CVE-2010-0007: Linux kernel netfilter ebtables Missing Check
This was a design flaw discovered by Florian Westphal. As Patrick McHardy said:
Unbelievable that this went unnoticed for so long.
And it’s true :P
So, ebtables (Ethernet Bridge Tables) is a popular kernel-level filtering feature for Ethernet-layer rules (similar to iptables, but operating on Ethernet frames rather than IP packets). Florian Westphal discovered that neither the get routine nor the set routine checked the caller's capabilities, so unprivileged users could read and modify the ebtables rules with no permission check at all. To fix this, the following patch was applied:
@@ -1406,6 +1406,9 @@ static int do_ebt_set_ctl(struct sock *sk,
{
int ret;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
switch(cmd) {
case EBT_SO_SET_ENTRIES:
ret = do_replace(sock_net(sk), user, len);
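Review bot: the `capable(CAP_NET_ADMIN)` check is placed ahead of `switch(cmd)`, which is the right position: a single test gates every EBT_SO_SET_* command, including the `do_replace(sock_net(sk), user, len)` path visible here, as well as whatever the default branch does, so no set command can be reached by an unprivileged caller. Returning `-EPERM` rather than `-EINVAL` also gives userspace the conventional "not permitted" error for a privilege failure.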
@@ -1425,6 +1428,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
struct ebt_replace tmp;
struct ebt_table *t;
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
if (copy_from_user(&tmp, user, sizeof(tmp)))
return -EFAULT;
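Review bot: the check goes in before `copy_from_user(&tmp, user, sizeof(tmp))`, so for an unprivileged caller the kernel copies and parses no user-supplied `ebt_replace` structure at all; that is the correct ordering, since the privilege decision does not depend on anything in the request. The two hunks use the identical `capable(CAP_NET_ADMIN)` / `-EPERM` pair, so the get and set paths now fail consistently.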
It adds the missing checks on the two routines responsible for setting and getting rules from the tables.
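To make the shape of the bug and of the fix concrete, here is an added example in C that is not kernel code and not part of the original post. It models a setsockopt/getsockopt-style dispatcher with a constructed `capable()` stand-in and a constructed capability set for the "current task"; the option numbers, the `struct table`, and the helper `run_as()` are all hypothetical. The unpatched handlers go straight to the command switch, as the pre-fix ebtables routines did; the patched handlers add the one check at the entry, before the switch and before any user data would be touched, so unprivileged callers are rejected for every command, known or unknown.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel pieces the patch relies on.
 * These are not the kernel's own definitions; they only model the shape
 * of the ebtables set/get control handlers. */
#define EPERM  1
#define EFAULT 14
#define EINVAL 22
#define CAP_NET_ADMIN 12

/* Effective capability set of the calling task (constructed). */
static uint64_t current_caps;

/* Run the following calls as a task holding exactly these capabilities. */
static void run_as(uint64_t caps) { current_caps = caps; }

/* Stand-in for the kernel's capable(): is the given bit set for the caller? */
static int capable(int cap) { return (int)((current_caps >> cap) & 1); }

/* Control command numbers modelled on the ebtables control range (hypothetical). */
enum { CTL_SET_ENTRIES = 128, CTL_SET_COUNTERS, CTL_GET_INFO };

struct table { int entries; int counters; };
static struct table tbl = { 0, 0 };

/* Vulnerable shape: the dispatcher goes straight to the command switch, so
 * every case is reachable by any task that can reach the handler at all. */
static int set_ctl_unpatched(int cmd, int value)
{
    switch (cmd) {
    case CTL_SET_ENTRIES:  tbl.entries  = value; return 0;
    case CTL_SET_COUNTERS: tbl.counters = value; return 0;
    default:               return -EINVAL;
    }
}

static int get_ctl_unpatched(int cmd, int *out)
{
    if (!out)
        return -EFAULT;   /* stands in for a failed copy from/to user space */
    switch (cmd) {
    case CTL_GET_INFO: *out = tbl.entries; return 0;
    default:           return -EINVAL;
    }
}

/* Patched shape: one check at the entry of each handler, before the switch
 * and before any user pointer is touched. Unknown commands are rejected with
 * -EPERM for unprivileged callers rather than reaching the default branch. */
static int set_ctl_patched(int cmd, int value)
{
    if (!capable(CAP_NET_ADMIN))
        return -EPERM;
    return set_ctl_unpatched(cmd, value);
}

static int get_ctl_patched(int cmd, int *out)
{
    if (!capable(CAP_NET_ADMIN))
        return -EPERM;
    return get_ctl_unpatched(cmd, out);
}

int main(void)
{
    int info = -1;

    run_as(0);   /* unprivileged task: no capabilities */
    printf("unpatched set: %d, entries now %d\n",
           set_ctl_unpatched(CTL_SET_ENTRIES, 42), tbl.entries);
    printf("patched   set: %d (table untouched: %d)\n",
           set_ctl_patched(CTL_SET_ENTRIES, 7), tbl.entries);
    printf("patched   get: %d\n", get_ctl_patched(CTL_GET_INFO, &info));

    run_as(1ULL << CAP_NET_ADMIN);   /* task holding CAP_NET_ADMIN */
    printf("patched   set as admin: %d\n", set_ctl_patched(CTL_SET_ENTRIES, 7));
    printf("patched   get as admin: %d, info %d\n",
           get_ctl_patched(CTL_GET_INFO, &info), info);
    return 0;
}
```

The point the example makes is the one the patch makes: the privilege decision depends on nothing in the request, so it belongs at the very top of the handler, where it covers every command with one check and stops the kernel from copying or parsing user data on behalf of a caller who is not allowed to ask.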
