Bugtraq mailing list archives

Re: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)


From: yuri () CS LIGA KIEV UA (Yuri Kuzmenko)
Date: Mon, 27 Dec 1999 21:31:15 +0200


Hi!

Non-root users can change the SPEED of a shaped interface. I.e., a usual user
can run "shapecfg speed shaper0 XXX" with a successful result. In my case a
non-root user increases the speed of the shaped interface to my proxy server. Yep,
there is NO suid bit on `which shapecfg`. It has 0755 permissions.

All of this means that the traffic shaper is insecure because it can be
configured by any user with a shell account.

Second bug is this:

Documentation/networking/shaper.txt:
o       The shaper must be a module

But the traffic shaper in "make menuconfig" can be compiled into the kernel.
So, a shaper which is compiled into the kernel simply does not work. Next, I
compiled the shaper module "on the fly" and insmod'ed it (the shaper was compiled
into the kernel at this moment). Then I configured the shaped interface and the
kernel failed in the "swapper" process after the first use of this interface (a
simple ping).

Maybe the second bug is not a shaper issue, but "make menuconfig" should be
fixed.

// Yuri Kuzmenko, system administrator
// LIGA ONLINE - http://www.liga.kiev.ua

On Mon, 27 Dec 1999, Noam Rathaus wrote:

Hi,

Can you explain this vulnerability better?

You are very vague (unclear) on what this security vulnerability consists
of.

What do you mean a non-root user can configure traffic shaper?

How is this done? What does the 'make menuconfig' have to do with it?

What do you mean by: "So, result is kernel trap when first use of shaped
interface."?

Thanks for the additional information.
Noam Rathaus
http://www.SecuriTeam.com

----- Original Message -----
From: Yuri Kuzmenko <yuri () CS LIGA KIEV UA>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Friday, December 24, 1999 11:33 AM
Subject: BUG? Non-root user can configure traffic shaper (2.2.13) (fwd)


// Yuri Kuzmenko, system administrator
// LIGA ONLINE - http://www.liga.kiev.ua

---------- Forwarded message ----------
Date: Thu, 23 Dec 1999 19:49:11 +0200 (EET)
From: Yuri Kuzmenko <yuri () cs liga kiev ua>
To: linux-kernel () vger rutgers edu
Subject: BUG? Non-root user can configure traffic shaper (2.2.13)

Hi!

The standard traffic shaper in the 2.2.13 kernel is a very simple and cool thing.

But the speed of a shaped device can be successfully configured by a non-root user.
This is very bad...

Also, traffic shaper works correctly only when it's compiled as a module.
But I can select in "make menuconfig" to compile shaper into kernel
(2.2.13). So, result is kernel trap when first use of shaped interface.

// Yuri Kuzmenko, system administrator
// LIGA ONLINE - http://www.liga.kiev.ua



