Date: Mon, 17 Jun 2002 01:10:24 -0500 (CDT) From: Rich Neswold <rneswold@ameritech.net> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/39396: firewall security loophole Message-ID: <20020617061024.074F61A9E1@harpo.neswold.local>
>Number: 39396
>Category: kern
>Synopsis: firewall security loophole
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jun 16 23:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Rich Neswold
>Release: FreeBSD 4.5-RC i386
>Organization:
>Environment:
System: FreeBSD harpo.neswold.local 4.5-RC FreeBSD 4.5-RC #1: Sun Jan 27 02:26:46 CST 2002 toor@groucho.neswold.local:/usr/obj/usr/src/sys/HARPO i386
>Description:
If you use the FreeBSD firewall and set your kernel security level to 3 (so that firewall rules cannot be changed), a malicious user that gained root access can still circumvent the firewall by disabling it via kernel variables (i.e. net.inet.ip.fw.enable = 0)
>How-To-Repeat:
>Fix:
The attached diffs change the firewall enable variable to have "secure" semantics.
Index: sys/netinet/ip_fw.c =================================================================== RCS file: /home/FreeBSD/src/sys/netinet/ip_fw.c,v retrieving revision 1.131.2.33 diff -u -w -b -r1.131.2.33 ip_fw.c --- sys/netinet/ip_fw.c 1 May 2002 21:30:05 -0000 1.131.2.33 +++ sys/netinet/ip_fw.c 3 May 2002 16:49:02 -0000 @@ -95,7 +95,7 @@ #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, &fw_enable, 0, "Enable ipfw"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, &fw_one_pass, 0, Index: sys/netinet6/ip6_fw.c =================================================================== RCS file: /home/FreeBSD/src/sys/netinet6/ip6_fw.c,v retrieving revision 1.2.2.9 diff -u -w -b -r1.2.2.9 ip6_fw.c --- sys/netinet6/ip6_fw.c 28 Apr 2002 05:40:27 -0000 1.2.2.9 +++ sys/netinet6/ip6_fw.c 3 May 2002 16:49:05 -0000 
@@ -116,7 +116,7 @@ #ifdef SYSCTL_NODE SYSCTL_DECL(_net_inet6_ip6); SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, enable, CTLFLAG_RW, +SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, &ip6_fw_enable, 0, "Enable ip6fw"); SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, debug, CTLFLAG_RW, &fw6_debug, 0, ""); SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw6_verbose, 0, ""); >Release-Note: >Audit-Trail: >Unformatted:
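Review bot: on the ip_fw.c hunk, CTLFLAG_SECURE refuses sets whenever securelevel is above 0 (that is how the flag is defined in sys/sysctl.h), so net.inet.ip.fw.enable becomes read-only at securelevel 1 and 2 as well, not only at the level 3 the description targets; the commit message and ipfw(8)/security(7) should state that, since an operator who toggles the firewall at securelevel 1 will now get EPERM. The same hunk's context shows one_pass left as plain CTLFLAG_RW; that knob decides whether packets returning from a dummynet pipe or divert socket re-enter the rule set, so root can still change how the locked ruleset is applied through it. Either give it CTLFLAG_RW|CTLFLAG_SECURE too or say in the PR why it is out of scope.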
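Review bot: the ip6_fw.c hunk mirrors the IPv4 change correctly, and leaving debug and verbose as CTLFLAG_RW is fine since they only affect logging, but the PR's How-To-Repeat is empty and the description names only net.inet.ip.fw.enable. Please record the verification steps for both families (raise kern.securelevel, then attempt `sysctl net.inet.ip.fw.enable=0` and `sysctl net.inet6.ip6.fw.enable=0`, expecting "Operation not permitted" after the patch) so the committer can confirm both hunks, and mention the IPv6 knob in the release note so administrators audit it alongside the IPv4 one.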
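The monitoring check a defender would pair with the fix described in this PR, written here as an added example that is not part of the PR or of FreeBSD. It reads the `name: value` text that sysctl(8) prints, so it can be fed a saved snapshot or live output, and reports whether the firewall is still enabled and whether securelevel is high enough for the patched CTLFLAG_SECURE knob to be locked (the flag refuses sets only while securelevel is above 0). The snapshots below are constructed, not captured from any host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PR or of FreeBSD: a defender-side check that
# the ipfw enable knob still reflects the locked configuration. It parses the
# "name: value" lines sysctl(8) prints, so it can be run on a saved snapshot
# (constructed samples below) or on a live host with
#   check_fw_state "$(sysctl kern.securelevel net.inet.ip.fw.enable)"
#
# Return value of check_fw_state:
#   0  firewall enabled and kern.securelevel > 0 (knob locked once CTLFLAG_SECURE is set)
#   1  firewall disabled: the PR's loophole was exercised, or ipfw was never enabled
#   2  firewall enabled but securelevel <= 0: root can still flip net.inet.ip.fw.enable
#   3  snapshot incomplete (a knob is missing, e.g. ipfw not compiled into the kernel)

# sysctl_value SNAPSHOT NAME: print NAME's value from the snapshot, or nothing.
sysctl_value() {
    printf '%s\n' "$1" | awk -v key="$2" -F': ' '$1 == key { print $2; exit }'
}

check_fw_state() {
    snapshot=$1
    securelevel=$(sysctl_value "$snapshot" kern.securelevel)
    fw_enable=$(sysctl_value "$snapshot" net.inet.ip.fw.enable)

    if [ -z "$securelevel" ] || [ -z "$fw_enable" ]; then
        echo "WARN: snapshot lacks kern.securelevel or net.inet.ip.fw.enable"
        return 3
    fi
    if [ "$fw_enable" -ne 1 ]; then
        echo "ALERT: ipfw disabled (net.inet.ip.fw.enable=$fw_enable, securelevel=$securelevel)"
        return 1
    fi
    if [ "$securelevel" -le 0 ]; then
        echo "WARN: ipfw enabled but securelevel=$securelevel; enable knob is writable by root"
        return 2
    fi
    echo "OK: ipfw enabled and securelevel=$securelevel"
    return 0
}

# Constructed sample snapshots (not captured from any real host).
SNAP_LOCKED='kern.securelevel: 3
net.inet.ip.fw.enable: 1'
SNAP_DISABLED='kern.securelevel: 3
net.inet.ip.fw.enable: 0'
SNAP_UNLOCKED='kern.securelevel: -1
net.inet.ip.fw.enable: 1'

for snap in "$SNAP_LOCKED" "$SNAP_DISABLED" "$SNAP_UNLOCKED"; do
    check_fw_state "$snap" || true   # keep going; the verdict is in the message
done
```

Run it from cron and alert on any non-zero return: code 1 is the condition the PR describes (rules locked, firewall switched off underneath them), code 2 means the patched flag has nothing to bite on yet because securelevel was never raised. Before the patch the check still detects the disablement after the fact; it cannot prevent it.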