linux.forged.packets.txt
Posted Oct 26, 1999
Authored by Marc Schaefer

Forged packets can be sent out from a Linux system, for example for NFS attacks or any other protocol relying on addresses for authentication, even when the outside interfaces are protected by firewalling rules. Most of the time, existing firewalling rules are bypassed. This requires at least a shell account on the system.

tags | exploit, shell, protocol
systems | linux
SHA-256 | 8d159590c7c839774eb2f8a7c4dddf0737f16a6cf7e3d10393036232f45f5469

Date: Sat, 23 Oct 1999 18:34:56 +0200
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>


The advisory did not explain what the cause of the problem was.
(Rant: Why? Will the following explanation help anyone who would not be
able to find out this piece of information himself to abuse the bug?)

As far as I can tell, the problem is this: anyone, including mere mortals,
is allowed to use TIOCSETD. Therefore anyone can set the PPP line discipline
on a tty under his control and send forged datagrams right into the kernel
network subsystem.

I do not believe there is any reason why mortals should ever be allowed to
use TIOCSETD (at least under Linux), therefore adding something like
"if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/
tty_io.c should fix the problem for 2.0 (things are a bit more
complicated in 2.2 but we've already got a fix for 2.2). But remember:
you use it at your own risk, there is no guarantee this patch will not
kill all your family when used improperly.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms]
"Resistance is futile. Open your source code and prepare for
assimilation."



NAME
user-rawip-attack
AUTHOR
Marc SCHAEFER <schaefer@alphanet.ch>
with the help of Alan COX (for the fix)
and of Andreas Trottmann <andreas.trottmann@werft22.com> for the
work-around idea.
VERSION
$Id: user-raw-IP,v 1.3 1999/10/22 08:33:10 schaefer Exp $

ABSTRACT
Forged packets can be sent out from a Linux system, for example
for NFS attacks or any other protocol relying on addresses for
authentication, even when the outside interfaces are protected
by firewalling rules. Most of the time, existing firewalling
rules are bypassed. This requires at least a shell account on the
system.

IMPACT
Any local user can send any packet to any host from most Linux default
installations, without relying on any permission problem or
suid flaw. Basically, it corresponds to having write-only access
to a raw IP socket on the server machine.

IMMUNE CONFIGURATIONS
You are immune to this problem if one (or more) of the following
is true:

- you do not have local (shell) users

- SLIP and PPP are not compiled into the kernel and either
are not available in /lib/modules/* as modules, or are
never loaded and kerneld/kmod is not available.

- you use a deny-default configuration for your input firewall rules,
and you have no accept entries for specific addresses or
for unused ppp or slip interfaces (and the interfaces in use never
become unused while their accept rules remain, or the accept rules
are safely removed at shutdown).

- you use 2.3.18 with ac6 patch (or higher).

- you use 2.2.13pre15 (or higher).

OPERATING SYSTEMS
Linux (any until recently)

POSSIBLE-WORK-AROUNDS
- Make sure that SLIP and PPP support are not available
or
- Use a deny-default policy for the input firewall, and only allow
specific address ranges on specific interfaces. For dynamic links
(such as SLIP or PPP), add an accept rule at link creation time, and
remove the entry when the link goes down.

FIX
- For 2.3.x, install 2.3.18 with the ac6 patch (or higher). Warning,
this is a DEVELOPMENT kernel.
- For 2.2.x, install 2.2.13pre15 or higher (e.g. 2.2.13).
- At this time there is no fix for 2.0.x. Please apply the above mentioned
work-arounds.
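To turn the IMMUNE CONFIGURATIONS and FIX sections into a check an administrator can run without root, here is an added audit script (not the advisory authors' code): kernel_status applies the advisory's version rules to a kernel version string, and loaded_ldisc_modules lists SLIP/PPP modules from a /proc/modules-format file. The module names "ppp" and "slip" are assumed; versions outside the 2.0/2.2/2.3 series the advisory covers are reported as unknown, not as fixed.

```shell
#!/bin/sh
# Audit helper written for this advisory (not the authors' code).
# kernel_status applies the FIX section's version rules to strings such as
# "2.2.13pre15" or "2.3.18-ac6"; loaded_ldisc_modules lists SLIP/PPP modules
# from a /proc/modules-format file (module names assumed to be "ppp"/"slip").

# Split a version string into MAJ MIN PAT TAG TAGNUM (2.3.18-ac6 -> 2 3 18 ac 6).
parse_version() {
    base=$(printf '%s' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    rest=$(printf '%s' "$1" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*//; s/^-//')
    MAJ=${base%%.*}; PAT=${base##*.}; MIN=${base#*.}; MIN=${MIN%%.*}
    TAG=$(printf '%s' "$rest" | sed 's/[0-9]*$//')
    TAGNUM=$(printf '%s' "$rest" | sed 's/^[^0-9]*//'); TAGNUM=${TAGNUM:-0}
}

# Prints fixed, vulnerable, or unknown for series the advisory does not cover.
kernel_status() {
    parse_version "$1"
    case "$MAJ.$MIN" in
    2.0) echo vulnerable ;;  # no fix for 2.0.x; only the work-arounds apply
    2.2) # 2.2.13pre15 or higher; a non-"pre" tag sits on top of a final release
        if [ "$PAT" -gt 13 ] || { [ "$PAT" -eq 13 ] && [ "$TAG" != pre ]; }; then echo fixed
        elif [ "$PAT" -eq 13 ] && [ "$TAGNUM" -ge 15 ]; then echo fixed
        else echo vulnerable; fi ;;
    2.3) # 2.3.18 is fixed only with the ac6 patch or higher; later 2.3.x are fixed
        if [ "$PAT" -gt 18 ]; then echo fixed
        elif [ "$PAT" -eq 18 ] && [ "$TAG" = ac ] && [ "$TAGNUM" -ge 6 ]; then echo fixed
        else echo vulnerable; fi ;;
    *)   echo unknown ;;
    esac
}

# Prints the SLIP/PPP modules named in $1 (a file in /proc/modules format).
loaded_ldisc_modules() {
    awk '$1 ~ /^(ppp|slip)$/ { print $1 }' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Live check: kernel version verdict plus any currently loaded SLIP/PPP modules.
audit_host() {
    kver=$(uname -r)
    echo "kernel $kver: $(kernel_status "$kver")"
    if [ -r /proc/modules ]; then
        mods=$(loaded_ldisc_modules /proc/modules)
        echo "loaded SLIP/PPP modules: ${mods:-none}"
    fi
}

audit_host
```

A built-in (non-modular) SLIP or PPP driver cannot be detected from /proc/modules, so a "none" result only rules out the module path; the kernel configuration still has to be checked.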

EXPLOIT
Please do not request the exploit from the listed authors. Requests for
exploits will be ignored. A working exploit exists and has been
tested on current Linux distributions. It is possible that an
exploit will be posted some time in the future (or that someone reads
this and writes one himself ...).

NOTES
This advisory is for information only. No warranty either expressed
or implied. Full disclosure and dissemination are allowed as long as
this advisory is published in full. No responsibility will be taken
for abuse or lack of use of the information in this advisory.
