Vulnerability Development mailing list archives

Re: forged packets?


From: rrpermeh () RCONNECT COM (Ryan Permeh)
Date: Mon, 25 Oct 1999 12:37:34 -0500


Root has always been able to spoof IP packets, and I believe that you must be root to run nmap in -D mode. -D mode will send "EXTRA" packets, to mask where you are, but you still need your packets to go in, unless you are decoying as someone on a sniffable segment that you have access to.

This bug is due to world writeable IP device permissions, allowing anyone to write whatever they want to the device. This bug seems to be in the ppp/slip code, since the person who starts the ppp/slip session is listed as owner of the local device and can write directly to it. You do need root access to legitimately "spoof" packets in any normal mode. This can be fixed by using default deny in firewall rules, or patching ppp to have certain limits, as I believe that is what the patches listed at the bottom of the post will do. The reason arbitrary people can spoof packets is due to the fact that arbitrary people can own networking devices, due to how ppp works. Otherwise, you couldn't do this.
Ryan

Kelvin Fu wrote:

All,

Forgive me if I'm asking a stupid question; this issue has been bothering me for quite some time now. Anyhow, here goes.

Marc SCHAEFER recently sent a message titled 'Local user can send forged packets' to bugtraq. I quote:

"
NAME
   user-rawip-attack

ABSTRACT
   Forged packets can be sent out from a Linux system, for example
   for NFS attacks or any other protocol relying on addresses for
   authentication, even when protected from the outside interfaces
   by firewalling rules. Most of the time, existing firewalling
   rules are bypassed. This requires at least a shell account on the
   system.

IMPACT
   Any local user can send any packet to any host from most Linux
   default installations without the use of any permission problem or
   suid flaw. Basically, it corresponds to having write only permissions
   to raw IP socket on the server machine."

AFAIK, a local user (root?) on a Linux system running nmap is able to perform decoy scans with the -D option. This option enables a user to 'spoof' his/her IP address to that of another host, which will result in the spoofed IP appearing to be scanning the victim. If I'm not wrong, doesn't this ability to spoof IP addresses coincide with the 'user-rawip-attack' vulnerability addressed by Marc?

Any further comments or corrections will be greatly appreciated to clear my (maybe others?) doubts.
Thanx in advance

-k
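Ryan's "default deny" mitigation applied at the router the ppp/slip hosts dial into: each interface accepts only the source prefixes that legitimately sit behind it, so a packet a local user writes straight to the ppp device with another host's address is dropped at the first hop. This is an added example, not code from the thread; the interface names, prefixes and sample packets are constructed.

```python
"""Per-interface source-address validation (default deny).
Added example for this thread; all addresses below are constructed."""
import ipaddress

# Constructed topology: source prefixes that may legitimately arrive
# on each router interface. Anything else is forged or misrouted.
ALLOWED_SOURCES = {
    "ppp0": ["198.51.100.7/32"],   # single dial-up host
    "eth0": ["192.0.2.0/24"],      # office LAN
}

def build_rules(allowed=ALLOWED_SOURCES):
    """Compile the prefix table into network objects once."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in allowed.items()}

def verdict(iface, src, rules):
    """Return ("ACCEPT", None) if src lies inside a prefix expected on
    iface, else ("DROP", reason). Unknown interfaces and unparsable
    addresses are denied rather than accepted by accident."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "DROP", f"unparsable source {src!r}"
    prefixes = rules.get(iface)
    if prefixes is None:
        return "DROP", f"no policy for interface {iface}"
    if any(addr in net for net in prefixes):
        return "ACCEPT", None
    return "DROP", f"source {src} not valid on {iface} (possible forgery)"

def filter_packets(packets, rules):
    """Apply verdict() to (iface, src, dst) tuples and return
    (packet, action, reason) entries suitable for a firewall log;
    the DROP entries mentioning forgery are the ones worth alerting on."""
    return [(p, *verdict(p[0], p[1], rules)) for p in packets]

# Constructed sample traffic: the last packet is the dial-up host
# sending with the LAN server's address as source, the case discussed.
SAMPLE = [
    ("ppp0", "198.51.100.7", "192.0.2.20"),
    ("eth0", "192.0.2.15", "203.0.113.9"),
    ("ppp0", "192.0.2.20", "192.0.2.21"),
]

if __name__ == "__main__":
    for pkt, action, reason in filter_packets(SAMPLE, build_rules()):
        print(action, pkt, reason or "")
```

Note that this check has to live upstream of the host whose device permissions are broken; a filter on the compromised host itself is exactly what direct writes to the ppp device bypass.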

