Local user can send forged packets
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   Date: Fri, 22 Oct 1999  12:34:33
   From: Marc SCHAEFER <schaefer@ALPHANET.CH>
     To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Local user can send forged packets
--------------------------------------------------------------------------------


NAME
  user-rawip-attack
AUTHOR
  Marc SCHAEFER <schaefer@alphanet.ch>
     with the help of Alan COX (for the fix)
     and of Andreas Trottmann <andreas.trottmann@werft22.com> for the
     work-around idea.
VERSION
  $Id: user-raw-IP,v 1.3 1999/10/22 08:33:10 schaefer Exp $

ABSTRACT
  Forged packets can be sent out from a Linux system, for example
  for NFS attacks or attacks on any other protocol that relies on
  addresses for authentication, even when the outside interfaces are
  protected by firewalling rules. Most of the time, existing firewalling
  rules are bypassed. This requires at least a shell account on the
  system.

IMPACT
  Any local user can send any packet to any host from most Linux default
  installations without exploiting any permission problem or suid flaw.
  Basically, it corresponds to having write-only permission on a raw IP
  socket on the server machine.

IMMUNE CONFIGURATIONS
  You are immune to this problem if one (or more) of the following
  is true:

     - you do not have local (shell) users

     - SLIP and PPP are not compiled into the kernel and either
       are not available in /lib/modules/* as modules, or are
       never loaded and kerneld/kmod is not available.

     - you use a deny-default configuration for your input firewall rules,
       and you don't have accept entries for specific addresses or
       for unused ppp or slip interfaces (and interfaces that are in use
       are never left idle, or their accept rules are reliably removed
       when the link goes down).

     - you use 2.3.18 with ac6 patch (or higher).

     - you use 2.2.13pre15 (or higher).

OPERATING SYSTEMS
  Linux (any until recently)

POSSIBLE-WORK-AROUNDS
  - Make sure that SLIP and PPP support is not available
  or
  - Use a deny default policy for the input firewall; only allow
    specific address ranges on specific interfaces. For dynamic links
    (such as SLIP or PPP), add an accept rule at link creation time, and
    remove the entry when the link goes down.

FIX
  - For 2.3.x, install 2.3.18 with the ac6 patch (or higher). Warning,
    this is a DEVELOPMENT kernel.
  - For 2.2.x, install 2.2.13pre15 or higher (e.g. 2.2.13).
  - At this time there is no fix for 2.0.x. Please apply the above
    mentioned work-arounds.
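An audit script that walks the IMMUNE CONFIGURATIONS checklist and the 2.2.x fix level from the FIX section (added example, not part of the advisory). The filesystem root and kernel version are parameters so it can be pointed at a constructed tree; it assumes modular SLIP/PPP drivers are named ppp*.o / slip*.o and that the autoloader is kerneld or kmod (visible as /proc/sys/kernel/modprobe).

```shell
#!/bin/sh
# Audit helper for the IMMUNE CONFIGURATIONS and FIX lists of this advisory.
# Added example, not the advisory's own code. Paths are taken as parameters
# so the checks can run against a constructed directory tree. Built-in
# (non-modular) SLIP/PPP support is NOT detected here; check the kernel config.

# 0 if a SLIP or PPP module file exists under the modules root (e.g. /lib/modules).
has_slip_ppp_modules() {
    [ -d "$1" ] || return 1
    find "$1" -type f \( -name 'ppp*.o' -o -name 'slip*.o' \) 2>/dev/null | grep -q .
}

# 0 if an sl* or ppp* interface is listed in a /proc/net/dev-style file,
# i.e. a SLIP/PPP link currently exists.
has_slip_ppp_ifaces() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*(sl|ppp)[0-9]+:' "$1"
}

# 0 if a module autoloader is present: kerneld (2.0.x) or kmod (2.2.x).
has_module_autoloader() {
    [ -x "$1/sbin/kerneld" ] || [ -r "$1/proc/sys/kernel/modprobe" ]
}

# 0 if a 2.2.x version string is at least 2.2.13pre15 (the advisory's fix level).
# 2.0.x has no fix and 2.3.x needs the ac6 patch, so both return 1 here.
kernel_22_fixed() {
    case "$1" in 2.2.*) ;; *) return 1 ;; esac
    patch=${1#2.2.}
    num=${patch%%[!0-9]*}
    [ -n "$num" ] || return 1
    [ "$num" -gt 13 ] && return 0
    [ "$num" -eq 13 ] || return 1
    rest=${patch#13}
    case "$rest" in
        pre*) pre=${rest#pre}; pre=${pre%%[!0-9]*}; [ "${pre:-0}" -ge 15 ] ;;
        *) return 0 ;;     # plain 2.2.13 or a vendor suffix on it
    esac
}

# 0 (exposed) when the kernel is unfixed and a local user can get a SLIP/PPP
# interface: one exists already, or modules plus an autoloader are available.
# $1 = filesystem root to inspect (/ on a live system), $2 = kernel version.
audit_rawip_exposure() {
    kernel_22_fixed "$2" && return 1
    has_slip_ppp_ifaces "$1/proc/net/dev" && return 0
    has_slip_ppp_modules "$1/lib/modules" && has_module_autoloader "$1" && return 0
    return 1
}
```

On a live system run `audit_rawip_exposure / "$(uname -r)"`; a 0 exit status means the work-arounds above still need to be applied.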

EXPLOIT
  Please do not request an exploit from the listed authors. Requests for
  exploits will be ignored. A working exploit exists and has been
  tested on current Linux distributions. It is possible that an
  exploit will be posted some time in the future (or that someone reads
  this and writes one himself ...).

NOTES
  This advisory is for information only. No warranty either expressed
  or implied. Full disclosure and dissemination are allowed as long as
  this advisory is published in full. No responsibility will be taken
  for abuse or lack of use of the information in this advisory.

