Vulnerability Development mailing list archives

Re: ethernet cards & promisc mode


From: dr () DURSEC COM (Dragos Ruiu)
Date: Thu, 4 May 2000 23:02:53 -0700


Disabling promiscuous mode.

I've only ever done it on the linux Tulip and 3c905 drivers with Mr. Becker's
ubiquitous code, but it's pretty straightforward to disable promiscuous mode
on those drivers, YMMV.  (From memory, I think there was only one spot in the
code you had to modify.) The next step would be to build a kernel without
module support, a good security move in any case IMHO.  Unfortunately, in linux
there are some drivers that will only work as modules - I got bit by one once
and I don't even remember what it was but I think that's fairly rare and who
knows, maybe those have been fixed. I think having to reboot and replacing the
kernel adds a significant level of complexity to exploits, but I would love to
hear evidence to the contrary.

cheers,
--dr

I'm busy up with our conference next week, but I can probably dig up some old
patches after next week if someone is interested.

On Thu, 04 May 2000, Granquist, Lamont wrote:
Disabling capabilities (e.g. CAP_KILL CAP_LINUX_IMMUTABLE CAP_NET_ADMIN
CAP_NET_RAW CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_SYS_ADMIN
CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_TTY_CONFIG) should go a long way towards
preventing these kinds of attacks.

On Thu, 4 May 2000, C.J. Oster wrote:
I'm fairly sure it's a driver issue, not the card allowing you to do so or
not.  You could always take the kernel module and turn off its ability to
enter promisc mode.  You may have to hack the ethernet layer also.
Promisc mode just means the driver stops checking its hardware address
against the destination address, so I believe that this is a driver issue.
You can only enter promisc mode as root anyway, so if an attacker got that
far, nothing prevents him from building a working driver and using that.
You could force the attacker to build an entire kernel and reboot the
machine by building the card driver into the kernel rather than a module,
but one can still work around that as well.

On Wed, 3 May 2000, Security Team wrote:

are there any ethernet cards on the market that work well with linux, that
don't allow you to go into promisc mode?

--
dursec.com / kyx.net - we're from the future                      http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver

Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld,
 Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD
   Lance Spitzner/Sun, Fyodor Yarochkin/KALUG, Max Vision/whitehats.com
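
An added example, not part of the original thread or any poster's code: a small audit that reports which of the capabilities listed in the thread remain in a process's bounding set, and whether an interface has IFF_PROMISC set. It assumes a current Linux kernel that exposes `CapBnd` in `/proc/<pid>/status` and hex flags in `/sys/class/net/<if>/flags`; the sample inputs are constructed.

```python
import glob
import re

# Capabilities named in the thread, with bit numbers from <linux/capability.h>.
THREAD_CAPS = {
    "CAP_KILL": 5, "CAP_LINUX_IMMUTABLE": 9, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21, "CAP_SYS_BOOT": 22,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26,
}
IFF_PROMISC = 0x100  # from <linux/if.h>


def caps_still_available(status_text):
    """Return the thread's capabilities still present in the CapBnd mask."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapBnd line found")
    mask = int(m.group(1), 16)
    return sorted(name for name, bit in THREAD_CAPS.items() if (mask >> bit) & 1)


def is_promiscuous(flags_text):
    """True if the hex interface flags value has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


# Constructed sample inputs (not captured from a real host).
FULL_STATUS = "Name:\tinit\nCapBnd:\t000001ffffffffff\n"
REDUCED_STATUS = "Name:\tsvc\nCapBnd:\t00000000a80425fb\n"

if __name__ == "__main__":
    # On a live Linux host, audit the current process and every interface.
    with open("/proc/self/status") as fh:
        left = caps_still_available(fh.read())
    print("still in bounding set:", ", ".join(left) or "none")
    for path in sorted(glob.glob("/sys/class/net/*/flags")):
        with open(path) as fh:
            state = "PROMISC" if is_promiscuous(fh.read()) else "normal"
        print(path.split("/")[4], state)
```
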
