Vulnerability Development mailing list archives
Re: ethernet cards & promisc mode
From: dr () DURSEC COM (Dragos Ruiu)
Date: Thu, 4 May 2000 23:02:53 -0700
Disabling promiscuous mode. I've only ever done it on the Linux Tulip and 3c905 drivers with Mr. Becker's ubiquitous code, but it's pretty straightforward to disable promiscuous mode on those drivers, YMMV. (From memory, I think there was only one spot in the code you had to modify.) The next step would be to build a kernel without module support, a good security move in any case IMHO. Unfortunately, in Linux there are some drivers that will only work as modules - I got bit by one once and I don't even remember what it was, but I think that's fairly rare and who knows, maybe those have been fixed. I think having to reboot and replace the kernel adds a significant level of complexity to exploits, but I would love to hear evidence to the contrary.

cheers,
--dr

I'm busy with our conference next week, but I can probably dig up some old patches after next week if someone is interested.

On Thu, 04 May 2000, Granquist, Lamont wrote:
> Disabling capabilities (e.g. CAP_KILL CAP_LINUX_IMMUTABLE CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_TTY_CONFIG) should go a long way towards preventing these kinds of attacks.
>
> On Thu, 4 May 2000, C.J. Oster wrote:
> > I'm fairly sure it's a driver issue, not the card allowing you to do so or not. You could always take the kernel module and turn off its ability to enter promisc mode. You may have to hack the ethernet layer also. Promisc mode just means the driver stops checking its hardware address against the destination address, so I believe that this is a driver issue. You can only enter promisc mode as root anyway, so if an attacker got that far, nothing prevents him from building a working driver and using that. You could force the attacker to build an entire kernel and reboot the machine by building the card driver into the kernel rather than a module, but one can still work around that as well.
> >
> > On Wed, 3 May 2000, Security Team wrote:
> > > Are there any ethernet cards on the market that work well with Linux, that don't allow you to go into promisc mode?
--
dursec.com / kyx.net - we're from the future   http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver
Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Lance Spitzner/Sun, Fyodor Yarochkin/KALUG, Max Vision/whitehats.com
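The driver-side point made in the thread (promiscuous mode is just the driver no longer comparing the destination address with its own hardware address, and the "one spot" to change is where the driver acts on the IFF_PROMISC request) can be shown in working code. The following is an added example, not code from the thread, from Donald Becker's drivers or from any real driver: a user-space model of a NIC's receive filter and of its set_rx_mode hook. The names struct nic, nic_init, nic_set_rx_mode, nic_accept, nic_accept_to and the ALLOW_PROMISC build switch are assumptions made here for illustration, and the exact-match multicast list stands in for the hash filter a real chip uses; the IFF_* values match <linux/if.h>. The MAC addresses and frames are constructed.

```c
/* rx_filter.c: added example, not code from the thread or any real driver.
 * A user-space model of an Ethernet driver's receive-address filter and of
 * the set_rx_mode() hook that receives the IFF_PROMISC request. struct nic,
 * nic_*() and ALLOW_PROMISC are invented names; IFF_* match <linux/if.h>. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFF_PROMISC  0x100
#define IFF_ALLMULTI 0x200

/* Compile with -DALLOW_PROMISC=1 to model the stock driver. The default
 * models the one-spot change: refuse the request instead of programming
 * the chip's receive-mode register. */
#ifndef ALLOW_PROMISC
#define ALLOW_PROMISC 0
#endif

enum rx_mode { RX_NORMAL, RX_ALLMULTI, RX_PROMISC };

struct nic {
    uint8_t mac[6];
    enum rx_mode mode;
    uint8_t mc_list[8][6];  /* assumption: an exact list, not the chip's hash */
    int mc_count;
};

static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

void nic_init(struct nic *n, const uint8_t mac[6])
{
    memset(n, 0, sizeof *n);
    memcpy(n->mac, mac, 6);
}

/* Runs when the interface flags change ("ifconfig eth0 promisc").
 * Returns 0, or -EINVAL when this build refuses promiscuous mode. */
int nic_set_rx_mode(struct nic *n, unsigned flags)
{
    if (flags & IFF_PROMISC) {
#if ALLOW_PROMISC
        n->mode = RX_PROMISC;
        return 0;
#else
        return -EINVAL;   /* keep filtering, whatever root asks for */
#endif
    }
    n->mode = (flags & IFF_ALLMULTI) ? RX_ALLMULTI : RX_NORMAL;
    return 0;
}

/* The destination-address check. Returns 1 if the frame goes up to the
 * host, 0 if the filter drops it. In RX_PROMISC the check is skipped
 * entirely; that is all "promiscuous" means at this layer. */
int nic_accept(const struct nic *n, const uint8_t *frame, size_t len)
{
    if (len < 14)                     /* shorter than an Ethernet header */
        return 0;
    if (n->mode == RX_PROMISC)
        return 1;
    if (memcmp(frame, n->mac, 6) == 0 || memcmp(frame, bcast, 6) == 0)
        return 1;
    if (frame[0] & 1) {               /* group (multicast) address */
        if (n->mode == RX_ALLMULTI)
            return 1;
        for (int i = 0; i < n->mc_count; i++)
            if (memcmp(frame, n->mc_list[i], 6) == 0)
                return 1;
    }
    return 0;
}

/* Convenience: build a minimal constructed frame addressed to dst and
 * run it through the filter. */
int nic_accept_to(const struct nic *n, const uint8_t dst[6])
{
    uint8_t frame[60] = {0};
    memcpy(frame, dst, 6);
    memcpy(frame + 6, "\x00\x50\x04\x11\x22\x33", 6); /* constructed source */
    frame[12] = 0x08; frame[13] = 0x00;                /* EtherType IPv4 */
    return nic_accept(n, frame, sizeof frame);
}

int main(void)
{
    const uint8_t mac[6]   = {0x00, 0x50, 0x04, 0xaa, 0xbb, 0xcc}; /* constructed */
    const uint8_t other[6] = {0x00, 0x50, 0x04, 0x11, 0x22, 0x33};
    const uint8_t mcast[6] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01};
    struct nic n;
    nic_init(&n, mac);

    int rc = nic_set_rx_mode(&n, IFF_PROMISC);
    printf("promisc request: %s\n", rc == 0 ? "accepted" : strerror(-rc));
    printf("to own MAC: %d, to other MAC: %d, broadcast: %d, multicast: %d\n",
           nic_accept_to(&n, mac), nic_accept_to(&n, other),
           nic_accept_to(&n, bcast), nic_accept_to(&n, mcast));
    return 0;
}
```

The change that matters is the single branch in nic_set_rx_mode: with ALLOW_PROMISC left at 0, a request for IFF_PROMISC fails with -EINVAL and the address comparison in nic_accept keeps running, so unicast frames for other stations are still dropped. The caveat from the thread still holds: this only removes the feature from one driver, and whoever has root can replace the driver, which is why the same post pairs it with a modules-disabled kernel.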
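Lamont's suggestion of disabling the listed capabilities, carried into working code as an added example that is not from the thread: the program removes those capabilities from the process capability bounding set and then execs the real program, so nothing downstream, a root shell included, can acquire them again. It uses prctl(PR_CAPBSET_DROP), which exists from Linux 2.6.25 onwards and replaced the system-wide /proc/sys/kernel/cap-bound sysctl that lcap drove in 2000; dropping needs CAP_SETPCAP, reading the set does not. The helper names cap_by_name, cap_in_bset and drop_listed_caps are assumptions made here; the capability numbers come from <linux/capability.h>.

```c
/* capbset.c: added example, not code from the thread. Drops the
 * capabilities Lamont lists from the per-process capability bounding set,
 * so that nothing this process exec()s afterwards can get them back.
 * prctl(PR_CAPBSET_DROP) is Linux 2.6.25 and later; the 2.2/2.4-era
 * /proc/sys/kernel/cap-bound sysctl is gone. Dropping needs CAP_SETPCAP,
 * reading does not. cap_by_name(), cap_in_bset() and drop_listed_caps()
 * are invented names. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/capability.h>

struct capname { const char *name; int cap; };

/* The set named in the thread; numbers come from <linux/capability.h>. */
static const struct capname to_drop[] = {
    {"CAP_KILL",            CAP_KILL},
    {"CAP_LINUX_IMMUTABLE", CAP_LINUX_IMMUTABLE},
    {"CAP_NET_ADMIN",       CAP_NET_ADMIN},
    {"CAP_NET_RAW",         CAP_NET_RAW},
    {"CAP_SYS_MODULE",      CAP_SYS_MODULE},
    {"CAP_SYS_RAWIO",       CAP_SYS_RAWIO},
    {"CAP_SYS_PTRACE",      CAP_SYS_PTRACE},
    {"CAP_SYS_ADMIN",       CAP_SYS_ADMIN},
    {"CAP_SYS_BOOT",        CAP_SYS_BOOT},
    {"CAP_SYS_TIME",        CAP_SYS_TIME},
    {"CAP_SYS_TTY_CONFIG",  CAP_SYS_TTY_CONFIG},
};
#define N_DROP (sizeof to_drop / sizeof to_drop[0])

/* Capability number for a name in the list above, or -1 if not listed. */
int cap_by_name(const char *name)
{
    for (size_t i = 0; i < N_DROP; i++)
        if (strcmp(to_drop[i].name, name) == 0)
            return to_drop[i].cap;
    return -1;
}

/* 1 if cap is still in this process's bounding set, 0 if not, -1 on error.
 * No privilege is required for the read. */
int cap_in_bset(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
}

/* Drop every listed capability from the bounding set. Returns how many
 * are now absent, or -1 with errno set on the first failure (EPERM when
 * the caller lacks CAP_SETPCAP). Capabilities already gone count. */
int drop_listed_caps(void)
{
    int gone = 0;
    for (size_t i = 0; i < N_DROP; i++) {
        if (cap_in_bset(to_drop[i].cap) == 0) { gone++; continue; }
        if (prctl(PR_CAPBSET_DROP, (unsigned long)to_drop[i].cap, 0, 0, 0) != 0)
            return -1;
        gone++;
    }
    return gone;
}

int main(int argc, char **argv)
{
    for (size_t i = 0; i < N_DROP; i++)
        printf("%-20s in bounding set before: %d\n",
               to_drop[i].name, cap_in_bset(to_drop[i].cap));

    if (drop_listed_caps() < 0) {
        perror("PR_CAPBSET_DROP");   /* EPERM: needs CAP_SETPCAP */
        return 1;
    }
    for (size_t i = 0; i < N_DROP; i++)
        printf("%-20s in bounding set after:  %d\n",
               to_drop[i].name, cap_in_bset(to_drop[i].cap));

    /* The bounding set only limits what later execs can obtain; this
     * process keeps what it already holds. So hand off now, e.g.
     * ./capbset /bin/sh (constructed usage). */
    if (argc > 1) {
        execv(argv[1], argv + 1);
        perror("execv");
        return 1;
    }
    return 0;
}
```

Run it with CAP_SETPCAP (as root, early in the boot path) with the daemon or shell to confine as its arguments. A capability removed from the bounding set stays in the current process's permitted set, which is why the program execs rather than carrying on; the new image and everything forked from it cannot regain CAP_SYS_MODULE, CAP_NET_RAW or the rest, whatever uid they run as, and there is no call that adds a capability back to the bounding set. The limit is the one C.J. Oster points at in the thread: a process that already holds CAP_SYS_MODULE or CAP_SYS_BOOT before the drop can still load a module or boot a replacement kernel.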