[12335] in bugtraq
Re: Local user can send forged packets
daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Mon Oct 25 17:16:09 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <19991023180558.255.0@bobanek.nowhere.cz>
Date: Sat, 23 Oct 1999 18:34:56 +0200
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.9910221033270.30973-100000@vulcan.alphanet.ch>
The advisory did not explain what was the cause of the problem.
(Rant: Why? Will the following explanation help anyone who would not be
able to find out this piece of information himself to abuse the bug?)
As far as I can tell, the problem is this: anyone, including mere mortals,
is allowed to use TIOCSETD. Therefore anyone can set PPP line discipline
on a tty under his control and sent forged datagrams right into the kernel
network subsystem.
I do not believe there is any reason why mortals should ever be allowed to
use TIOCSETD (at least under Linux), therefore adding something like
"if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/
tty_io.c should fix the problem for 2.0 (things are a bit more
complicated in 2.2 but we've already got a fix for 2.2). But remember:
you use it at your own risk, there is no guarantee this patch will not
kill all your family when used improperly.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
