From rneswold@ameritech.net  Sun Jun 16 23:10:48 2002
Return-Path: <rneswold@ameritech.net>
Received: from mailhost.chi1.ameritech.net (mailhost1-chcgil.chcgil.ameritech.net [206.141.192.67])
	by hub.freebsd.org (Postfix) with ESMTP id 3E7FF37B439
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 16 Jun 2002 23:10:29 -0700 (PDT)
Received: from harpo.neswold.local ([67.36.186.192])
          by mailhost.chi1.ameritech.net
          (InterMail vM.4.01.02.17 201-229-119) with ESMTP
          id <20020617061025.KCBG9337.mailhost.chi1.ameritech.net@harpo.neswold.local>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Mon, 17 Jun 2002 01:10:25 -0500
Received: by harpo.neswold.local (Postfix, from userid 1000)
	id 074F61A9E1; Mon, 17 Jun 2002 01:10:24 -0500 (CDT)
Message-Id: <20020617061024.074F61A9E1@harpo.neswold.local>
Date: Mon, 17 Jun 2002 01:10:24 -0500 (CDT)
From: Rich Neswold <rneswold@ameritech.net>
Reply-To: Rich Neswold <rneswold@ameritech.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: firewall security loophole
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         39396
>Category:       kern
>Synopsis:       firewall security loophole
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 16 23:20:01 PDT 2002
>Closed-Date:    Wed Oct 01 00:07:52 PDT 2003
>Last-Modified:  Wed Oct 01 00:07:52 PDT 2003
>Originator:     Rich Neswold
>Release:        FreeBSD 4.5-RC i386
>Organization:
>Environment:
System: FreeBSD harpo.neswold.local 4.5-RC FreeBSD 4.5-RC #1: Sun Jan 27 02:26:46 CST 2002 toor@groucho.neswold.local:/usr/obj/usr/src/sys/HARPO i386

>Description:

    If you use the FreeBSD firewall and set your kernel security level to 3 (so
    that firewall rules cannot be changed), a malicious user who has gained root
    access can still circumvent the firewall by disabling it via kernel
    variables (i.e. net.inet.ip.fw.enable = 0).

>How-To-Repeat:

>Fix:

    The attached diffs change the firewall enable variable to have "secure"
    semantics.

Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /home/FreeBSD/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.33
diff -u -w -b -r1.131.2.33 ip_fw.c
--- sys/netinet/ip_fw.c 1 May 2002 21:30:05 -0000       1.131.2.33
+++ sys/netinet/ip_fw.c 3 May 2002 16:49:02 -0000
@@ -95,7 +95,7 @@
 
 #ifdef SYSCTL_NODE
 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
     &fw_enable, 0, "Enable ipfw");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, 
     &fw_one_pass, 0, 
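Review bot: CTLFLAG_SECURE on `enable` rejects writes whenever securelevel is above 0, not only at level 3 as the Description frames the problem, so the commit message or a comment next to the SYSCTL_INT should say that the knob becomes immutable as soon as the system leaves securelevel 0. The trailing context shows `one_pass` left as plain CTLFLAG_RW; if the intent is to keep root from altering ipfw behaviour once secure, that knob (which changes whether packets are re-evaluated by the rules after divert/pipe) should either get the same flag or a note on why it is excluded. Also, the diff was generated with `-w -b`, so expect patch(1) to need fuzz against a tree whose whitespace differs.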


Index: sys/netinet6/ip6_fw.c
===================================================================
RCS file: /home/FreeBSD/src/sys/netinet6/ip6_fw.c,v
retrieving revision 1.2.2.9
diff -u -w -b -r1.2.2.9 ip6_fw.c
--- sys/netinet6/ip6_fw.c       28 Apr 2002 05:40:27 -0000      1.2.2.9
+++ sys/netinet6/ip6_fw.c       3 May 2002 16:49:05 -0000
@@ -116,7 +116,7 @@
 #ifdef SYSCTL_NODE
 SYSCTL_DECL(_net_inet6_ip6);
 SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, enable, CTLFLAG_RW,
+SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
        &ip6_fw_enable, 0, "Enable ip6fw");
 SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, debug, CTLFLAG_RW, &fw6_debug, 0, "");
 SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw6_verbose, 0, "");
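Review bot: Same securelevel caveat as for ip_fw.c applies here, and the trailing context shows `debug` and `verbose` left CTLFLAG_RW: `verbose` is the knob that keeps ip6fw logging on, so with `enable` locked a root user at securelevel > 0 can still turn off the record of what the firewall rejects. Consider giving `verbose` CTLFLAG_SECURE in the same change, or stating why only `enable` is covered. The indentation of the continuation line (`        &ip6_fw_enable, ...`) is spaces here while the file uses tabs elsewhere; harmless with `-w -b`, but worth normalising before commit.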

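To make concrete what the Description reports and what the "secure" semantics in the Fix buy, here is an added userland model of the permission decision the kernel's sysctl code applies to a CTLFLAG_SECURE OID. It is written for this page and is not code from the FreeBSD tree; the flag values are assumed to be the ones in sys/sysctl.h of the 4.x branch (verify against your tree), and the rule modelled is that a CTLFLAG_SECURE knob refuses writes with EPERM whenever kern.securelevel is greater than 0. The table carries the knobs visible in both hunks, with their flags before and after the diff, so the output shows that `enable` becomes locked at securelevel 1 and above while `one_pass`, `debug` and `verbose` stay writable at every level.

```c
/*
 * Added illustration for PR kern/39396: a userland model of the
 * securelevel gate the FreeBSD kernel applies to CTLFLAG_SECURE sysctls.
 * Not kernel code; it reproduces only the write-permission decision.
 *
 * Assumptions: flag values match sys/sysctl.h on the 4.x branch, and a
 * CTLFLAG_SECURE OID rejects writes whenever securelevel > 0.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CTLFLAG_RD      0x80000000u
#define CTLFLAG_WR      0x40000000u
#define CTLFLAG_RW      (CTLFLAG_RD | CTLFLAG_WR)
#define CTLFLAG_SECURE  0x08000000u   /* assumed value, check sysctl.h */

/* Decide whether a write to an OID carrying `flags` is permitted. */
int model_sysctl_write(unsigned int flags, int securelevel)
{
    if (!(flags & CTLFLAG_WR))
        return EPERM;                 /* read-only knob */
    if ((flags & CTLFLAG_SECURE) && securelevel > 0)
        return EPERM;                 /* locked once the system is secure */
    return 0;
}

struct knob {
    const char *name;
    unsigned int before;   /* flags before the PR's diff */
    unsigned int after;    /* flags after the PR's diff */
};

/* Knobs visible in the two hunks; only the two `enable` entries change. */
static const struct knob knobs[] = {
    { "net.inet.ip.fw.enable",    CTLFLAG_RW, CTLFLAG_RW | CTLFLAG_SECURE },
    { "net.inet.ip.fw.one_pass",  CTLFLAG_RW, CTLFLAG_RW },
    { "net.inet6.ip6.fw.enable",  CTLFLAG_RW, CTLFLAG_RW | CTLFLAG_SECURE },
    { "net.inet6.ip6.fw.debug",   CTLFLAG_RW, CTLFLAG_RW },
    { "net.inet6.ip6.fw.verbose", CTLFLAG_RW, CTLFLAG_RW },
};
#define NKNOBS (sizeof knobs / sizeof knobs[0])

/*
 * Result of a write to the named knob: 0 if allowed, EPERM if refused,
 * ENOENT if the knob is not in the table. `patched` selects the flags
 * after (1) or before (0) the diff.
 */
int knob_write_result(const char *name, int patched, int securelevel)
{
    size_t i;
    for (i = 0; i < NKNOBS; i++) {
        if (strcmp(knobs[i].name, name) == 0)
            return model_sysctl_write(patched ? knobs[i].after
                                              : knobs[i].before, securelevel);
    }
    return ENOENT;
}

int main(void)
{
    int level;
    size_t i;
    for (level = 0; level <= 3; level++) {
        for (i = 0; i < NKNOBS; i++) {
            printf("securelevel=%d %-26s before: %-5s after: %s\n", level,
                   knobs[i].name,
                   model_sysctl_write(knobs[i].before, level) ? "EPERM" : "ok",
                   model_sysctl_write(knobs[i].after, level) ? "EPERM" : "ok");
        }
    }
    return 0;
}
```

The table is the useful part: a defender deciding which knobs deserve CTLFLAG_SECURE can add rows for any other sysctl that changes filtering or logging behaviour and see at a glance which ones remain root-writable at the securelevel the host runs at.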
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: cjc 
State-Changed-When: Mon Jun 17 22:00:11 PDT 2002 
State-Changed-Why:  
Yeah, yeah, this is an ancient and well-known security hole. But since
securelevel(8) is kinda a joke, no one has bothered to fix it. It's
simple enough to get this category of sysctl(8) knobs locked up.


Responsible-Changed-From-To: freebsd-bugs->cjc 
Responsible-Changed-By: cjc 
Responsible-Changed-When: Mon Jun 17 22:00:11 PDT 2002 
Responsible-Changed-Why:  
I'll take this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39396 
State-Changed-From-To: analyzed->patched 
State-Changed-By: cjc 
State-Changed-When: Sat Aug 24 20:50:55 PDT 2002 
State-Changed-Why:  
Patched in -CURRENT. MFC after a week. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39396 

From: Colin Percival <colin.percival@wadham.ox.ac.uk>
To: freebsd-gnats-submit@FreeBSD.org, rneswold@ameritech.net,
	cjc@FreeBSD.org
Cc:  
Subject: Re: kern/39396: firewall security loophole
Date: Tue, 04 Feb 2003 21:52:27 +0000

    It looks like the patch to ip6_fw.c was applied, but the patch to
    ip_fw.c wasn't -- and the MFC is about six months overdue as well.
    Could someone (cjc?) deal with this?

    Thanks,
    Colin Percival
 
Responsible-Changed-From-To: cjc->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Tue 30 Sep 2003 17:49:17 PDT 
Responsible-Changed-Why:  
I'll field this with RE and SO. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39396 
State-Changed-From-To: patched->closed 
State-Changed-By: bms 
State-Changed-When: Wed 1 Oct 2003 00:07:25 PDT 
State-Changed-Why:  
Approved by re (rwatson) and committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39396 
>Unformatted:
