Subject: Re: ethernet cards & promisc mode
From: Granquist, Lamont (lamont@ICOPYRIGHT.COM)
Date: Fri May 05 2000 - 12:29:50 CDT
- Next message: Blue Boar: "Possible new strain of [CENSORED]"
- Previous message: Michael Wojcik: "Re: ethernet cards & promisc mode"
- In reply to: David LaPorte: "Re: ethernet cards & promisc mode"
- Next in thread: Bluefish: "Re: ethernet cards & promisc mode"
- Next in thread: Dragos Ruiu: "Re: ethernet cards & promisc mode"
- Reply: Granquist, Lamont: "Re: ethernet cards & promisc mode"
- Reply: Bluefish: "Re: ethernet cards & promisc mode"
The capability bounding set will also let you do this. Just read
/usr/include/linux/capabilities.h and cat the appropriate value into
/proc/sys/kernel/cap-bound during your boot sequence.
On Fri, 5 May 2000, David LaPorte wrote:
> The Linux Intrusion Detection System patch (LIDS) seems to allow disabling
> promiscuous mode at the kernel level. I haven't personally tried it, but it
> is listed as a feature:
>
> http://www.lids.org/lids-howto/lids-hacking-howto-8.html#ss8.2
>
> Hope this helps,
>
> Dave LaPorte
>
> -----Original Message-----
> From: VULN-DEV List [mailto:VULN-DEV@SECURITYFOCUS.COM] On Behalf Of
> Granquist, Lamont
> Sent: Thursday, May 04, 2000 4:18 PM
> To: VULN-DEV@SECURITYFOCUS.COM
> Subject: Re: ethernet cards & promisc mode
>
>
> Disabling capabilities (e.g. CAP_KILL CAP_LINUX_IMMUTABLE CAP_NET_ADMIN
> CAP_NET_RAW CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_SYS_ADMIN
> CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_TTY_CONFIG) should go a long way towards
> preventing these kinds of attacks.
>
> On Thu, 4 May 2000, C.J. Oster wrote:
> > I'm fairly sure it's a driver issue, not the card allowing you to do so or
> > not. You could always take the kernel module and turn off its ability to
> > enter promisc mode. You may have to hack the ethernet layer also.
> > Promisc mode just means the driver stops checking its hardware address
> > against the destination address, so I believe that this is a driver issue.
> > You can only enter promisc mode as root anyway, so if an attacker got that
> > far, nothing prevents him from building a working driver and using that.
> > You could force the attacker to build an entire kernel and reboot the
> > machine by building the card driver into the kernel rather than a module,
> > but one can still work around that as well.
> >
> > -CJO-
> >
> > On Wed, 3 May 2000, Security Team wrote:
> >
> > > are there any ethernet cards on the market that work well with Linux, that
> > > don't allow you to go into promisc mode?
> > >
> > >kw
> > >
> > >
> >
> > C.J. Oster (Linux Guru/Surge Addict) cjo@pobox.com
> > ----------------------------------------------------------------------
> > Network Security Manager              Unix System Administrator
> > For BHNet, Bromley Hall               Workstation Services Group/CCSO
> > Hoover and Associates                 University of Illinois at
> > security@bromleygroup.com             Urbana-Champaign
> > (217)355.1132                         (217)265.8427
> > ----------------------------------------------------------------------
> >
> > PGP: 87D5 4216 43A1 42D6 754D 8F5E 24B3 992A B7A1 F556
> >
> > "If builders built buildings like programmers write programs,
> > the first woodpecker that came along would have destroyed
> > civilization." --Murphy
> >
>
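The boot-time cap-bound approach at the top of this message, applied to the capability list in the quoted earlier post, as an added example that is not part of the original thread: a POSIX shell script that derives the bounding-set value with the chosen capabilities cleared and checks whether a given capability is still present in a value read back from /proc/sys/kernel/cap-bound. The header excerpt is constructed in the format of the kernel's capability.h (bit numbers as in the 2.2/2.4 headers) and the function names are my own.

```shell
#!/bin/sh
# Constructed excerpt in the format of the kernel's <linux/capability.h>
# (2.2/2.4 bit numbers); on a real host feed the actual header file instead.
CAP_HEADER='#define CAP_KILL             5
#define CAP_LINUX_IMMUTABLE  9
#define CAP_NET_ADMIN        12
#define CAP_NET_RAW          13
#define CAP_SYS_MODULE       16
#define CAP_SYS_RAWIO        17
#define CAP_SYS_PTRACE       19
#define CAP_SYS_ADMIN        21
#define CAP_SYS_BOOT         22
#define CAP_SYS_TIME         25
#define CAP_SYS_TTY_CONFIG   26'

# cap_number NAME: print the bit number #defined for NAME, nothing if unknown
cap_number() {
    printf '%s\n' "$CAP_HEADER" |
        awk -v n="$1" '$1 == "#define" && $2 == n { print $3; exit }'
}

# cap_bound_value NAME...: the 32-bit bounding set with every named capability
# cleared, as the signed decimal cap-bound shows (all bits set reads as -1)
cap_bound_value() {
    mask=$(( 0xFFFFFFFF ))
    for name in "$@"; do
        bit=$(cap_number "$name")
        [ -n "$bit" ] || { echo "unknown capability: $name" >&2; return 1; }
        mask=$(( mask & ~(1 << bit) & 0xFFFFFFFF ))
    done
    [ "$mask" -lt $(( 0x80000000 )) ] || mask=$(( mask - 0x100000000 ))
    echo "$mask"
}

# cap_allowed VALUE NAME: succeed if NAME is still set in bounding set VALUE
cap_allowed() {
    bit=$(cap_number "$2")
    [ -n "$bit" ] && [ $(( ($1 >> bit) & 1 )) -eq 1 ]
}

# Audit: which of the named capabilities does the running kernel still allow?
cap_bound_audit() {
    [ -r /proc/sys/kernel/cap-bound ] || { echo "no cap-bound sysctl"; return 1; }
    cur=$(cat /proc/sys/kernel/cap-bound)
    for name in "$@"; do
        cap_allowed "$cur" "$name" && echo "$name: still allowed" || echo "$name: removed"
    done
}

echo "boot-time setting: echo $(cap_bound_value CAP_NET_RAW CAP_NET_ADMIN) > /proc/sys/kernel/cap-bound"
```

The global /proc/sys/kernel/cap-bound sysctl exists only on kernels before 2.6.25; later kernels keep a per-process bounding set instead, so the audit function reports its absence rather than a result there.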