From owner-freebsd-security Wed Jan 31 00:27:00 1996
Return-Path: owner-security
Date: Tue, 30 Jan 1996 15:18:21 -0800 (PST)
From: "Aleph's K-Rad GECOS Field"
To: linux-security@tarsier.cv.nrao.edu
cc: linux-alert@tarsier.cv.nrao.edu, bugtraq@crimelab.com, best-of-security@suburbia.net
Subject: BoS: bind() Security Problems
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Reply-To: nobody@mail.uu.net
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

System Call:                bind()

Affected Operating System:  Linux, SunOS, FreeBSD, BSDI, Ultrix.
                            Probably others.

Requirement:                account on system.

Security Compromise:        Stealing packets from nfsd, yppasswd, ircd, etc.

Credits:                    *Hobbit*
                            bitblt
                            Aleph One

Synopsis:

bind() does not properly check to make sure there is not a socket already
bound to INADDR_ANY on the same port when binding to a specific address.
On most systems, a combination of setting the SO_REUSEADDR socket option
and a call to bind() allows any process to bind to a port to which a
previous process has bound with INADDR_ANY. This allows a user to bind to
the specific address of a server bound to INADDR_ANY on an unprivileged
port, and steal its udp packets/tcp connection.

Exploit:

Download and compile netcat from ftp://ftp.avian.org/src/hacks/nc100.tgz

Make sure an nfs server is running:

    w00p% netstat -a | grep 2049
    udp        0      0  *.2049                 *.*                    LISTEN

Run netcat:

    w00p% nc -v -v -u -s 192.88.209.5 -p 2049
    listening on [192.88.209.5] 2049 ...

Wait for packets to arrive.

Fix:

Linux: A patch has been sent to Linus and Alan Cox. It should be included
with 1.3.60. My original patch (included below) allows for binds from the
same uid, as some virtual hosting software like modified httpds and ftpds
may break otherwise. Alan didn't like this, so all binds to the same port
will not be allowed in newer kernels. You should be able to easily adapt
this patch or Alan's patch to 1.2.13 without much trouble.

Others: Pray to your vendors.
--- begin patch --- diff -u --recursive --new-file linux-1.3.57/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c --- linux-1.3.57/net/ipv4/af_inet.c Mon Dec 25 20:03:01 1995 +++ linux/net/ipv4/af_inet.c Tue Jan 16 19:46:28 1996 @@ -46,6 +46,8 @@ * Germano Caronni : Assorted small races. * Alan Cox : sendmsg/recvmsg basic support. * Alan Cox : Only sendmsg/recvmsg now supported. + * Aleph One : Rogue processes could steal packets + * from processes bound to INADDR_ANY. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -899,6 +901,12 @@ if (sk2->num != snum) continue; /* more than one */ + if ((sk2->rcv_saddr == 0 || sk->rcv_saddr == 0) && + current->euid != sk2->socket->inode->i_uid) + { + sti(); + return(-EADDRINUSE); + } if (sk2->rcv_saddr != sk->rcv_saddr) continue; /* socket per slot ! -FB */ if (!sk2->reuse || sk2->state==TCP_LISTEN) Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
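Review bot: in the @@ -899 hunk the new check dereferences sk2->socket->inode->i_uid without first testing that sk2->socket (and its inode) is non-NULL; a socket with no attached BSD socket structure would fault here, so a guard such as `sk2->socket && sk2->socket->inode` ahead of the uid comparison would be safer. The uid comparison also makes the rejection apply only between different users: two processes under the same euid can still bind a specific address over the other's INADDR_ANY socket, which is exactly the exception the cover text says Alan Cox rejected, and root is not special-cased either way. Placement is right, though: the check fires before `if (sk2->rcv_saddr != sk->rcv_saddr) continue;`, the line that previously let a specific-address bind slide past an INADDR_ANY socket without ever consulting sk2->reuse; a one-line comment saying so would help the next reader.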
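The following is an added example and is not part of Aleph One's post or of the Linux source. It models the bind() conflict loop from the Synopsis in userland so the two behaviours can be compared side by side: under the original rule an address mismatch (INADDR_ANY versus a specific address) is simply skipped, so the second bind goes through; under the posted patch a wildcard on either side plus a different uid yields EADDRINUSE, while the same uid is still allowed (the author's virtual-hosting exception). The kernel lines after the visible hunk are not on the page, so the rule that both sockets must carry SO_REUSEADDR and the existing one must not be listening is an assumption stated in the code. probe_loopback() is a self-check for the host you run it on: it binds one UDP socket to INADDR_ANY and then tries a second, SO_REUSEADDR socket on 127.0.0.1 with the same port. All names (bound_sock, bind_conflict, probe_loopback, the port 47011) are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Which version of the af_inet.c conflict loop to model. */
enum { RULE_ORIGINAL = 0, RULE_PATCHED = 1 };

/* One bound (or requested) socket, reduced to the fields the kernel loop
 * in the post consults. Constructed for this example. */
struct bound_sock {
    unsigned short port;      /* local port, host byte order (sk->num) */
    unsigned int   addr;      /* local address; 0 means INADDR_ANY (rcv_saddr) */
    unsigned int   uid;       /* owning uid (socket->inode->i_uid) */
    int            reuse;     /* SO_REUSEADDR set (sk->reuse) */
    int            listening; /* socket is in TCP_LISTEN */
};

/* Model of one iteration of the bind() conflict loop: does the request
 * `req` collide with the already-bound socket `cur`?  Returns 1 for
 * EADDRINUSE, 0 when the bind may proceed.  The tail of the loop is not
 * on the page; the assumption here is the usual BSD rule that both
 * sockets need SO_REUSEADDR and the existing one must not be listening. */
int bind_conflict(const struct bound_sock *cur, const struct bound_sock *req, int rule)
{
    if (cur->port != req->port)
        return 0;                         /* different port: unrelated */
    if (rule == RULE_PATCHED &&
        (cur->addr == 0 || req->addr == 0) && req->uid != cur->uid)
        return 1;                         /* posted patch: wildcard vs another user */
    if (cur->addr != req->addr)
        return 0;                         /* original code: any address mismatch passes,
                                             INADDR_ANY vs a specific address included */
    if (!cur->reuse || !req->reuse || cur->listening)
        return 1;                         /* assumed tail of the loop */
    return 0;
}

/* Live check on this host: bind one UDP socket to INADDR_ANY:port, then try
 * a second socket, with SO_REUSEADDR, on 127.0.0.1:port.  Both sockets
 * belong to this process, so only the same-uid case is exercised.
 * Returns 1 if the second bind succeeds, 0 if it fails with EADDRINUSE,
 * -1 if the probe could not be set up (port busy, no sockets, ...). */
int probe_loopback(unsigned short port)
{
    int a = socket(AF_INET, SOCK_DGRAM, 0);
    int b = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in any, lo;
    int one = 1, result = -1;

    if (a < 0 || b < 0)
        goto out;
    memset(&any, 0, sizeof any);
    any.sin_family = AF_INET;
    any.sin_port = htons(port);
    any.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(a, (struct sockaddr *)&any, sizeof any) < 0)
        goto out;                         /* port already taken: cannot judge */

    memset(&lo, 0, sizeof lo);
    lo.sin_family = AF_INET;
    lo.sin_port = htons(port);
    lo.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    setsockopt(b, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(b, (struct sockaddr *)&lo, sizeof lo) == 0)
        result = 1;
    else if (errno == EADDRINUSE)
        result = 0;
out:
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return result;
}

int main(void)
{
    /* nfsd as root on *.2049; a rogue uid-1000 socket on 192.88.209.5:2049 */
    struct bound_sock nfsd  = { 2049, 0,           0,    0, 0 };
    struct bound_sock rogue = { 2049, 0xC058D105u, 1000, 1, 0 };
    int r;

    printf("original rule: rogue bind %s\n",
           bind_conflict(&nfsd, &rogue, RULE_ORIGINAL) ? "refused" : "ALLOWED");
    printf("patched rule:  rogue bind %s\n",
           bind_conflict(&nfsd, &rogue, RULE_PATCHED) ? "refused" : "ALLOWED");
    r = probe_loopback(47011);
    printf("this kernel, same uid: %s\n",
           r < 0 ? "probe could not run"
                 : r ? "specific bind over INADDR_ANY allowed" : "refused (EADDRINUSE)");
    return 0;
}
```

The loopback probe is informational only: modern kernels apply different SO_REUSEADDR and SO_REUSEPORT rules than the 1.3 code, and because both sockets are owned by one process it can only show the same-uid case. The deterministic part is bind_conflict(), which is what the comparison between the original loop and the patch rests on.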