Vulnerability Development mailing list archives
Re: forged packets?
From: rrpermeh () RCONNECT COM (Ryan Permeh)
Date: Mon, 25 Oct 1999 12:37:34 -0500
Root has always been able to spoof IP packets, and I believe that you must be root to run nmap in -D mode. -D mode will send "EXTRA" packets, to mask where you are, but you still need your packets to go in, unless you are decoying as someone on a sniffable segment that you have access to.

This bug is due to world writeable IP device permissions, allowing anyone to write whatever they want to the device. This bug seems to be in the ppp/slip code, since the person who starts the ppp/slip session is listed as owner of the local device and can write directly to it. You do need root access to legitimately "spoof" packets in any normal mode. This can be fixed by using default deny in firewall rules, or patching ppp to have certain limits, as I believe that is what the patches listed at the bottom of the post will do.

The reason arbitrary people can spoof packets is due to the fact that arbitrary people can own networking devices, due to how ppp works. Otherwise, you couldn't do this.

Ryan

Kelvin Fu wrote:
All, forgive me if I'm asking a stupid question; this issue has been bothering me for quite some time now. Anyhow, here goes. Marc SCHAEFER recently sent a message titled 'Local user can send forged packets' to bugtraq. I quote:

"NAME user-rawip-attack

ABSTRACT Forged packets can be sent out from a Linux system, for example for NFS attacks or any other protocol relying on addresses for authentication, even when protected from the outside interfaces by firewalling rules. Most of the time, existing firewalling rules are bypassed. This requires at least a shell account on the system.

IMPACT Any local user can send any packet to any host from most Linux default installations without the use of any permission problem or suid flaw. Basically, it corresponds to having write-only permissions to a raw IP socket on the server machine."

AFAIK, a local user (root?) on a Linux system running nmap is able to perform decoy scans with the -D option. This option enables a user to 'spoof' his/her IP address to that of another host, which will result in the spoofed IP appearing to be scanning the victim. If I'm not wrong, doesn't this ability to spoof IP addresses coincide with the 'user-rawip-attack' vulnerability addressed by Marc? Any further comments or corrections will be greatly appreciated to clear my (maybe others'?) doubts.

Thanx in advance
-k
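The "default deny in firewall rules" mitigation Ryan mentions, modeled as an added example that is not from either post: an egress filter lets a packet leave an interface only if its source address is one actually configured on that interface, so a packet written with a decoy or foreign source address through the ppp device is dropped. Interface names and addresses below are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed configuration: interface name -> addresses assigned to this host.
# These values are examples, not taken from the original thread.
LOCAL_ADDRS: Dict[str, List[str]] = {
    "eth0": ["192.0.2.10"],
    "ppp0": ["198.51.100.7"],
}

Packet = Tuple[str, str, str]  # (outgoing interface, source IP, destination IP)


def egress_allowed(iface: str, src: str, local: Dict[str, List[str]] = LOCAL_ADDRS) -> bool:
    """Default-deny egress check.

    A packet may leave `iface` only if its source address is one configured on
    that interface. Unknown interfaces, unassigned addresses and malformed
    sources are all denied, so there is no implicit allow path.
    """
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: deny
    return any(src_ip == ipaddress.ip_address(a) for a in local.get(iface, []))


def filter_packets(packets: Iterable[Packet],
                   local: Dict[str, List[str]] = LOCAL_ADDRS) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (allowed, dropped) according to egress_allowed()."""
    allowed: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        iface, src, _dst = pkt
        (allowed if egress_allowed(iface, src, local) else dropped).append(pkt)
    return allowed, dropped


# Constructed sample traffic: a normal packet on eth0, a packet written through
# ppp0 carrying another host's address as its source, a legitimate ppp0 packet,
# and a packet with a malformed source.
SAMPLE: List[Packet] = [
    ("eth0", "192.0.2.10", "203.0.113.5"),
    ("ppp0", "192.0.2.99", "203.0.113.5"),
    ("ppp0", "198.51.100.7", "203.0.113.5"),
    ("eth0", "not-an-ip", "203.0.113.5"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("allowed:", ok)
    print("dropped:", bad)
```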