Re: Local user can send forged packets

Pavel Kankovsky (peakARGO.TROJA.MFF.CUNI.CZ)
Sat, 23 Oct 1999 18:34:56 +0200

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: Marc Heuse: "SuSE Security Announcement - ypserv"
• Previous message: Thejian: "Re: Hotmail security vulnerability (viruses)"
• Next in thread: Alan Cox: "Re: Local user can send forged packets"
• Reply: Alan Cox: "Re: Local user can send forged packets"

The advisory did not explain what was the cause of the problem.
(Rant: Why? Will the following explanation help anyone who would not be
able to find out this piece of information himself to abuse the bug?)

As far as I can tell, the problem is this: anyone, including mere mortals,
is allowed to use TIOCSETD. Therefore anyone can set PPP line discipline
on a tty under his control and sent forged datagrams right into the kernel
network subsystem.

I do not believe there is any reason why mortals should ever be allowed to
use TIOCSETD (at least under Linux), therefore adding something like
"if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/
tty_io.c should fix the problem for 2.0 (things are a bit more
complicated in 2.2 but we've already got a fix for 2.2). But remember:
you use it at your own risk, there is no guarantee this patch will not
kill all your family when used improperly.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

• Next message: Marc Heuse: "SuSE Security Announcement - ypserv"
• Previous message: Thejian: "Re: Hotmail security vulnerability (viruses)"
• Next in thread: Alan Cox: "Re: Local user can send forged packets"
• Reply: Alan Cox: "Re: Local user can send forged packets"

This archive was generated by hypermail 2.0b3 on Mon Oct 25 1999 - 14:45:32 CDT