Re: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)

From: Yuri Kuzmenko (yuriat_private)
Date: Mon Dec 27 1999 - 11:31:15 PST

    Hi!
    
    Non-root users can change the SPEED of a shaped interface. I.e., an
    ordinary user can run "shapecfg speed shaper0 XXX" successfully. In my
    case, a non-root user increases the speed of the shaped interface to my
    proxy server. Yep, there are NO suid bits on `which shapecfg`. It has
    0755 permissions.
    
    All of this means that the traffic shaper is insecure because it can be
    configured by any user with a shell account.
    
    The second bug is this:
    
    Documentation/networking/shaper.txt:
    o	The shaper must be a module
    
    But the traffic shaper in "make menuconfig" can be compiled into the
    kernel. So, a shaper which is compiled into the kernel simply does not
    work. Next, I compiled the shaper module "on the fly" and insmod'ed it
    (the shaper was compiled into the kernel at this moment). Then I
    configured the shaped interface and the kernel failed in the "swapper"
    process after the first use of this interface (a simple ping).
    
    Maybe the second bug is not a shaper issue, but "make menuconfig" should
    be fixed.
    
    // Yuri Kuzmenko, system administrator
    // LIGA ONLINE - http://www.liga.kiev.ua
    
    On Mon, 27 Dec 1999, Noam Rathaus wrote:
    
    > Hi,
    >
    > Can you explain this vulnerability better?
    >
    > You are very vague (unclear) on what this security vulnerability consists
    > of.
    >
    > What do you mean a non-root user can configure traffic shaper?
    >
    > How is this done? What does 'make menuconfig' have to do with it?
    >
    > What do you mean by: "So, result is kernel trap when first use of shaped
    > interface."?
    >
    > Thanks for the additional information.
    > Noam Rathaus
    > http://www.SecuriTeam.com
    >
    > ----- Original Message -----
    > From: Yuri Kuzmenko <yuriat_private>
    > To: <BUGTRAQat_private>
    > Sent: Friday, December 24, 1999 11:33 AM
    > Subject: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)
    >
    >
    > > // Yuri Kuzmenko, system administrator
    > > // LIGA ONLINE - http://www.liga.kiev.ua
    > >
    > > ---------- Forwarded message ----------
    > > Date: Thu, 23 Dec 1999 19:49:11 +0200 (EET)
    > > From: Yuri Kuzmenko <yuriat_private>
    > > To: linux-kernelat_private
    > > Subject: BUG? Non-root user can configure traffic shaper (2.2.13)
    > >
    > > Hi!
    > >
    > > Standard traffic shaper in 2.2.13 kernel is a very simple and cool thing.
    > >
    > > But the speed of a shaped device is successfully configured by a
    > > non-root user. This is very bad...
    > >
    > > Also, traffic shaper works correctly only when it's compiled as a module.
    > > But I can select in "make menuconfig" to compile shaper into kernel
    > > (2.2.13). So, result is kernel trap when first use of shaped interface.
    > >
    > > // Yuri Kuzmenko, system administrator
    > > // LIGA ONLINE - http://www.liga.kiev.ua
    > >
    >
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:37 PDT