Date: Mon, 16 Jul 2001 19:33:01 +0200 (CEST) From: Pierre Beyssac <pb@fasterix.freenix.org> To: FreeBSD-gnats-submit@freebsd.org Subject: bin/29026: traceroute -s option allows IP spoofing for non-root Message-ID: <200107161733.f6GHX1Z17088@fasterix.frmug.org>
next in thread | raw e-mail | index | archive | help
>Number: 29026
>Category: bin
>Synopsis: traceroute -s option allows any IP address
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 16 10:40:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Pierre Beyssac
>Release: FreeBSD 2, 3, 4, 5
>Organization:
individual
>Environment:
traceroute -s option doesn't check that the provided source address
exists on the host, even when not running as root.
I believe this used to be checked by the bind() call below, but
this code is not activated anymore and has not been for a long
time, and even reactivating it doesn't seem to fix the problem.
This has been broken since FreeBSD 2.2.6 at least (oldest release
I have access to).
I'll be working on a fix unless someone beats me to it.
#ifndef IP_HDRINCL
if (bind(sndsock, (struct sockaddr *)&from, sizeof(from)) < 0) {
Fprintf(stderr, "%s: bind: %s\n",
prog, strerror(errno));
exit (1);
}
#endif
Pierre
>Description:
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107161733.f6GHX1Z17088>