author: deraadt <deraadt@openbsd.org> 2015-10-03 00:53:13 +0000
committer: deraadt <deraadt@openbsd.org> 2015-10-03 00:53:13 +0000
commit: 6329e3323d2226cdb5dbc0edd7f877ee33ce82df
tree: 90d67d7535ea94daf518ea2a5e1e89645f8b2394 /usr.bin/patch/patch.c
parent: tcpdump is two-process privsep.
ping6 is a setuid root priv-drop which holds a sockraw. we can tame it substantially with "stdio inet", plus "dns" if the -n option is missing. a successful exploit against it then cannot create files, or perform a variety of other operations, as described in the tame(2) man page. ping6 is a bit trickier than ping, because it uses recvmsg() with CMSG types of IPV6_HOPOPTS, IPV6_DSTOPTS, IPV6_RTHDRDSTOPTS, IPV6_RTHDR. there is further work to do in the kernel, with claudio! work with florian a while back, which involved hoisting lots of initialization code upwards.
ok doug
Diffstat (limited to 'usr.bin/patch/patch.c')
0 files changed, 0 insertions, 0 deletions