[ Hackerlink ] Linux allows local users to send forged packets

Tue, 2 Nov 1999 01:41:28 -0800 

          Linux allows local users to send forged packets
----------------------------------------------------------------------------
----


SUMMARY

Normal users can send forged packets out of a Linux system - for NFS 
attacks or other protocols relying on IP addresses for authentication - 
even when protected from the outside interfaces by firewalling rules. Most 
of the time, existing firewalling rules are bypassed. This attack requires 
only a shell account on the system.

DETAILS

Although regular users should be able to form raw IP packets under Linux, 
any local user can build and send any packet to any host from most Linux 
systems without needing to exploit a suid flaw. Basically, it corresponds 
to having a 'write only' permissions to raw IP socket on the server 
machine.

You are immune to this problem if one (or more) of the following is true:
 - you do not have local (shell) users

 - SLIP and PPP are not compiled in the kernel and either are not 
available in /lib/modules/* as modules, or are never loaded and 
kerneld/kmod is not available.

 - you use deny-default configuration for your input firewall rules, and 
you don't have accept entries for specific addresses or for unused ppp or 
slip interfaces (and the used ones are never unused or accept rules are 
safely removed at shutdown).

 - you use 2.3.18 with ac6 patch (or higher).

 - you use 2.2.13pre15 (or higher).

Workaround:
 - Make so that SLIP and PPP support are not available

 - Use deny default policy for input firewall, only allow for specific 
address ranges and specific interfaces. For dynamic links (such as SLIP or 
PPP), add an 'accept' rule at link creation time, and remove the entry 
when the link goes down.

Fix:
 - For 2.3.x, install 2.3.18 with the ac6 patch (or higher). Warning, this 
is a DEVELOPMENT kernel.

 - For 2.2.x, install 2.2.13pre15 or higher (e.g. 2.2.13).

 - At this time no fix for 2.0.x is available. Please apply the above 
mentioned workarounds.


ADDITIONAL INFORMATION

This vulnerability and fix information was provided by:  
<mailto:[EMAIL PROTECTED]> Marc SCHAEFER.



======================================== 

-------
AFLHI 058009990407128029/089802---(102598//991024)


    milis ini didukung oleh :
 >> http://www.indolinux.com - dunia linux indonesia
 -------------------------------------------------------------------
 untuk berhenti kirim  email  ke  [EMAIL PROTECTED]
 untuk melihat peraturan kirim email  ke  [EMAIL PROTECTED]
 arsip berada di  http://www.mail-archive.com/[email protected]

Kirim email ke