4617029 1999-12-27 19:46 /35 rader/ Postmaster
Mottagare: Bugtraq (import) <9041>
Ärende: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.10.9912241133010.18575-100000@cs.liga.kiev.ua>
Date: Fri, 24 Dec 1999 11:33:17 +0200
Reply-To: Yuri Kuzmenko <yuri@CS.LIGA.KIEV.UA>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Yuri Kuzmenko <yuri@CS.LIGA.KIEV.UA>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
// Yuri Kuzmenko, system administrator
// LIGA ONLINE - http://www.liga.kiev.ua
---------- Forwarded message ----------
Date: Thu, 23 Dec 1999 19:49:11 +0200 (EET)
From: Yuri Kuzmenko <yuri@cs.liga.kiev.ua>
To: linux-kernel@vger.rutgers.edu
Subject: BUG? Non-root user can configure traffic shaper (2.2.13)
Hi!
Standard traffic shaper in 2.2.13 kernel is a very simple and cool
thing.
But speed of shapered device successfully configured by non-root user.
This is very bad...
Also, traffic shaper works correctly only when it's compiled as a
module. But I can select in "make menuconfig" to compile shaper into
kernel (2.2.13). So, result is kernel trap when first use of shaped
interface.
// Yuri Kuzmenko, system administrator
// LIGA ONLINE - http://www.liga.kiev.ua
(4617029) ------------------------------------------(Ombruten)
4618014 1999-12-28 01:40 /95 rader/ Postmaster
Mottagare: Bugtraq (import) <9056>
Ärende: Re: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.10.9912272114040.1607-100000@cs.liga.kiev.ua>
Date: Mon, 27 Dec 1999 21:31:15 +0200
Reply-To: Yuri Kuzmenko <yuri@CS.LIGA.KIEV.UA>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Yuri Kuzmenko <yuri@CS.LIGA.KIEV.UA>
X-To: Noam Rathaus <noamr@securiteam.com>
X-cc: Aviram Jenik <aviram@securiteam.com>
bugtraq@securityfocus.com, linux-kernel@vger.rutgers.edu
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <003d01bf509c$286fd080$0600a8c0@noambs>
Hi!
Non-root users can change the SPEED of shaped interface. I.e., usual
user can run "shapecfg speed shaper0 XXX" with success result. In my
case non-root user increases speed of shaped interface to my proxy
server. Yep, NO ANY suid's on `which shapecfg`. It's has 0755
permission.
All if this means that traffic shaper in insecure because can be
configured by any user with shell account.
Second bug is this:
Documentation/networking/shaper.txt:
o The shaper must be a module
But traffic shaper in "make menuconfig" can be compiled into kernel.
So, shaper which compiled into kernel simple not work. Next, I have
compiled shaper module "on fly" and insmod it (shaper compiled into
kernel at this moment). Then I configure shaped interface and kernel
failed in "swapper" process after first use of this interface (simple
ping).
Maybe second bug is not a shaper issue, but "make menuconfig" should
be fixed.
// Yuri Kuzmenko, system administrator
// LIGA ONLINE - http://www.liga.kiev.ua
On Mon, 27 Dec 1999, Noam Rathaus wrote:
> Hi,
>
> Can you explain better this vulnerability?
>
> You are very vague (unclear) on what this security vulnerability consists
> of?
>
> What do you mean a non-root user can configure traffic shaper?
>
> How is this done? What does the 'make menuconfig' has to do with it?
>
> What do you mean by: "So, result is kernel trap when first use of shaped
> interface."?
>
> Thanks for the additional information.
> Noam Rathaus
> http://www.SecuriTeam.com
>
> ----- Original Message -----
> From: Yuri Kuzmenko <yuri@CS.LIGA.KIEV.UA>
> To: <BUGTRAQ@SECURITYFOCUS.COM>
> Sent: Friday, December 24, 1999 11:33 AM
> Subject: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)
>
>
> > // Yuri Kuzmenko, system administrator
> > // LIGA ONLINE - http://www.liga.kiev.ua
> >
> > ---------- Forwarded message ----------
> > Date: Thu, 23 Dec 1999 19:49:11 +0200 (EET)
> > From: Yuri Kuzmenko <yuri@cs.liga.kiev.ua>
> > To: linux-kernel@vger.rutgers.edu
> > Subject: BUG? Non-root user can configure traffic shaper (2.2.13)
> >
> > Hi!
> >
> > Standard traffic shaper in 2.2.13 kernel is a very simple and cool thing.
> >
> > But speed of shapered device successfully configured by non-root user.
> > This is very bad...
> >
> > Also, traffic shaper works correctly only when it's compiled as a module.
> > But I can select in "make menuconfig" to compile shaper into kernel
> > (2.2.13). So, result is kernel trap when first use of shaped interface.
> >
> > // Yuri Kuzmenko, system administrator
> > // LIGA ONLINE - http://www.liga.kiev.ua
> >
>
(4618014) ------------------------------------------(Ombruten)
4620253 1999-12-28 22:47 /25 rader/ Postmaster
Mottagare: Bugtraq (import) <9062>
Ärende: Re: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Content-Type: text
Message-ID: <E122khv-0008Sd-00@the-village.bc.nu>
Date: Tue, 28 Dec 1999 00:41:45 +0000
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To: yuri@CS.LIGA.KIEV.UA
X-cc: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.9912272114040.1607-100000@cs.liga.kiev.ua> fro
"Yuri Kuzmenko" at Dec 27, 99 09:31:15 pm
> Non-root users can change the SPEED of shaped interface. I.e., usual user
> can run "shapecfg speed shaper0 XXX" with success result. In my case
> non-root user increases speed of shaped interface to my proxy server. Yep,
> NO ANY suid's on `which shapecfg`. It's has 0755 permission.
>
This was reported a while ago and is already fixed in 2.2.14pre. Pick
up the patch from that to drivers/net/shaper.c. It is the only change
needed.
Alan
(4620253) ------------------------------------------(Ombruten)