[12337] in bugtraq


Re: Local user can send forged packets

daemon@ATHENA.MIT.EDU (Alan Cox)
Tue Oct 26 13:59:03 1999

Content-Type: text
Message-Id:  <E11fr92-0001Vz-00@the-village.bc.nu>
Date:         Mon, 25 Oct 1999 21:55:06 +0100
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To:         peak@ARGO.TROJA.MFF.CUNI.CZ
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991023180558.255.0@bobanek.nowhere.cz> from "Pavel Kankovsky"
              at Oct 23, 99 06:34:56 pm

> is allowed to use TIOCSETD. Therefore anyone can set PPP line discipline
> on a tty under his control and send forged datagrams right into the kernel
> network subsystem.

Yep.

> I do not believe there is any reason why mortals should ever be allowed to
> use TIOCSETD (at least under Linux), therefore adding something like
> "if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/

Several daemons drop privilege; you would stop them restoring the state and thus
expose a new, exciting hole. Just copy the 2.2 fix: stop it in the ldisc open,
which enforces what you need.

A related issue, by the way, is that pppd and other apps must be careful to
avoid other users of the tty holding on to the handle; otherwise an attack
exists where you may be able to keep access to a tty that is turned into SLIP
by another process.

Alan

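The trade-off in Alan's reply (a blanket privilege check inside the TIOCSETD ioctl versus a check in the open hook of the network line disciplines, as done in 2.2) can be made concrete with a small model. The following C program is an added illustration written for this page, not kernel source from any Linux version: the task and tty structs, the suser() stand-in, the ldisc tables, the policy enum and the two scenario functions are all invented for the demonstration. It runs two cases under each policy: an unprivileged user trying to switch a tty to N_PPP, and a pppd-like daemon that sets N_PPP while root, drops privilege, and later needs to put the tty back to N_TTY.

```c
/* Model of where the privilege check for TIOCSETD could live.
 * Added example for this page; names and structures are invented,
 * not taken from the Linux tty layer. */
#include <errno.h>
#include <stdio.h>

#define N_TTY     0
#define N_SLIP    1
#define N_PPP     3
#define NR_LDISCS 4

struct task { int uid; };   /* uid 0 == privileged, standing in for suser() */
struct tty  { int ldisc; };

static int suser(const struct task *t) { return t->uid == 0; }

typedef int (*ldisc_open_fn)(const struct task *, struct tty *);

/* N_TTY is open to everyone. */
static int n_tty_open(const struct task *t, struct tty *tty)
{
    (void)t; (void)tty;
    return 0;
}

/* 2.2-style fix: the network disciplines refuse an unprivileged opener. */
static int net_ldisc_open(const struct task *t, struct tty *tty)
{
    (void)tty;
    if (!suser(t))
        return -EPERM;
    return 0;
}

/* Open hooks with the check inside the discipline (2.2 approach). */
static const ldisc_open_fn ldisc_open_checked[NR_LDISCS] = {
    [N_TTY] = n_tty_open, [N_SLIP] = net_ldisc_open, [N_PPP] = net_ldisc_open,
};
/* Open hooks with no check of their own (the ioctl is expected to gate). */
static const ldisc_open_fn ldisc_open_unchecked[NR_LDISCS] = {
    [N_TTY] = n_tty_open, [N_SLIP] = n_tty_open, [N_PPP] = n_tty_open,
};

enum policy { CHECK_IN_IOCTL, CHECK_IN_LDISC_OPEN };

/* Model of "case TIOCSETD:" in the tty ioctl handler. */
static int tiocsetd(enum policy p, const struct task *t, struct tty *tty, int ldisc)
{
    const ldisc_open_fn *table;
    int err;

    if (ldisc < 0 || ldisc >= NR_LDISCS)
        return -EINVAL;
    if (p == CHECK_IN_IOCTL) {
        if (!suser(t))          /* blanket "if (!suser()) return -EPERM;" */
            return -EPERM;
        table = ldisc_open_unchecked;
    } else {
        table = ldisc_open_checked;
    }
    if (!table[ldisc])
        return -EINVAL;
    err = table[ldisc](t, tty);
    if (err)
        return err;
    tty->ldisc = ldisc;
    return 0;
}

/* Scenario 1: an ordinary user tries to turn a tty they own into PPP. */
int attacker_sets_ppp(enum policy p)
{
    struct task user = { .uid = 1000 };
    struct tty tty = { .ldisc = N_TTY };
    return tiocsetd(p, &user, &tty, N_PPP);
}

/* Scenario 2: a daemon sets N_PPP as root, drops privilege, then must
 * restore N_TTY on shutdown. Returns the error of the restore step. */
int daemon_restores_tty(enum policy p)
{
    struct task daemon = { .uid = 0 };
    struct tty tty = { .ldisc = N_TTY };
    int err = tiocsetd(p, &daemon, &tty, N_PPP);
    if (err)
        return err;
    daemon.uid = 1000;          /* setuid() to an unprivileged account */
    return tiocsetd(p, &daemon, &tty, N_TTY);
}

int main(void)
{
    printf("check in ioctl:      attacker %d, daemon restore %d\n",
           attacker_sets_ppp(CHECK_IN_IOCTL), daemon_restores_tty(CHECK_IN_IOCTL));
    printf("check in ldisc open: attacker %d, daemon restore %d\n",
           attacker_sets_ppp(CHECK_IN_LDISC_OPEN), daemon_restores_tty(CHECK_IN_LDISC_OPEN));
    return 0;
}
```

Both policies stop the attacker, but only the per-discipline check lets the deprivileged daemon hand the tty back to N_TTY; under the blanket ioctl check the restore fails with EPERM and the tty is left in the network discipline, which is the new hole Alan warns about.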