From owner-freebsd-bugs@FreeBSD.ORG Thu Dec 28 13:30:16 2006
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Message-Id: <200612281322.kBSDMCdY084358@www.freebsd.org>
Date: Thu, 28 Dec 2006 13:22:12 GMT
From: Philipp Wuensche
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/107278: Possible DoS when using the jail_interface option in rc.conf introduced with 6.2

>Number: 107278
>Category: conf
>Synopsis: Possible DoS when using the jail_interface option in rc.conf introduced with 6.2
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 28 13:30:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Philipp Wuensche
>Release: 6.2-RC2
>Organization:
>Environment: FreeBSD deny.h3q.com 6.2-RC2 FreeBSD 6.2-RC2 #18: Sun Dec 24 15:10:47 UTC 2006 root@deny.h3q.com:/usr/obj/usr/src/sys/GENERIC i386
>Description:
When a jail is configured with the jail_interface option in rc.conf, rc.d/jail will automatically configure and unconfigure the IP alias for the jail when starting and stopping it. There is a routine, called when the jail fails to start, which unconfigures that IP alias from the network interface. The jail_ip variable referenced in this routine is the wrong name and is therefore empty, so ifconfig is called without an address and unconfigures the first IP address of the interface instead of the jail's alias.

This could be used for a DoS attack on the system from within the jail, removing the first IP address on the network interface. Most of the time this address is the one used to reach the FreeBSD system, or it is the alias used to reach the default router.

(I already mentioned this to the secteam and we agreed to open just a PR because it is already mentioned on the freebsd-stable and -rc mailing lists.)
>How-To-Repeat: Configure a jail on a FreeBSD 6.2-RC2 system with at least two IP aliases on the network interface, configure this network interface in the jail_interface option, and try to start the jail with a syntax error in the jail's rc.conf.
>Fix: --- /usr/src/etc/rc.d/jail Tue Jun 6 15:04:39 2006 +++ /etc/rc.d/jail Sun Dec 24 13:18:34 2006 @@ -229,7 +229,7 @@ else jail_umount_fs if [ -n "${jail_interface}" ]; then - ifconfig ${jail_interface} -alias ${jail_ip} + ifconfig ${_interface} -alias ${_ip} fi echo " cannot start jail \"${_jail}\": " tail +2 ${_tmp_jail}
>Release-Note:
>Audit-Trail:
>Unformatted:
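Review bot: the guard on the unchanged context line just above the change still tests `${jail_interface}` while the command it protects now uses `${_interface}` and `${_ip}`; since the failure path evidently has only the `_`-prefixed variables populated (which is why `${jail_ip}` expanded to empty and `ifconfig` stripped the interface's first address), the `if [ -n "${jail_interface}" ]; then` test should probably become `if [ -n "${_interface}" ]; then` as well, otherwise the guard and the command it protects decide on different variables. It would also be worth refusing the `-alias` call when the address is empty, e.g. `if [ -n "${_interface}" ] && [ -n "${_ip}" ]; then`, so that any future variable mix-up in this cleanup routine fails safe instead of removing the primary address again.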
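The empty-variable failure mode described in the PR, as an added example that is not part of rc.d/jail or of this report: a POSIX sh helper that stubs `ifconfig` (so it runs without touching real interfaces) and refuses to issue `ifconfig <if> -alias` when the address argument is empty. The function name `unconfigure_jail_alias`, the `demo` function, and the sample interface `em0` and address `192.0.2.10` are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from rc.d/jail or from the PR.
# ifconfig is stubbed so the example runs without touching real interfaces;
# the stub only echoes the command line it would have executed.
ifconfig() {
    echo "ifconfig $*"
}

# unconfigure_jail_alias <interface> <ip>
# Removes the jail's alias from the interface. Refuses to run (returns 1)
# when either argument is empty: "ifconfig em0 -alias" with no address
# removes the interface's first address, which is the failure in the PR.
unconfigure_jail_alias() {
    if [ -z "$1" ]; then
        echo "unconfigure_jail_alias: interface name is empty, not running ifconfig" >&2
        return 1
    fi
    if [ -z "$2" ]; then
        echo "unconfigure_jail_alias: no address given for $1, not running ifconfig -alias" >&2
        return 1
    fi
    ifconfig "$1" -alias "$2"
}

# Shows the two call shapes from the PR: the unpatched cleanup path expands
# jail_ip to an empty string, the patched path passes the _ip variable that
# actually holds the jail's address. All sample values are constructed.
demo() {
    jail_interface="em0"
    jail_ip=""            # empty in the failing cleanup routine
    _interface="em0"
    _ip="192.0.2.10"

    echo "unpatched call would expand to: ifconfig ${jail_interface} -alias ${jail_ip}"
    unconfigure_jail_alias "${jail_interface}" "${jail_ip}" \
        || echo "guard refused the empty-address call"
    unconfigure_jail_alias "${_interface}" "${_ip}"
}

demo
```

The guard checks both arguments rather than trusting the caller, so a renamed or unset variable in the calling script produces a logged refusal instead of a silent change to the interface's primary address.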