[13111] in bugtraq
Re: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)
daemon@ATHENA.MIT.EDU (Yuri Kuzmenko)
Mon Dec 27 18:24:09 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9912272114040.1607-100000@cs.liga.kiev.ua>
Date: Mon, 27 Dec 1999 21:31:15 +0200
Reply-To: Yuri Kuzmenko <yuri@CS.LIGA.KIEV.UA>
From: Yuri Kuzmenko <yuri@CS.LIGA.KIEV.UA>
X-To: Noam Rathaus <noamr@securiteam.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <003d01bf509c$286fd080$0600a8c0@noambs>
Hi!
Non-root users can change the SPEED of a shaped interface. I.e., a usual user
can run "shapecfg speed shaper0 XXX" with a successful result. In my case a
non-root user increases the speed of the shaped interface to my proxy server. Yep,
there is NO suid bit on `which shapecfg`. It has 0755 permissions.
All of this means that the traffic shaper is insecure because it can be
configured by any user with a shell account.
The second bug is this:
Documentation/networking/shaper.txt:
o The shaper must be a module
But the traffic shaper in "make menuconfig" can be compiled into the kernel.
So a shaper which is compiled into the kernel simply does not work. Next, I
compiled the shaper module "on the fly" and insmod'ed it (the shaper was compiled into the
kernel at this moment). Then I configured the shaped interface and the kernel
failed in the "swapper" process after the first use of this interface (a simple
ping).
Maybe the second bug is not a shaper issue, but "make menuconfig" should be
fixed.
// Yuri Kuzmenko, system administrator
// LIGA ONLINE - http://www.liga.kiev.ua
On Mon, 27 Dec 1999, Noam Rathaus wrote:
> Hi,
>
> Can you explain better this vulnerability?
>
> You are very vague (unclear) on what this security vulnerability consists
> of?
>
> What do you mean a non-root user can configure traffic shaper?
>
> How is this done? What does the 'make menuconfig' have to do with it?
>
> What do you mean by: "So, result is kernel trap when first use of shaped
> interface."?
>
> Thanks for the additional information.
> Noam Rathaus
> http://www.SecuriTeam.com
>
> ----- Original Message -----
> From: Yuri Kuzmenko <yuri@CS.LIGA.KIEV.UA>
> To: <BUGTRAQ@SECURITYFOCUS.COM>
> Sent: Friday, December 24, 1999 11:33 AM
> Subject: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)
>
>
> > // Yuri Kuzmenko, system administrator
> > // LIGA ONLINE - http://www.liga.kiev.ua
> >
> > ---------- Forwarded message ----------
> > Date: Thu, 23 Dec 1999 19:49:11 +0200 (EET)
> > From: Yuri Kuzmenko <yuri@cs.liga.kiev.ua>
> > To: linux-kernel@vger.rutgers.edu
> > Subject: BUG? Non-root user can configure traffic shaper (2.2.13)
> >
> > Hi!
> >
> > Standard traffic shaper in 2.2.13 kernel is a very simple and cool thing.
> >
> > But the speed of a shaped device is successfully configured by a non-root user.
> > This is very bad...
> >
> > Also, traffic shaper works correctly only when it's compiled as a module.
> > But I can select in "make menuconfig" to compile shaper into kernel
> > (2.2.13). So, result is kernel trap when first use of shaped interface.
> >
> > // Yuri Kuzmenko, system administrator
> > // LIGA ONLINE - http://www.liga.kiev.ua
> >
>