From owner-freebsd-bugs Sun Jun 16 23:20:12 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 6A94737B423 for ; Sun, 16 Jun 2002 23:20:01 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g5H6K1W42583; Sun, 16 Jun 2002 23:20:01 -0700 (PDT) (envelope-from gnats)
Received: from mailhost.chi1.ameritech.net (mailhost1-chcgil.chcgil.ameritech.net [206.141.192.67]) by hub.freebsd.org (Postfix) with ESMTP id 3E7FF37B439 for ; Sun, 16 Jun 2002 23:10:29 -0700 (PDT)
Received: from harpo.neswold.local ([67.36.186.192]) by mailhost.chi1.ameritech.net (InterMail vM.4.01.02.17 201-229-119) with ESMTP id <20020617061025.KCBG9337.mailhost.chi1.ameritech.net@harpo.neswold.local> for ; Mon, 17 Jun 2002 01:10:25 -0500
Received: by harpo.neswold.local (Postfix, from userid 1000) id 074F61A9E1; Mon, 17 Jun 2002 01:10:24 -0500 (CDT)
Message-Id: <20020617061024.074F61A9E1@harpo.neswold.local>
Date: Mon, 17 Jun 2002 01:10:24 -0500 (CDT)
From: Rich Neswold
Reply-To: Rich Neswold
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/39396: firewall security loophole
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         39396
>Category:       kern
>Synopsis:       firewall security loophole
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 16 23:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Rich Neswold
>Release:        FreeBSD 4.5-RC i386
>Organization:
>Environment:
System: FreeBSD harpo.neswold.local 4.5-RC FreeBSD 4.5-RC #1: Sun Jan 27 02:26:46 CST 2002 toor@groucho.neswold.local:/usr/obj/usr/src/sys/HARPO i386
>Description:
If you use the FreeBSD firewall and set your kernel security level to 3 (so that firewall rules cannot be changed), a malicious user who has gained root access can still circumvent the firewall by disabling it via kernel variables (i.e. net.inet.ip.fw.enable = 0).
>How-To-Repeat:
>Fix:
The attached diffs change the firewall enable variable to have "secure" semantics.

Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /home/FreeBSD/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.33
diff -u -w -b -r1.131.2.33 ip_fw.c
--- sys/netinet/ip_fw.c	1 May 2002 21:30:05 -0000	1.131.2.33
+++ sys/netinet/ip_fw.c	3 May 2002 16:49:02 -0000
@@ -95,7 +95,7 @@ #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, &fw_enable, 0, "Enable ipfw"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, &fw_one_pass, 0, Index: sys/netinet6/ip6_fw.c =================================================================== RCS file: /home/FreeBSD/src/sys/netinet6/ip6_fw.c,v retrieving revision 1.2.2.9 diff -u -w -b -r1.2.2.9 ip6_fw.c --- sys/netinet6/ip6_fw.c 28 Apr 2002 05:40:27 -0000 1.2.2.9 +++ sys/netinet6/ip6_fw.c 3 May 2002 16:49:05 -0000 @@ -116,7 +116,7 @@ #ifdef SYSCTL_NODE SYSCTL_DECL(_net_inet6_ip6); SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, enable, CTLFLAG_RW, +SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, &ip6_fw_enable, 0, "Enable ip6fw"); SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, debug, CTLFLAG_RW, &fw6_debug, 0, ""); SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw6_verbose, 0, ""); >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
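Review bot: the ip_fw.c hunk is one context line short: its header `@@ -95,7 +95,7 @@` promises seven old-side lines, but only six follow (`#ifdef SYSCTL_NODE` through `&fw_one_pass, 0,`), so the hunk ends mid-statement and patch(1) will reject it. Please resend the complete diff, and generate it without `-w -b`: ignoring whitespace in a one-line change to a flag word hides nothing useful and makes the hunk harder to apply cleanly.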
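Review bot: the threshold that `CTLFLAG_SECURE` enforces is stricter than the one the PR is protecting, and both `enable` lines (ip_fw.c and ip6_fw.c) inherit that. In the 4.x sysctl layer a write to a `CTLFLAG_SECURE` oid is refused whenever kern.securelevel is above 0, whereas ipfw refuses rule changes only at securelevel 3. After this change an administrator at securelevel 1 or 2 can still edit rules but can no longer toggle net.inet.ip.fw.enable or net.inet6.ip6.fw.enable without rebooting; the description only claims level 3. Either state that wider effect in the PR and commit log, or say explicitly that locking the knob from level 1 up is the intended policy.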
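The gap the PR describes, and what flipping the flag word buys, as a user-space model written for this page (it is not FreeBSD kernel code and not the submitter's patch): it encodes the two FreeBSD 4.x securelevel checks from memory, the sysctl write gate that refuses a CTLFLAG_SECURE oid at securelevel > 0 and the ip_fw_ctl() gate that refuses rule changes at securelevel >= 3, then replays "root sets net.inet.ip.fw.enable = 0" at every securelevel with the oid flagged as before and as after the patch. The function names sysctl_set_int, ipfw_change_rules and firewall_bypassed and the struct oid are this model's own assumptions.

```c
/*
 * User-space model of the securelevel gates involved in kern/39396.
 * Illustration code written for this page, not FreeBSD kernel code.
 * The two thresholds mirror FreeBSD 4.x:
 *   - sysctl_root() refuses a write to an oid flagged CTLFLAG_SECURE
 *     whenever kern.securelevel > 0;
 *   - ip_fw_ctl() refuses rule-changing socket options (IP_FW_ADD, ...)
 *     whenever kern.securelevel >= 3.
 * Function and struct names below are this model's own, not kernel symbols.
 */
#include <errno.h>
#include <stdio.h>

#define CTLFLAG_RW     0xC0000000u  /* CTLFLAG_RD | CTLFLAG_WR */
#define CTLFLAG_SECURE 0x08000000u  /* permit set only if securelevel <= 0 */

/* Minimal stand-in for a sysctl oid: its flags and the integer it exports. */
struct oid {
    const char *name;
    unsigned int flags;
    int *var;
};

/* Model of the sysctl_root() write gate: EPERM on refusal, 0 on success. */
static int sysctl_set_int(const struct oid *o, int value, int securelevel)
{
    if ((o->flags & CTLFLAG_SECURE) && securelevel > 0)
        return EPERM;
    *o->var = value;
    return 0;
}

/* Model of the ip_fw_ctl() gate for rule-changing socket options. */
static int ipfw_change_rules(int securelevel)
{
    return securelevel >= 3 ? EPERM : 0;
}

/*
 * Replay the PR's attack at a given securelevel: root writes
 * net.inet.ip.fw.enable = 0.  enable_flags is the oid's flag word before
 * the patch (CTLFLAG_RW) or after it (CTLFLAG_RW | CTLFLAG_SECURE).
 * Returns 1 if the firewall ends up disabled, 0 if the write was refused.
 */
static int firewall_bypassed(int securelevel, unsigned int enable_flags)
{
    int fw_enable = 1;  /* firewall on, as at boot with ipfw configured */
    struct oid enable_oid = { "net.inet.ip.fw.enable", enable_flags, &fw_enable };

    (void)sysctl_set_int(&enable_oid, 0, securelevel);
    return fw_enable == 0;
}

int main(void)
{
    int lvl;

    puts("securelevel  rules     disable (RW)  disable (RW|SECURE)");
    for (lvl = 0; lvl <= 3; lvl++)
        printf("%-12d %-9s %-13s %s\n", lvl,
               ipfw_change_rules(lvl) == EPERM ? "locked" : "editable",
               firewall_bypassed(lvl, CTLFLAG_RW) ? "succeeds" : "refused",
               firewall_bypassed(lvl, CTLFLAG_RW | CTLFLAG_SECURE) ? "succeeds" : "refused");
    return 0;
}
```

The securelevel 3 row is the loophole itself: rules are locked, yet the unpatched knob still accepts the write. The securelevel 1 and 2 rows show the side effect of the patch: the knob is already refused there while rules remain editable, because the sysctl gate and the ipfw rule gate use different thresholds.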