xorl %eax, %eax

CVE-2010-0007: Linux kernel netfilter ebtables Missing Check


This was a design flaw that was discovered by Florian Westphal. As Patrick McHardy said:

Unbelievable that this went unnoticed for so long.

And it’s true :P
So, ebtables (Ethernet Bridge Tables) is a popular kernel-level filtering feature for Ethernet protocol rules (similar to iptables, but at the Ethernet level), and Florian Westphal discovered that neither the getting nor the setting routine checked the user's capabilities. This means that unprivileged users were able to manipulate the ebtables with no permission checks. To fix this, the following patch was applied:

@@ -1406,6 +1406,9 @@  static int do_ebt_set_ctl(struct sock *sk,
 {
 	int ret;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	switch(cmd) {
 	case EBT_SO_SET_ENTRIES:
 		ret = do_replace(sock_net(sk), user, len);
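
Review bot: the new capable(CAP_NET_ADMIN) gate at the top of do_ebt_set_ctl has no comment, and nothing in the function says that every case of the switch below depends on it. A one-line comment above the check, stating that all set commands handled here require CAP_NET_ADMIN, would keep a later case from being added on the assumption that each command does its own check.
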
@@ -1425,6 +1428,9 @@  static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 	struct ebt_replace tmp;
 	struct ebt_table *t;
 
+	if (!capable(CAP_NET_ADMIN))
+		return -EPERM;
+
 	if (copy_from_user(&tmp, user, sizeof(tmp)))
 		return -EFAULT;
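
Review bot: the check in do_ebt_get_ctl is a verbatim copy of the one added to do_ebt_set_ctl, so the two can drift apart if one is changed later; a comment tying them together, or a shared helper, would avoid that. The placement ahead of copy_from_user is right, since an unprivileged caller now gets -EPERM before any user memory is read, but the commit message should say explicitly that read-only get requests are refused too.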

It adds the missing checks to the two routines responsible for setting and getting rules from the tables.

Written by xorl

January 14, 2010 at 04:28

Posted in bugs, linux
