Red Hat Bugzilla – Bug 83685
uml_net executable allows users to do bad things
Last modified: 2007-04-18 12:50:48 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22smp i686; en-US; m18)
Description of problem:
The uml_net binary that installs as part of the kernel-utils package in redhat 8
is setuid root.
It can be crashed with a negative version number (doesn't look exploitable to
me), and can be used by local (unprivileged) users to up/down certain
interfaces, add and remove arp entries and routes, and put interfaces in and out
of promiscuous mode.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Check eth0 is not in promisc mode
2. As a local user try 'uml_net 4 ethertap eth0 crap promisc'
3. Re-check step 1
Actual Results: IF goes into promisc mode
Expected Results: Permission denied?
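Added audit helper, not part of the bug report and not from the kernel-utils package: a POSIX shell snippet an administrator could use to check whether uml_net is installed setuid (the condition the report describes) and whether an interface carries the IFF_PROMISC flag, which is what steps 1 and 3 above check by hand. The install path /usr/bin/uml_net and the /sys/class/net/<iface>/flags sysfs file are assumptions; sysfs did not exist on the 2.4 kernels Red Hat 8 shipped, so on such a system the flags would have to come from ifconfig output instead.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or from kernel-utils).
# Assumptions: Linux with sysfs (/sys/class/net/<iface>/flags), a POSIX sh,
# and uml_net installed at /usr/bin/uml_net.

# IFF_PROMISC is bit 0x100 of the interface flags word (linux/if.h).
IFF_PROMISC=256

# flags_promisc HEXFLAGS: succeed if the promiscuous bit is set in a
# hex flags word as read from /sys/class/net/<iface>/flags (e.g. 0x1103).
flags_promisc() {
    f=$(( $1 ))
    [ $(( f & IFF_PROMISC )) -ne 0 ]
}

# iface_promisc IFACE: read the live flags for IFACE and test them.
# Reading the flags file needs no privilege, so this works for step 1/3.
iface_promisc() {
    flags_promisc "$(cat "/sys/class/net/$1/flags")"
}

# mode_setuid OCTALMODE: succeed if the setuid bit (04000) is set in an
# octal mode string such as "4755" (what `stat -c %a` prints).
mode_setuid() {
    m=$(( 0$1 ))
    [ $(( m & 04000 )) -ne 0 ]
}

# audit_uml_net [PATH]: report whether the binary is installed setuid.
# Exit status 0 means "setuid bit present" so a caller can act on it.
audit_uml_net() {
    p=${1:-/usr/bin/uml_net}
    if [ ! -e "$p" ]; then
        echo "$p: not installed"
        return 1
    fi
    if [ -u "$p" ]; then
        echo "$p: setuid bit set, usable by unprivileged users (consider chmod u-s)"
        return 0
    fi
    echo "$p: not setuid"
    return 1
}

# Usage:
#   audit_uml_net
#   iface_promisc eth0 && echo "eth0 is in promiscuous mode"
```

Until the errata package is installed, clearing the setuid bit with chmod u-s on the binary removes the unprivileged path to the interface, ARP and routing changes the report lists; iface_promisc can then be run before and after to confirm the interface state no longer changes.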
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.