From owner-freebsd-bugs Tue Sep 10 11:40:03 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA05058 for bugs-outgoing; Tue, 10 Sep 1996 11:40:03 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA05040; Tue, 10 Sep 1996 11:40:01 -0700 (PDT)
Resent-Date: Tue, 10 Sep 1996 11:40:01 -0700 (PDT)
Resent-Message-Id: <199609101840.LAA05040@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, karl@Codebase.mcs.net
Received: from Codebase.mcs.net (codebase.mcs.net [192.160.127.89]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA04938 for ; Tue, 10 Sep 1996 11:39:18 -0700 (PDT)
Received: (from root@localhost) by Codebase.mcs.net (8.7.5/8.6.12) id NAA17069; Tue, 10 Sep 1996 13:39:17 -0500 (CDT)
Message-Id: <199609101839.NAA17069@Codebase.mcs.net>
Date: Tue, 10 Sep 1996 13:39:17 -0500 (CDT)
From: Karl
Reply-To: karl@Codebase.mcs.net
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1596: Security problem with routed - patch to fix
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1596
>Category: bin
>Synopsis: routed allows writing to any system file
>Confidential: Yes
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 10 11:40:00 PDT 1996
>Last-Modified:
>Originator: Karl
>Organization: MCSNet
>Release: FreeBSD 2.2-CURRENT i386
>Environment:

Any user operating routed

>Description:

Any user anywhere on the Internet can potentially write to any file on the system as root through the use of the RIP TRACE facility

>How-To-Repeat:

Send UDP packet containing RIP TRACE request with the requested filename.

>Fix:

The following diff removes the RIP TRACE facility unless the define "INSECURE" is present at the time of the build.
There is no known way to safely permit this trace activity to take place.

MCSNet was not the originator of discovery for this problem.

Index: input.c =================================================================== RCS file: /usr/cvs/src/usr.sbin/routed/input.c,v retrieving revision 1.4 diff -r1.4 input.c 288a289 > #ifdef INSECURE 310c311 < --- > #endif

--
Karl Denninger karl@mcs.net

>Audit-Trail:
>Unformatted:
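
Review bot: The `#ifdef INSECURE` added at 288a289 and the `#endif` placed at 310c311 compile a block of input.c out without putting anything in its place, and because this is a plain `diff -r1.4` with no context lines, the guarded code is not visible for review and the line offsets only apply cleanly to revision 1.4. Please resend as a context or unified diff so the reviewer can confirm that the guard covers exactly the RIP TRACE handling and nothing else, and consider an `#else` branch that logs and drops the request so that a build without INSECURE records attempts instead of ignoring them silently. The 310c311 hunk also replaces a blank line with `#endif` rather than appending after it, which is harmless but changes spacing. Since the report states there is no known safe way to permit tracing, the INSECURE define should be documented where the build options are described, or the code removed outright instead of left selectable.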