1998-10-17 00:00:00 +00:00
|
|
|
SECURITY ISSUES RELATED TO MTR
|
|
|
|
|
2015-10-01 17:28:10 +00:00
|
|
|
mtr requires extra privileges to send custom packets, and there are
|
|
|
|
security implications from granting this.
|
|
|
|
|
|
|
|
There are several different ways to provide the privileges:
|
|
|
|
|
|
|
|
1. Add limited privileges on systems that support this. (Preferred.)
|
|
|
|
2. Run mtr as the root user.
|
|
|
|
3. Make mtr a setuid-root binary.
|
|
|
|
|
|
|
|
Details:
|
|
|
|
|
|
|
|
1. Add limited privileges on systems that support this.
|
|
|
|
|
|
|
|
Some operating systems allow binaries to be run with only the subset
|
|
|
|
of security privileges that are actually needed.
|
|
|
|
|
|
|
|
Linux:
|
|
|
|
On Linux, privileges are known as capabilities. The only additional
|
|
|
|
capability that mtr needs is cap_net_raw. To give this capability
|
|
|
|
to the mtr binary, run the following command as root:
|
|
|
|
|
|
|
|
# setcap cap_net_raw+ep mtr
|
|
|
|
|
|
|
|
|
|
|
|
2. Run mtr as the root user.
|
|
|
|
|
1998-10-28 00:00:00 +00:00
|
|
|
You can limit mtr usage to the root user by not putting a setuid bit
|
|
|
|
on the mtr binary. In that case, the security implications are
|
2015-10-01 17:28:10 +00:00
|
|
|
minimal.
|
1998-10-28 00:00:00 +00:00
|
|
|
|
|
|
|
|
2015-10-01 17:28:10 +00:00
|
|
|
3. Make mtr a setuid-root binary.
|
|
|
|
|
|
|
|
The mtr binary can be made setuid-root, which is what "make install"
|
|
|
|
does by default.
|
|
|
|
|
|
|
|
When mtr is installed as suid-root, some concern over security is
|
2013-08-07 10:41:18 +00:00
|
|
|
justified. Since version 0.21, mtr does the following two things
|
1998-10-17 00:00:00 +00:00
|
|
|
after it is launched:
|
|
|
|
|
|
|
|
* mtr requests a pair of raw sockets from the kernel.
|
2013-08-07 10:41:18 +00:00
|
|
|
* mtr drops root privileges by setting the effective uid to match
|
|
|
|
uid or the user calling mtr.
|
1998-10-17 00:00:00 +00:00
|
|
|
|
|
|
|
See main() in mtr.c and net_preopen() in net.c for the details of this
|
2013-08-07 10:41:18 +00:00
|
|
|
process. Note that no code from GTK+ or curses is executed before
|
|
|
|
dropping root privileges.
|
1998-10-17 00:00:00 +00:00
|
|
|
|
|
|
|
This should severely limit the possibilities of using mtr to breach
|
2016-01-04 11:42:23 +00:00
|
|
|
system security. This means the worst case scenario is as follows:
|
1998-10-17 00:00:00 +00:00
|
|
|
|
|
|
|
Due to some oversight in the mtr code, a malicious user is able to
|
|
|
|
overrun one of mtr's internal buffers with binary code that is
|
|
|
|
eventually executed. The malicious user is still not able to read
|
|
|
|
from or write to any system files which they wouldn't normally have
|
2016-01-04 11:42:23 +00:00
|
|
|
permission to read or write to, respectively. The only privilege
|
2013-08-07 10:41:18 +00:00
|
|
|
gained is access to the raw socket descriptors, which would allow
|
|
|
|
the malicious user to listen to all ICMP packets arriving at the
|
|
|
|
system, and to send forged packets with arbitrary contents.
|
1998-10-17 00:00:00 +00:00
|
|
|
|
2013-02-05 15:56:38 +00:00
|
|
|
The mtr-code does its best to prevent calling of external library
|
|
|
|
code before dropping privileges. It seems that C++ library code has
|
|
|
|
the ability to issue a "please execute me before calling main" to the
|
|
|
|
loader/linker. That would mean that we're still vulnerable to
|
|
|
|
errors in that code. This is why I would prefer to drop the backends,
|
|
|
|
have mtr-core always run in "raw" mode, and have the backends interpret
|
|
|
|
the output from the mtr-core. Maybe a nice project for a college-level
|
2013-08-07 10:41:18 +00:00
|
|
|
student.
|
2013-02-05 15:56:38 +00:00
|
|
|
|
2015-10-01 17:28:10 +00:00
|
|
|
|
1998-10-17 00:00:00 +00:00
|
|
|
If you have further questions or comments about security issues,
|
2015-10-01 17:28:10 +00:00
|
|
|
please see the README file for details on how to submit them.
|