Date: Mon, 4 Jan 1999 00:55:14 -0600 (CST)
From: Marc Santoro <ultima@snicker.emoti.com>
To: Paul.Russell@rustcorp.com.au, alan@lxorguk.ukuu.org.uk
Subject: ipchains security hole
Cc: security-audit@ferret.lmh.ox.ac.uk, ultima@snicker.emoti.com
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
--8323328-1928208570-915428083=:5383
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <Pine.LNX.4.02.9901032334531.5383@localhost>
Description:
The Linux ipfwchains code allows any user to access the complete
list of firewall rules if /proc is mounted. The list of firewall rules
would be extremely useful for a system attack.
Exploit:
(as any user)
$ cat /proc/net/ip_fwchains
$ cat /proc/net/ip_fwnames
Fix:
Apply the attached kernel patch.
Works against 2.1.131 & 2.2.0-pre4, YMMV
Tested against:
Linux kernel versions 2.1.131->2.2.0-pre4 (Not regression tested)
--8323328-1928208570-915428083=:5383
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="ip_fw.diff"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.02.9901040055140.384@localhost>
Content-Description:
Content-Disposition: attachment; filename="ip_fw.diff"
KioqIGlwX2Z3LmMuYnVnZ3kJU3VuIEphbiAgMyAyMzowODo1NiAxOTk5DQot
LS0gaXBfZncuYwlNb24gSmFuICA0IDAwOjUzOjQxIDE5OTkNCioqKioqKioq
KioqKioqKg0KKioqIDI5LDM0ICoqKioNCi0tLSAyOSwzNyAtLS0tDQogICAq
IDEtTWF5LTE5OTg6ICBSZW1vdmUgY2FjaGluZyBvZiBkZXZpY2UgcG9pbnRl
ci4NCiAgICogMTItTWF5LTE5OTg6IEFsbG93IHRpbnkgZnJhZ21lbnQgY2Fz
ZSBmb3IgVENQL1VEUC4NCiAgICogMTUtTWF5LTE5OTg6IFRyZWF0IHNob3J0
IHBhY2tldHMgYXMgZnJhZ21lbnRzLCBkb24ndCBqdXN0IGJsb2NrLg0KKyAg
KiAzLUphbi0xOTk5OiAgRml4ZWQgc2VyaW91cyBwcm9jZnMgc2VjdXJpdHkg
aG9sZSAtLSB1c2VycyBzaG91bGQgbmV2ZXINCisgICogICAgICAgICAgICAg
IGJlIGFsbG93ZWQgdG8gdmlldyB0aGUgY2hhaW5zIQ0KKyAgKiAgICAgICAg
ICAgICAgTWFyYyBTYW50b3JvIDx1bHRpbWFAc25pY2tlci5lbW90aS5jb20+
DQogICAqLw0KICANCiAgLyoNCioqKioqKioqKioqKioqKg0KKioqIDE2Njcs
MTY3OSAqKioqDQogICNpZmRlZiBDT05GSUdfUFJPQ19GUwkJDQogIHN0YXRp
YyBzdHJ1Y3QgcHJvY19kaXJfZW50cnkgcHJvY19uZXRfaXBmd2NoYWluc19j
aGFpbiA9IHsNCiAgCVBST0NfTkVUX0lQRldfQ0hBSU5TLCBzaXplb2YoSVBf
RldfUFJPQ19DSEFJTlMpLTEsIA0KISAJSVBfRldfUFJPQ19DSEFJTlMsIFNf
SUZSRUcgfCBTX0lSVUdPIHwgU19JV1VTUiwgMSwgMCwgMCwNCiAgCTAsICZw
cm9jX25ldF9pbm9kZV9vcGVyYXRpb25zLCBpcF9jaGFpbl9wcm9jaW5mbw0K
ICB9Ow0KICANCiAgc3RhdGljIHN0cnVjdCBwcm9jX2Rpcl9lbnRyeSBwcm9j
X25ldF9pcGZ3Y2hhaW5zX2NoYWlubmFtZXMgPSB7DQogIAlQUk9DX05FVF9J
UEZXX0NIQUlOX05BTUVTLCBzaXplb2YoSVBfRldfUFJPQ19DSEFJTl9OQU1F
UyktMSwgDQohIAlJUF9GV19QUk9DX0NIQUlOX05BTUVTLCBTX0lGUkVHIHwg
U19JUlVHTyB8IFNfSVdVU1IsIDEsIDAsIDAsDQogIAkwLCAmcHJvY19uZXRf
aW5vZGVfb3BlcmF0aW9ucywgaXBfY2hhaW5fbmFtZV9wcm9jaW5mbw0KICB9
Ow0KICANCi0tLSAxNjcwLDE2ODIgLS0tLQ0KICAjaWZkZWYgQ09ORklHX1BS
T0NfRlMJCQ0KICBzdGF0aWMgc3RydWN0IHByb2NfZGlyX2VudHJ5IHByb2Nf
bmV0X2lwZndjaGFpbnNfY2hhaW4gPSB7DQogIAlQUk9DX05FVF9JUEZXX0NI
QUlOUywgc2l6ZW9mKElQX0ZXX1BST0NfQ0hBSU5TKS0xLCANCiEgCUlQX0ZX
X1BST0NfQ0hBSU5TLCBTX0lGUkVHIHwgU19JUlVTUiB8IFNfSVdVU1IsIDEs
IDAsIDAsDQogIAkwLCAmcHJvY19uZXRfaW5vZGVfb3BlcmF0aW9ucywgaXBf
Y2hhaW5fcHJvY2luZm8NCiAgfTsNCiAgDQogIHN0YXRpYyBzdHJ1Y3QgcHJv
Y19kaXJfZW50cnkgcHJvY19uZXRfaXBmd2NoYWluc19jaGFpbm5hbWVzID0g
ew0KICAJUFJPQ19ORVRfSVBGV19DSEFJTl9OQU1FUywgc2l6ZW9mKElQX0ZX
X1BST0NfQ0hBSU5fTkFNRVMpLTEsIA0KISAJSVBfRldfUFJPQ19DSEFJTl9O
QU1FUywgU19JRlJFRyB8IFNfSVJVU1IgfCBTX0lXVVNSLCAxLCAwLCAwLA0K
ICAJMCwgJnByb2NfbmV0X2lub2RlX29wZXJhdGlvbnMsIGlwX2NoYWluX25h
bWVfcHJvY2luZm8NCiAgfTsNCiAgDQo=
--8323328-1928208570-915428083=:5383--
