linux.forged.packets.txt

26 Oct 1999 00:00:00 | Reported by Marc Schaefer | Type: packetstorm | Source: packetstormsecurity.com

Local users can send forged packets in Linux, bypassing security measures like firewalls.

Code
Date: Sat, 23 Oct 1999 18:34:56 +0200  
Reply-To: Pavel Kankovsky <[email protected]>  
  
  
The advisory did not explain what was the cause of the problem.  
(Rant: Why? Will the following explanation help anyone who would not be  
able to find out this piece of information himself to abuse the bug?)  
  
As far as I can tell, the problem is this: anyone, including mere mortals,  
is allowed to use TIOCSETD. Therefore anyone can set PPP line discipline  
on a tty under his control and send forged datagrams right into the kernel  
network subsystem.  
  
I do not believe there is any reason why mortals should ever be allowed to  
use TIOCSETD (at least under Linux), therefore adding something like  
"if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/  
tty_io.c should fix the problem for 2.0 (things are a bit more  
complicated in 2.2 but we've already got a fix for 2.2). But remember:  
you use it at your own risk, there is no guarantee this patch will not  
kill all your family when used improperly.  
  
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms]  
"Resistance is futile. Open your source code and prepare for  
assimilation."   
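The TIOCSETD path described in the mail above, as an added userland model. This is illustration code written for this page, not kernel source and not code from the mailing list or the advisory: the `struct task`, `struct tty_struct`, `suser()` and `tty_set_ldisc()` names are simplified stand-ins for the 2.0 kernel's structures, the ioctl and line-discipline numbers are the Linux x86 values, and the caller's euid is simulated rather than taken from a real process. It places the unpatched dispatcher beside the blanket `suser()` check Pavel proposes, and beside a third variant (an assumption of this example, not the 2.2 fix the mail alludes to) that gates only the disciplines which hand tty bytes to the network stack, so that unprivileged users keep the harmless N_TTY switch.

```c
#include <errno.h>
#include <stdio.h>

/* Linux x86 ioctl number for "set line discipline" (guarded so the model
 * also builds where <sys/ioctl.h> is not pulled in). */
#ifndef TIOCSETD
#define TIOCSETD 0x5423
#endif
/* Line discipline numbers as in <linux/tty.h>. */
#ifndef N_TTY
#define N_TTY  0
#define N_SLIP 1
#define N_PPP  3
#endif
#define NR_LDISCS 16

/* Simulated calling task: stands in for the kernel's current->euid. */
struct task { unsigned int euid; };
static struct task *current;

/* 2.0-era superuser test: effective uid 0 (simplified model of suser()). */
static int suser(void) { return current->euid == 0; }

/* Minimal tty: only the field the TIOCSETD path touches. */
struct tty_struct { int ldisc; };

/* SLIP and PPP are the disciplines that feed tty bytes into the network stack. */
static int ldisc_reaches_network(int ld) { return ld == N_SLIP || ld == N_PPP; }

/* Shared discipline switch with the range check every variant needs. */
static int tty_set_ldisc(struct tty_struct *tty, int ld)
{
    if (ld < 0 || ld >= NR_LDISCS)
        return -EINVAL;
    tty->ldisc = ld;
    return 0;
}

typedef int (*ioctl_fn)(struct tty_struct *, unsigned int, int *);

/* Pre-fix behaviour: any owner of the tty may switch discipline. */
static int tty_ioctl_unpatched(struct tty_struct *tty, unsigned int cmd, int *arg)
{
    if (cmd == TIOCSETD)
        return tty_set_ldisc(tty, *arg);
    return -EINVAL;
}

/* The mail's proposal: a blanket superuser check under case TIOCSETD. */
static int tty_ioctl_suser_check(struct tty_struct *tty, unsigned int cmd, int *arg)
{
    if (cmd == TIOCSETD) {
        if (!suser())
            return -EPERM;
        return tty_set_ldisc(tty, *arg);
    }
    return -EINVAL;
}

/* Alternative placement (this example's own assumption, not the 2.2 fix):
 * privilege is required only for disciplines that reach the network stack. */
static int tty_ioctl_network_ldisc_check(struct tty_struct *tty, unsigned int cmd, int *arg)
{
    if (cmd == TIOCSETD) {
        if (ldisc_reaches_network(*arg) && !suser())
            return -EPERM;
        return tty_set_ldisc(tty, *arg);
    }
    return -EINVAL;
}

/* Run one TIOCSETD attempt as the given euid against a fresh N_TTY tty.
 * Returns the ioctl result; *out_ldisc receives the discipline afterwards. */
static int try_setd(ioctl_fn handler, unsigned int euid, int ld, int *out_ldisc)
{
    struct task t = { euid };
    struct tty_struct tty = { N_TTY };
    int arg = ld, ret;

    current = &t;
    ret = handler(&tty, TIOCSETD, &arg);
    if (out_ldisc)
        *out_ldisc = tty.ldisc;
    return ret;
}

/* Convenience: which discipline the tty ends up with after the attempt. */
static int ldisc_after(ioctl_fn handler, unsigned int euid, int ld)
{
    int after;
    try_setd(handler, euid, ld, &after);
    return after;
}

int main(void)
{
    struct { const char *name; ioctl_fn fn; } variants[] = {
        { "unpatched",          tty_ioctl_unpatched },
        { "suser() at SETD",    tty_ioctl_suser_check },
        { "network-ldisc only", tty_ioctl_network_ldisc_check },
    };
    int targets[] = { N_TTY, N_PPP };
    unsigned int uids[] = { 0, 1000 };

    for (size_t v = 0; v < 3; v++)
        for (size_t u = 0; u < 2; u++)
            for (size_t i = 0; i < 2; i++) {
                int after, ret = try_setd(variants[v].fn, uids[u], targets[i], &after);
                printf("%-20s euid=%-4u want=%d -> ret=%d ldisc=%d\n",
                       variants[v].name, uids[u], targets[i], ret, after);
            }
    return 0;
}
```

The table the program prints makes the trade-off visible: the blanket check refuses every TIOCSETD from a non-root caller, including a switch back to N_TTY, which is the price of a one-line fix; the targeted variant refuses only SLIP and PPP for non-root callers and leaves the tty's discipline untouched on -EPERM, which is the property a defender actually needs (no unprivileged path into the network subsystem).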
  
  
  
NAME  
user-rawip-attack  
AUTHOR  
Marc SCHAEFER <[email protected]>  
with the help of Alan COX (for the fix)  
and of Andreas Trottmann <[email protected]> for the  
work-around idea.  
VERSION  
$Id: user-raw-IP,v 1.3 1999/10/22 08:33:10 schaefer Exp $  
  
ABSTRACT  
Forged packets can be sent out from a Linux system, for example  
for NFS attacks or any other protocol relying on addresses for  
authentication, even when the outside interfaces are protected  
by firewalling rules. Most of the time, existing firewalling  
rules are bypassed. This requires at least a shell account on the  
system.  
  
IMPACT  
Any local user can send any packet to any host from most Linux default  
installations without exploiting any permission problem or  
suid flaw. Basically, it corresponds to having write-only permission  
on a raw IP socket on the server machine.  
  
IMMUNE CONFIGURATIONS  
You are immune to this problem if one (or more) of the following  
is true:  
  
- you do not have local (shell) users  
  
- SLIP and PPP are not compiled into the kernel and either  
are not available in /lib/modules/* as modules, or are  
never loaded and kerneld/kmod is not available.  
  
- you use a deny-default configuration for your input firewall rules,  
and you don't have accept entries for specific addresses or  
for unused ppp or slip interfaces (and the used ones are  
never left unused, or their accept rules are safely removed at shutdown).  
  
- you use 2.3.18 with ac6 patch (or higher).  
  
- you use 2.2.13pre15 (or higher).  
  
OPERATING SYSTEMS  
Linux (any until recently)  
  
POSSIBLE-WORK-AROUNDS  
- Make sure that SLIP and PPP support is not available  
or  
- Use deny default policy for input firewall, only allow for  
specific address ranges and specific interfaces. For dynamic links  
(such as SLIP or PPP), add an accept at link creation time, and  
remove the entry when the link goes down.  
  
FIX  
- For 2.3.x, install 2.3.18 with the ac6 patch (or higher). Warning,  
this is a DEVELOPMENT kernel.  
- For 2.2.x, install 2.2.13pre15 or higher (e.g. 2.2.13).  
- At this time there is no fix for 2.0.x. Please apply the above-mentioned  
work-arounds.  
  
EXPLOIT  
Please do not request the exploit from the listed authors. Requests for  
exploits will be ignored. A working exploit exists and has been  
tested on current Linux distributions. It is possible that an  
exploit will be posted some time in the future (or that someone reads  
this and writes one himself ...).  
  
NOTES  
This advisory is for information only. No warranty either expressed  
or implied. Full disclosure and dissemination are allowed as long as  
this advisory is published in full. No responsibility will be taken  
for abuse or lack of use of the information in this advisory.  
  

Vulners AI Score: 7.4 (High risk)