Bugtraq mailing list archives
Re: Local user can send forged packets
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Mon, 25 Oct 1999 21:55:06 +0100
> is allowed to use TIOCSETD. Therefore anyone can set PPP line discipline on a tty under his control and send forged datagrams right into the kernel network subsystem.

Yep.

> I do not believe there is any reason why mortals should ever be allowed to use TIOCSETD (at least under Linux), therefore adding something like "if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/

Several daemons drop privilege, you stop them restoring the state and thus expose a new exciting hole. Just copy the 2.2 fix - stop the ldisc open, that enforces what you need.

A related issue by the way is that pppd and other apps must be careful to avoid other users of the tty holding on to the handle, otherwise an attack exists where you may be able to keep access to a tty that is turned slip by another process.

Alan
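Added example, not part of the original message and not kernel code: a user-space C model of the trade-off discussed above, comparing a blanket privilege check under TIOCSETD with a check placed in the line discipline's open routine. The `tty` struct, the `policy` enum and all function names are hypothetical simplifications; only the `N_TTY`, `N_SLIP` and `N_PPP` numbers are the real Linux values.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Line discipline numbers as Linux defines them. */
enum { N_TTY = 0, N_SLIP = 1, N_PPP = 3 };
enum policy { CHECK_IN_TIOCSETD, CHECK_IN_LDISC_OPEN };
struct tty { int ldisc; };              /* model: only the active discipline */

/* Model of a discipline's open routine: refuses unprivileged callers
 * for network disciplines when the check is placed here. */
static int ldisc_open(enum policy p, int ldisc, bool privileged)
{
    bool network = (ldisc == N_SLIP || ldisc == N_PPP);
    return (p == CHECK_IN_LDISC_OPEN && network && !privileged) ? -EPERM : 0;
}

/* Model of the TIOCSETD path: on failure the tty keeps its old discipline. */
int tiocsetd(enum policy p, struct tty *t, int ldisc, bool privileged)
{
    if (p == CHECK_IN_TIOCSETD && !privileged)
        return -EPERM;                  /* blanket check from the quoted proposal */
    int err = ldisc_open(p, ldisc, privileged);
    if (err)
        return err;
    t->ldisc = ldisc;
    return 0;
}

/* Daemon sets N_PPP as root, drops privilege, then restores N_TTY.
 * Returns the discipline the tty is left in. */
int daemon_lifecycle(enum policy p)
{
    struct tty t = { N_TTY };
    tiocsetd(p, &t, N_PPP, true);       /* still privileged */
    tiocsetd(p, &t, N_TTY, false);      /* after dropping privilege */
    return t.ldisc;
}

/* Unprivileged user asks for N_PPP on a tty they control. */
int unprivileged_ppp(enum policy p)
{
    struct tty t = { N_TTY };
    return tiocsetd(p, &t, N_PPP, false);
}

int main(void)
{
    for (int p = CHECK_IN_TIOCSETD; p <= CHECK_IN_LDISC_OPEN; p++)
        printf("policy %d: daemon leaves ldisc %d, user gets %d\n", p, daemon_lifecycle(p), unprivileged_ppp(p));
    return 0;
}
```

In this model both placements refuse the unprivileged N_PPP request, but only the check in the discipline's open routine lets the de-privileged daemon put the tty back to N_TTY.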