Date: Sun, 8 Sep 1996 06:40:01 -0700 (PDT)
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-bugs
Subject: Re: bin/1581: Traceroute SECURITY PROBLEM -- PRIORITY 1
Message-ID: <199609081340.GAA01137@freefall.freebsd.org>

The following reply was made to PR bin/1581; it has been noted by GNATS.

From: roberto@keltia.freenix.fr (Ollivier Robert)
To: karl@Codebase.mcs.net
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/1581: Traceroute SECURITY PROBLEM -- PRIORITY 1
Date: Sun, 8 Sep 1996 15:33:16 +0200

According to Karl:
> Diff enclosed fixes problem.  Two things are done:
> 1) strcpys replaced with strncpys specifying length
> 2) SUID privileges relinquished once socket is acquired; they
>    are no longer necessary.

While I agree with the strcpy -> strncpy changes, you should note that
privileges are relinquished for a long time...

#ifndef lint
static char *rcsid =
    "@(#)$Header: /spare/FreeBSD-current/src/usr.sbin/traceroute/traceroute.c,v 1.10 1996/08/21 05:59:19 peter Exp $ (LBL)";
#endif

[...line 299...]
        /*
         * Do the setuid-required stuff first, then lose privileges ASAP.
         * Do error checking for these two calls where they appeared in
         * the original code.
         */
        pe = getprotobyname("icmp");
        if (pe) {
                if ((s = socket(AF_INET, SOCK_RAW, pe->p_proto)) < 0)
                        sockerrno = errno;
                else if ((sndsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
                        sockerrno = errno;
        }

        setuid(getuid());
[...]

So the attack can't be used for getting root priv.

-- 
Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #21: Sun Sep  8 14:35:00 MET DST 1996
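
The ordering in the quoted traceroute.c fragment (open the raw socket while still set-uid root, save errno, drop to the real uid, and only then report errors or touch user input), written out as a stand-alone C program. This is an added example, not code from the FreeBSD tree or from either poster: the function names acquire_raw_socket and drop_privileges are hypothetical, IPPROTO_ICMP stands in for the getprotobyname("icmp") lookup, and unlike the fragment it checks the result of the drop.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

static int sockerrno;   /* errno saved from the privileged call, reported later */

/* Privileged step: must run while the effective uid is still root. */
int acquire_raw_socket(void)
{
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s < 0)
        sockerrno = errno;      /* defer the error message until after the drop */
    return s;
}

/* Permanently give up set-uid/set-gid privileges. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)      /* group first, while still privileged */
        return -1;
    if (setuid(ruid) != 0)      /* as root this also resets the saved set-user-ID */
        return -1;
    if (ruid != 0 && setuid(0) == 0)    /* root must not be recoverable */
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(void)
{
    int s = acquire_raw_socket();
    if (drop_privileges() != 0) {
        fprintf(stderr, "cannot drop privileges\n");
        return 1;               /* never parse input while still privileged */
    }
    if (s < 0) {
        errno = sockerrno;
        perror("icmp socket");
        return 1;
    }
    /* argument parsing and hostname copies would start here, unprivileged */
    close(s);
    return 0;
}
```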