS output.

Can someone from AfriNIC comment.  If this needs to be a formal policy
proposal, I'm happy to put one together.

- Guy
-- 
Manager: Systems, IT Division, Rhodes University, Grahamstown, South Africa
Email: G.Halse at ru.ac.za   Web: http://mombe.org/   IRC: rm-rf at irc.atrum.org
*** ANSI Standard Disclaimer ***                                    J.A.P.H

[1] http://www.kb.cert.org/vuls/id/836068

More information about the RPD mailing list