From owner-freebsd-security@FreeBSD.ORG Thu Jul 14 17:04:31 2005
From: Ricardo A Reis <ricardo_bsd@yahoo.com.br>
To: Avleen Vig
Cc: freebsd-security@freebsd.org
Date: Thu, 14 Jul 2005 14:03:52 -0300
Message-ID: <42D69AF8.1000304@yahoo.com.br>
In-Reply-To: <20050714162656.GH11612@silverwraith.com>
Subject: Re: [ronvdaal@zarathustra.linux666.com: Possible security issue with FreeBSD 5.4 jailing and BPF]

I am starting jail + devfs rules in 5.4-STABLE using rc.conf. See the real entry..
------------------
jail_vhosts_rootdir="/usr/jail/vhosts"
jail_vhosts_hostname="vhosts.epm.br"
jail_vhosts_ip="127.0.0.3"
jail_vhosts_exec_start="/bin/sh /etc/rc"
jail_vhosts_exec_stop="/bin/sh /etc/rc.shutdown"
jail_vhosts_devfs_enable="YES"
jail_vhosts_fdescfs_enable="NO"
jail_vhosts_procfs_enable="YES"
jail_vhosts_mount_enable="NO"
jail_vhosts_devfs_ruleset="devfsrules_jail"   ---- "this uses the default devfs rule for best security in a jail environment"
jail_vhosts_fstab=""
----------------------

In the jail I tested your possible issue !!!

vhosts# ifconfig
rl0: flags=8843 mtu 1500
        options=8
        ether 00:08:54:1a:68:b1
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.3 netmask 0xffffffff
pflog0: flags=141 mtu 33208
vhosts# tcpdump -nni rl0
tcpdump: (no devices found) /dev/bpf0: No such file or directory
vhosts# tcpdump -nni lo0
tcpdump: (no devices found) /dev/bpf0: No such file or directory

Regards,

Ricardo A. Reis
UNIFESP - SENAI
Unix and System Admin

>This message was sent to bugtraq today:
>
>
>While playing around with FreeBSD 5.4 and jailing I discovered that it was
>possible to put an ethernet interface into promiscuous mode from within the
>jailed environment, allowing a packetsniffer to gather data not meant for
>the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x
>This can be reproduced on boxes where BPF support is enabled in the kernel
>and a BPF device is available in the jail (badly configured devfs/no rules)
>
>The problem lies within the FreeBSD 5.x BPF kernel code:
>
>"The Berkeley Packet Filter provides a raw interface to data link layers
>in a protocol independent fashion. The function bpfopen() opens an
>Ethernet device. There is a conditional which disallows any jailed
>processes from accessing this function."
>
>This conditional was present in the 4.x series kernels but is missing
>in 5.x and thus allowing free access to bpfopen() from within a jailed
>environment. I think this is related to the changed jailing code between
>these kernels. I don't believe this has been left out on purpose in favor
>of devfs rulesets (...) If not, I'd like to have some comments on this.
>
>
>Example:
>
>jail# uname -a
>FreeBSD jail 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC
>2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>
>The ethernet interface of the host (parent) is not in promiscuous mode.
>The interface of the jailed environment isn't in promiscuous mode either:
>
>jail# ifconfig | grep fxp0
>fxp0: flags=8843 mtu 1500
>
>
>Now starting tcpdump in the jail:
>
>jail# tcpdump -i fxp0
>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
>
>
>Checking the interface again within the jail:
>
>jail# ifconfig | grep fxp0
>fxp0: flags=8943 mtu 1500
>
>The interface is running in promiscuous mode.
>
>
>The host environment shows that the tcpdump process runs in a jail:
>
>root@nietzsche# ps aux|grep tcpdump
>root 50551 0.0 0.9 3784 2248 p4 S+J 8:37PM 0:00.04 tcpdump -i fxp0
>
>The P_JAILED flag is set.
>
>
>Conclusion:
>
>Usage of devfs rulesets is highly recommended as stated in the manpages.
>Though a misconfiguration at this point would expose a big security issue.
>The question is: should bpfopen() in bpf.c check for a jailed proc or not?
>
>
>Grt,
>
>Ron van Daal
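As an added example (not part of the thread or of FreeBSD itself), a POSIX shell audit for the misconfiguration discussed above: it parses rc.conf-style jail_* entries like Ricardo's and flags jails that mount devfs without a ruleset, and it checks a jail's rootdir for bpf nodes, which is what tcpdump inside the jail looks for. The rc.conf excerpt and the jail names are constructed for the example.

```shell
# Constructed rc.conf excerpt modelled on the jail_vhosts_* entries above (not
# from the mail): one jail with a ruleset, one without, one with devfs disabled.
SAMPLE_RC_CONF='
jail_list="vhosts web db"
jail_vhosts_rootdir="/usr/jail/vhosts"
jail_vhosts_devfs_enable="YES"
jail_vhosts_devfs_ruleset="devfsrules_jail"
jail_web_rootdir="/usr/jail/web"
jail_web_devfs_enable="YES"
jail_db_rootdir="/usr/jail/db"
jail_db_devfs_enable="NO"
'

# rc_value CONTENT KEY -> prints the unquoted value of KEY (last one wins), or nothing.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | tail -n 1
}

# audit_jails CONTENT -> one line per jail in jail_list: "<name> <verdict>"
#   no-devfs      devfs not mounted in the jail, so no /dev/bpf* inside it
#   ruleset:<r>   devfs mounted with an explicit ruleset (the default jail rules hide bpf)
#   UNRESTRICTED  devfs mounted with no ruleset: the jail sees the host's full /dev,
#                 including /dev/bpf*, which is the misconfiguration discussed above
audit_jails() {
    for j in $(rc_value "$1" jail_list); do
        enable=$(rc_value "$1" "jail_${j}_devfs_enable")
        ruleset=$(rc_value "$1" "jail_${j}_devfs_ruleset")
        case "$enable" in
            [Yy][Ee][Ss])
                if [ -n "$ruleset" ]; then printf '%s ruleset:%s\n' "$j" "$ruleset"
                else printf '%s UNRESTRICTED\n' "$j"; fi ;;
            *) printf '%s no-devfs\n' "$j" ;;
        esac
    done
}

# unrestricted_jails CONTENT -> space-separated names of jails flagged UNRESTRICTED
unrestricted_jails() {
    audit_jails "$1" | awk '$2 == "UNRESTRICTED" { printf "%s%s", (n++ ? " " : ""), $1 }'
}

# bpf_visible ROOTDIR -> exit 0 if any bpf node exists under ROOTDIR/dev (what tcpdump
# inside that jail would open), else 1. Run on the host against the jail's rootdir.
bpf_visible() {
    for n in "$1"/dev/bpf*; do [ -e "$n" ] && return 0; done
    return 1
}

audit_jails "$SAMPLE_RC_CONF"
```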