From karl@Codebase.mcs.net  Tue Sep 10 11:39:18 1996
Received: from Codebase.mcs.net (codebase.mcs.net [192.160.127.89])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA04938
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 10 Sep 1996 11:39:18 -0700 (PDT)
Received: (from root@localhost) by Codebase.mcs.net (8.7.5/8.6.12) id NAA17069; Tue, 10 Sep 1996 13:39:17 -0500 (CDT)
Message-Id: <199609101839.NAA17069@Codebase.mcs.net>
Date: Tue, 10 Sep 1996 13:39:17 -0500 (CDT)
From: Karl <karl@Codebase.mcs.net>
Reply-To: karl@Codebase.mcs.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: Security problem with routed - patch to fix
X-Send-Pr-Version: 3.2

>Number:         1596
>Category:       bin
>Synopsis:       routed allows writing to any system file
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    wollman
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 10 11:40:00 PDT 1996
>Closed-Date:    Mon Sep 16 10:10:50 PDT 1996
>Last-Modified:  Tue Nov 27 19:33:07 PST 2001
>Originator:     Karl
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
MCSNet
>Environment:

	Any user operating routed

>Description:

	Any user anywhere on the Internet can potentially write to any file
	on the system as root through the use of the RIP TRACE facility

>How-To-Repeat:

	Send UDP packet containing RIP TRACE request with the requested
	filename.

>Fix:

The following diff removes the RIP TRACE facility unless the define 
"INSECURE" is present at the time of the build.  There is no known way
to safely permit this trace activity to take place.

MCSNet was not the originator of discovery for this problem.

Index: input.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/routed/input.c,v
retrieving revision 1.4
diff -r1.4 input.c
288a289
> #ifdef	INSECURE
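Review bot: the `#ifdef INSECURE` added at line 289 uses a generic macro name and has no comment. A comment on this line saying that it gates the RIP TRACE handling, and why that is off by default, would keep a later builder from defining INSECURE without knowing what it re-enables. A more specific name would also avoid colliding with an unrelated INSECURE define elsewhere in the build.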
310c311
< 
---
> #endif
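Review bot: the `#endif` at line 311 replaces the blank line at 310 and carries no label. With the matching `#ifdef` some twenty lines above it, `#endif /* INSECURE */` would make the pairing clear. The diff has no context lines, so it cannot be confirmed from what is shown that the guarded region covers all of the trace handling, or what happens to a received trace request once the block is compiled out. Please state whether such a packet is dropped silently or logged.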


-- Karl Denninger
karl@mcs.net
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: wollman 
State-Changed-When: Tue Sep 10 13:30:01 PDT 1996 
State-Changed-Why:  
I've looked into it and am communicating with the code's author. 


Responsible-Changed-From-To: freebsd-bugs->wollman 
Responsible-Changed-By: wollman 
Responsible-Changed-When: Tue Sep 10 13:30:01 PDT 1996 
Responsible-Changed-Why:  
My area. 
State-Changed-From-To: analyzed->closed 
State-Changed-By: wollman 
State-Changed-When: Mon Sep 16 10:10:50 PDT 1996 
State-Changed-Why:  
Feature disabled in latest version of routed. 
>Unformatted:
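A defensive check for the RIP TRACE requests this report describes, as an added example that is not part of the PR or of routed: it classifies a UDP port 520 payload and extracts the requested file name for logging only. The command codes are those of RFC 1058, which marks traceon and traceoff as obsolete and to be ignored. The function and type names are hypothetical, the sample payloads are constructed, and the file name is assumed to follow the 4-byte header directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RIP command codes from RFC 1058; 3 and 4 are the obsolete trace commands. */
enum { RIP_REQUEST = 1, RIP_RESPONSE = 2, RIP_TRACEON = 3, RIP_TRACEOFF = 4 };
enum rip_verdict { RIP_PASS, RIP_TRACE, RIP_MALFORMED };  /* hypothetical names */
#define RIP_HDR_LEN 4   /* command, version, two must-be-zero bytes */

/* Constructed sample payloads, not captured traffic. */
static const uint8_t sample_traceon[] = { 3, 1, 0, 0, 'e', 'x', '.', 'l', 'o', 'g', 0 };
static const uint8_t sample_response[] = { 2, 1, 0, 0 };

/*
 * Classify one RIP datagram. For a trace-on request, copy the file name that
 * follows the header (assumed layout) into name[], truncated to cap - 1 bytes
 * and with unprintable bytes replaced by '?', so it is safe to write to a log.
 * The name is only reported; nothing here opens or creates a file.
 */
enum rip_verdict rip_classify(const uint8_t *p, size_t len, char *name, size_t cap)
{
    if (cap)
        name[0] = '\0';
    if (p == NULL || len < RIP_HDR_LEN)
        return RIP_MALFORMED;
    if (p[0] != RIP_TRACEON && p[0] != RIP_TRACEOFF)
        return RIP_PASS;                 /* not a trace command */
    if (p[0] == RIP_TRACEON && cap) {
        size_t i, n = len - RIP_HDR_LEN;
        if (n > cap - 1)
            n = cap - 1;
        for (i = 0; i < n && p[RIP_HDR_LEN + i] != '\0'; i++) {
            uint8_t c = p[RIP_HDR_LEN + i];
            name[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
        }
        name[i] = '\0';
    }
    return RIP_TRACE;                    /* drop the packet and log the sender */
}

int main(void)
{
    char name[64];
    if (rip_classify(sample_traceon, sizeof sample_traceon, name, sizeof name) == RIP_TRACE)
        printf("trace request for \"%s\": drop and log\n", name);
    if (rip_classify(sample_response, sizeof sample_response, name, sizeof name) == RIP_PASS)
        printf("ordinary RIP response: pass to normal handling\n");
    return 0;
}
```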
