Vulnerability Development mailing list archives
Re: Ports 0-1023?
From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 04 Jul 2002 03:38:04 -0700
Blue Boar wrote:
Is there any point in needing to be root in order to allocate the low
ports on unix-like systems, anymore? Could we get away from having to
have some daemons even have a root stub in order to listen on a low
port? What would break, and what new holes would be created? Could
some sort of port ACL simply be used that says a particular UID can
allocate a particular range of ports?
Discuss.
BB
BB--I see your logic -- remote hosts can't depend on a root account actually serving the daemon(hell, they can't depend on a genuine TCP/IP implementation serving the daemon), so what's the point of requiring the host to actually be root? There are indeed many apps that have no requirement for root privs save for the low port, why not remove that requirement and drop the root req? Ah, but there's actually one very good reason to have the 0-1023 block around. If I'm a local user, and I discover a way to DoS a given service such that it drops the socket, I can hijack the port and all associated connections. There's a decent shit-ton of SMTP attacks that work this way(drop sendmail, start picking up all mail that travels through the host).
A standard root stub that *itself* executes arbitrary apps -- root owned, user operated*-- and then handles port forwarding to them would be a sufficiently generic solution...no kernel req's either. I'd be describing inetd, of course, except that the executable wouldn't spawn per connection...rather, it'd run a library preload against bind() on the child process and enforce some random port (on 127.0.0.1) as the actual listener. Then it'd be a trivial matter of bouncing incoming connections to the new local port. If a hijacker did show up, he wouldn't know which >1023 port to grab, and it wouldn't matter because the new bind would just pick something not already taken.
Hell, we could probably get people to run something like this just for the auto-daemon-restart capacity alone.
Yours Truly, Dan Kaminsky DoxPara Research http://www.doxpara.com * echo "kid tested, mother approved" | unix
Current thread:
- Re: Ports 0-1023?, (continued)
- Re: Ports 0-1023? Bruno Morisson (Jul 08)
- Re: Ports 0-1023? Martin Mačok (Jul 04)
- Re: Ports 0-1023? Michal Zalewski (Jul 04)
- Re: Ports 0-1023? Nate Amsden (Jul 04)
- Re: Ports 0-1023? gminick (Jul 04)
- Re: Ports 0-1023? Brian Hatch (Jul 04)
- Re: Ports 0-1023? Kent Crispin (Jul 04)
- Re: Ports 0-1023? David Schwartz (Jul 04)
- RE: Ports 0-1023? Amanda Jones (Jul 04)
- RE: Ports 0-1023? Michal Zalewski (Jul 04)
- Re: Ports 0-1023? Dan Kaminsky (Jul 04)
- Re: Ports 0-1023? Michal Zalewski (Jul 04)
- Re: Ports 0-1023? Sebastian Krahmer (Jul 05)
- Re: Ports 0-1023? robbe (Jul 04)
- Re: Ports 0-1023? Dave Aitel (Jul 04)
- Re: Ports 0-1023? Michal Zalewski (Jul 04)
- Re: Ports 0-1023? hicks (Jul 04)
- Re: Ports 0-1023? Juan M. Courcoul (Jul 04)
- Re: Ports 0-1023? Mark Ruth (Jul 04)
- Re: Ports 0-1023? Bruno Morisson (Jul 04)
- Re: Ports 0-1023? gminick (Jul 04)
- Re: Ports 0-1023? Bruno Morisson (Jul 04)
(Thread continues...)