COMMAND

    $Id: user-raw-IP,v 1.3 1999/10/22 08:33:10 schaefer Exp $

SYSTEMS AFFECTED

    Linux

PROBLEM

    Marc Schaefer found following with  the help of Alan COX  (for the
    fix) and of  Andreas Trottmann for  the work-around idea.   Forged
    packets can be send out from  a Linux system, for example for  NFS
    attacks  or   any  other   protocol  relying   on  addresses   for
    authentification, even when protected from the outside  interfaces
    by  firewalling  rules.   Most  of  the time, existing firewalling
    rules are bypassed.  This requires at least a shell account on the
    system.  Any local user can send any packet to any host from  most
    Linux default installations without  of the use of  any permission
    problem or suid flaw.   Basically, it corresponds to having  write
    only permissions to raw IP socket on the server machine.

    You are immune to this problem  if one (or more) of the  following
    is true:

        - you do not have local (shell) users
        - SLIP and PPP are  not compiled-in the kernel and  either are
          not available  in /lib/modules/*  as modules,  or are  never
          loaded and kerneld/kmod is not available.
        - you use deny-default  configuration for your input  firewall
          rules,  and  you  don't  have  accept  entries  for specific
          addresses or for unused ppp or slip interfaces (and the used
          ones are never unused or accept rules are safely removed  at
          shutdown).
        - you use 2.3.18 with ac6 patch (or higher).
        - you use 2.2.13pre15 (or higher).

    A working  exploit exists  and has  been tested  on current  Linux
    distributions. It is possible that an exploit be posted some  time
    in the future (or that someone reads this and does it by himself).

SOLUTION

    Possible workarounds:

        - Make so that SLIP and PPP support are not available
        - Use deny default policy  for input firewall, only allow  for
          specific  address  ranges  and  specific  interfaces.    For
          dynamic links (such as SLIP  or PPP), add an accept  at link
          creation time, and remove the entry when the link goes down.

    Fix:

        - For 2.3.x,  install 2.3.18 with  the ac6 patch  (or higher).
          Warning, this is a DEVELOPMENT kernel.
        - For 2.2.x, install 2.2.13pre15 or higher (e.g. 2.2.13).
        - At  this  time  no  fix  for  2.0.x. Please apply the  above
          mentionned workarounds.