
Bug 74482

Summary: sys-apps/usermode-utilities-20040406: uml_net slip_down() fails to check permissions
Product: Gentoo Security
Reporter: Sascha Silbe <sascha-gentoo-bugzilla>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: base-system, christian.hartmann, johnm, kernel, tantive
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Sascha Silbe 2004-12-15 05:29:47 UTC
The following advisory from securesoftware@list.cr.yp.to is for an older version of uml-utilities, but I've verified that it still works:

Date: 15 Dec 2004 08:32:41 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
Subject: [local] [kill] uml-utilities 20030903 uml_net slip_down() fails to check permissions
To: securesoftware@list.cr.yp.to,
        user-mode-linux-devel@lists.sourceforge.net
X-HELOcheck: OK: FQDN
Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Mail-Followup-To: securesoftware@list.cr.yp.to,
        user-mode-linux-devel@lists.sourceforge.net
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.

Danny Lungstrom, a student in my Fall 2004 UNIX Security Holes course,
has discovered that uml_net, when installed setuid root (as is normal),
allows any local user to type

   ./uml_net 4 slip down eth0

to take down the computer's Ethernet connection. The connection stays
down until the system administrator manually brings it back up. I'm
publishing this notice, but all the discovery credits should be assigned
to Lungstrom.

The underlying bug is that, in slip.c, slip_down() has no idea whether
the user is actually allowed to take down the specified interface.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
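
The missing check described in the advisory, sketched as an added example (this is not the upstream patch and not code from uml-utilities): a setuid helper decides on the caller's real uid whether an interface may be taken down. The `if_owner` table, `may_take_down()` and the "only `sl<N>` names" policy are assumptions made for illustration, and the sample table is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define IFNAME_MAX 16   /* same size as the kernel's IFNAMSIZ */

/* Hypothetical record: the real uid that asked the helper to create an interface. */
struct if_owner { char ifname[IFNAME_MAX]; uid_t uid; };

/* Constructed sample table for this example. */
static const struct if_owner SAMPLE_OWNERS[] = { { "sl0", 1000 }, { "sl1", 1001 } };

/* Accept only "sl" followed by digits (sl0, sl1, ...); "eth0", "sl" and "sl0;x" fail. */
static int is_slip_name(const char *ifname)
{
    size_t i = 2;

    if (strncmp(ifname, "sl", 2) != 0)
        return 0;
    while (i < IFNAME_MAX && isdigit((unsigned char)ifname[i]))
        i++;
    return i > 2 && i < IFNAME_MAX && ifname[i] == '\0';
}

/*
 * Return 1 only if `caller` is recorded as the owner of SLIP interface `ifname`.
 * In a setuid-root program `caller` must come from getuid() (real uid),
 * because geteuid() is 0 for every user who runs the helper.
 */
int may_take_down(const char *ifname, uid_t caller,
                  const struct if_owner *owners, size_t n_owners)
{
    if (ifname == NULL || !is_slip_name(ifname))
        return 0;
    for (size_t i = 0; i < n_owners; i++)
        if (strcmp(owners[i].ifname, ifname) == 0)
            return owners[i].uid == caller;
    return 0;   /* interface not created through the helper: deny by default */
}

int main(void)
{
    printf("uid 1000, sl0:  %d\n", may_take_down("sl0", 1000, SAMPLE_OWNERS, 2));
    printf("uid 1000, eth0: %d\n", may_take_down("eth0", 1000, SAMPLE_OWNERS, 2));
    return 0;
}
```
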
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-12-15 05:57:44 UTC
Sascha, thanks for entering all these and verifying this one :)
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 07:02:59 UTC
======================================================
Candidate: CAN-2004-1295
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1295
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/uml-utilites.txt

The slip_down function in slip.c for the uml_net program in
uml-utilities 20030903, when uml_net is installed setuid root, does
not verify whether the calling user has sufficient permission to
disable an interface, which allows local users to cause a denial of
service (network service disabled).
======================================================
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-28 04:46:40 UTC
Start of discussion on the fix on uml-devel @
http://marc.theaimsgroup.com/?t=110309975100003&r=1&w=2
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-15 07:53:44 UTC
Upstream just published patches:
http://marc.theaimsgroup.com/?l=user-mode-linux-devel&m=111017058101508&w=2

Time for us to bump.
Ccing base-system (listed in metadata.xml, sorry) and tantive (last bumper).
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-03-22 14:02:27 UTC
johnm: did you have time to look into this?
Comment 6 John Mylchreest (RETIRED) gentoo-dev 2005-04-13 08:13:08 UTC
fixed in cvs.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-04-13 08:17:58 UTC
Stable on all affected arches... security please vote on GLSA.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-04-15 00:52:50 UTC
1/2 vote NO
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-15 00:59:50 UTC
I vote NO.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-04-15 01:09:49 UTC
Closed without GLSA, reopen if you disagree