conf/107278: Possible DoS when using the jail_interface option in rc.conf introduced with 6.2

Philipp Wuensche cryx-freebsd at h3q.com
Thu Dec 28 05:30:16 PST 2006 

>Number:         107278
>Category:       conf
>Synopsis:       Possible DoS when using the jail_interface option in rc.conf introduced with 6.2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 28 13:30:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Philipp Wuensche
>Release:        6.2-RC2
>Organization:
>Environment:
FreeBSD deny.h3q.com 6.2-RC2 FreeBSD 6.2-RC2 #18: Sun Dec 24 15:10:47 UTC 2006     root at deny.h3q.com:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
When a jail is configured with the jail_interface option in rc.conf,
rc.d/jail will automaticly configure and unconfigure the ipaddr-alias
for the jail when starting and stopping it.

There is a routine which is called if the jail fails to start which
unconfigures the ipaddr-alias from the network interface. The jail_ip
variables in this routine is wrong and therefore empty, leading to
ifconfig getting called without a specified ipaddr. and therefore
unconfiguring the first ipaddr. of the interface.

This could lead to a DoS attack onto the system from within the jail
removing the first ipaddr. on the network interface. Most of the time,
this ipaddr. is used for access to the FreeBSD system or the
ipaddr-alias used to reach the default-router.

(I already mentioned this to the secteam and we agreed to open just an PR because it is already mentioned on the freebsd-stable and -rc mailinglists.)
>How-To-Repeat:
Configure a jail on a FreeBSD 6.2-RC2 system with at least two
ipaddr-aliases on the network interface, configure this network
interface in the jail_interface option and try to start the jail with an
syntax error within the jails rc.conf.
>Fix:
--- /usr/src/etc/rc.d/jail      Tue Jun  6 15:04:39 2006
+++ /etc/rc.d/jail      Sun Dec 24 13:18:34 2006
@@ -229,7 +229,7 @@
                        else
                                jail_umount_fs
                                if [ -n "${jail_interface}" ]; then
-                                       ifconfig ${jail_interface} -alias ${jail_ip}
+                                       ifconfig ${_interface} -alias ${_ip}
                                fi
                                echo " cannot start jail \"${_jail}\": "
                                tail +2 ${_tmp_jail}
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list