8770609 2002-07-25 00:20 +0400 /22 lines/ Ricardo Branco <97-29312@ldc.usb.ve>
Sent by: joel@lysator.liu.se
Imported: 2002-07-24 23:46 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23227>
Subject: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Ricardo Branco <97-29312@ldc.usb.ve>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.GSO.4.32.0207250011340.5286-100000@korba.ldc.usb.ve>

This affects Linux 2.2 and 2.4

Using libpcap to put the interface in promiscuous mode, will cause that
ifconfig(8) doesn't show it!

libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
PACKET_MR_PROMISC to set the interface in promiscuous mode.

I notified this to the tcpdump-workers mailing list and the problem is
that the setsockopt() sets the promisc flag in a variable that is not the
same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the
kernel source right now to make this advisory more precise.

Well, sorry for my not-so-good english
Enjoy
(8770609) /Ricardo Branco <97-29312@ldc.usb.ve>/(Rewrapped)
Comment in text 8773837 by Paul Starzetz <paul@starzetz.de>
Comment in text 8773840 by Glynn Clements <glynn.clements@virgin.net>
Comment in text 8773875 by Frédéric Raynal <frederic.raynal@inria.fr>
Comment in text 8773904 by Ademar de Souza Reis Jr.
<ademar@conectiva.com.br>

8773837 2002-07-25 11:39 +0200 /26 lines/ Paul Starzetz <paul@starzetz.de>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25 19:10 by Brevbäraren
External recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23248>
Comment on text 8770609 by Ricardo Branco <97-29312@ldc.usb.ve>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Paul Starzetz <paul@starzetz.de>
To: Ricardo Branco <97-29312@ldc.usb.ve>, bugtraq@securityfocus.com
Message-ID: <3D3FC73D.4080100@starzetz.de>

Ricardo Branco wrote:

>This affects Linux 2.2 and 2.4
>
>Using libpcap to put the interface in promiscuous mode, will cause that
>ifconfig(8) doesn't show it!
>
>
This is an old issue (noticed this nearly 2 years ago...) but can be
contributed to 'bad' userspace tools.

>libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
>PACKET_MR_PROMISC to set the interface in promiscuous mode.
>
>
The interesting thing is that the PF_PACKET sockets are also not reported
by netstat. Anyway this should be fixed.
/ih
(8773837) /Paul Starzetz <paul@starzetz.de>/--------

8773840 2002-07-25 04:50 +0100 /28 lines/ Glynn Clements <glynn.clements@virgin.net>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25 19:11 by Brevbäraren
External recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23249>
Comment on text 8770609 by Ricardo Branco <97-29312@ldc.usb.ve>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Glynn Clements <glynn.clements@virgin.net>
To: Ricardo Branco <97-29312@ldc.usb.ve>
Cc: <bugtraq@securityfocus.com>
Message-ID: <15679.30075.748098.171790@cerise.nosuchdomain.co.uk>

Ricardo Branco wrote:

> Using libpcap to put the interface in promiscuous mode, will cause that
> ifconfig(8) doesn't show it!
>
> libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> PACKET_MR_PROMISC to set the interface in promiscuous mode.
>
> I notified this to the tcpdump-workers mailing list and the problem is
> that the setsockopt() sets the promisc flag in a variable that is not the
> same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the
> kernel source right now to make this advisory more precise.
This issue was discussed extensively on the linux-net list back in
February, in the thread entitled "IFF_PROMISC bug?":

    http://marc.theaimsgroup.com/?t=101356558000002&r=1&w=2

-- 
Glynn Clements <glynn.clements@virgin.net>
(8773840) /Glynn Clements <glynn.clements@virgin.net>/

8773875 2002-07-25 08:09 +0200 /72 lines/ Frédéric Raynal <frederic.raynal@inria.fr>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25 19:17 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23251>
Comment on text 8770609 by Ricardo Branco <97-29312@ldc.usb.ve>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Frédéric Raynal <frederic.raynal@inria.fr>
To: bugtraq@securityfocus.com
Message-ID: <20020725080944.A14261@minimum.inria.fr>

Hello,

This is a well known issue and C. Grenier and I have understood why
very recently.

In fact, this is due to the changing of the handling of promiscuous mode
in kernel space.

With kernel 2.0, one had to perform the following to set the interface
to promiscuous mode:

    strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);
    ioctl(sock, SIOCGIFFLAGS, &ifr);
    ifr.ifr_flags |= IFF_PROMISC;
    ioctl(sock, SIOCSIFFLAGS, &ifr);

The trouble was that the promiscuous mode was handled by a flag. Each
time a process sets this mode, the flag is set. But if another process
removes this mode, the flag is cleared. Rather bad behavior.

Since kernel 2.2, a process must ask to enter in a membership of
process (setsockopt(..., PACKET_ADD_MEMBERSHIP,...)) using the
interface in promiscuous mode. A counter is then increased. Once a
process of the membership does not need the promiscuous mode anymore,
it drops the membership (setsockopt(..., PACKET_DROP_MEMBERSHIP, ...))
the counter is decreased, and promiscuous mode is disabled as soon as
the counter is 0.

    struct packet_mreq mr;
    ...
    memset(&mr,0,sizeof(mr));
    mr.mr_ifindex = ifr.ifr_ifindex;
    mr.mr_type = PACKET_MR_PROMISC;
    setsockopt(sock, SOL_PACKET, PACKET_ADD_MEMBERSHIP,
               (char *)&mr, sizeof(mr));

The call to ioctl(SIOCGIFFLAGS) reports only promiscuous mode sets by
ioctl(SIOCSIFFLAGS).

-- 
Frederic RAYNAL, Ph.D. http://minimum.inria.fr/~raynal
Chief Editor of M.I.S.C.
Multi-Systems & Internet Security Cookbook

On Thu, Jul 25, 2002 at 12:20:19AM +0400, Ricardo Branco wrote:
>
> This affects Linux 2.2 and 2.4
>
> Using libpcap to put the interface in promiscuous mode, will cause that
> ifconfig(8) doesn't show it!
>
> libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> PACKET_MR_PROMISC to set the interface in promiscuous mode.
>
> I notified this to the tcpdump-workers mailing list and the problem is
> that the setsockopt() sets the promisc flag in a variable that is not the
> same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the
> kernel source right now to make this advisory more precise.
>
> Well, sorry for my not-so-good english
> Enjoy
>
(8773875) /Frédéric Raynal <frederic.raynal@inria.fr>/(Rewrapped)
Comment in text 8774363 by Casper Dik <Casper.Dik@Sun.COM>

8774363 2002-07-25 20:29 +0200 /28 lines/ Casper Dik <Casper.Dik@Sun.COM>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25 22:00 by Brevbäraren
External recipient: Frédéric Raynal <frederic.raynal@inria.fr>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23254>
Comment on text 8773875 by Frédéric Raynal <frederic.raynal@inria.fr>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Casper Dik <Casper.Dik@Sun.COM>
To: Frédéric Raynal <frederic.raynal@inria.fr>
Cc: bugtraq@securityfocus.com
Message-ID: <200207251829.UAA27802@romulus.Holland.Sun.COM>

>The call to ioctl(SIOCGIFFLAGS) reports only promiscuous mode sets by
>ioctl(SIOCSIFFLAGS).
This is the same reason why Promiscuous mode is never reported by
"ifconfig" in Solaris 2.0 and later.

In Solaris, ifconfig primarily (or perhaps only) deals with the "IP
(or other network stack) plumbing" on devices; in that context the
"promiscuous" flag has no meaning either.

A number of Solaris device drivers export the fact whether they're
promiscuous using the "kstat" (kernel statistics) interface;
unfortunately not all devices support that yet.

    $ kstat -p :::promisc
    elxl:0:elxl0:promisc off

We need to fix this for most SPARC hardware still.

Casper
(8774363) /Casper Dik <Casper.Dik@Sun.COM>/(Rewrapped)

8773904 2002-07-25 09:40 -0300 /91 lines/ Ademar de Souza Reis Jr. <ademar@conectiva.com.br>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25 19:23 by Brevbäraren
External recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23252>
Comment on text 8770609 by Ricardo Branco <97-29312@ldc.usb.ve>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: "Ademar de Souza Reis Jr." <ademar@conectiva.com.br>
To: Ricardo Branco <97-29312@ldc.usb.ve>
Cc: bugtraq@securityfocus.com
Message-ID: <20020725124050.GA9854@conectiva.com.br>

On Thu, Jul 25, 2002 at 12:20:19AM +0400, Ricardo Branco wrote:
>
> This affects Linux 2.2 and 2.4
>
> Using libpcap to put the interface in promiscuous mode, will cause that
> ifconfig(8) doesn't show it!
>
> libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> PACKET_MR_PROMISC to set the interface in promiscuous mode.
>
> I notified this to the tcpdump-workers mailing list and the problem is
> that the setsockopt() sets the promisc flag in a variable that is not the
> same as the one that the SIOCGIFFLAGS ioctl() reads. I don't have the
> kernel source right now to make this advisory more precise.

I noticed it some time ago and did a little research to discover why
this happens.
There are some results/discussion in our bugzilla:
http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=5201
(I'm sorry some parts of this page are in Brazilian Portuguese)

This subject was already discussed in the linux-kernel mailing list:

PACKET_MR_PROMISC doesn't set IFF_PROMISC
http://www.uwsg.iu.edu/hypermail/linux/kernel/0101.2/1349.html

Misreporting of the PROMISC flag
http://www.uwsg.iu.edu/hypermail/linux/kernel/9705.2/0284.html

And in the tcpdump-workers list:

[tcpdump-workers] concerns about tcpdump
http://www.tcpdump.org/lists/workers/2001/01/msg00192.html

Re: [tcpdump-workers] concerns about tcpdump
http://www.tcpdump.org/lists/workers/2001/01/msg00184.html

Transcripting some interesting parts of the message above:

...
"This means that only promiscuity requested by SIOCSIFFLAGS will show
up in SIOCGIFFLAGS, not promiscuity requested by PACKET_MR_PROMISC."
...
"
> IFF_PROMISC is not set,

It's not supposed to be set.

The correct way to put into promiscuous mode the device to which a
PF_PACKET socket is to do a SOL_PACKET/PACKET_ADD_MEMBERSHIP
"setsockopt()" call with PACKET_MR_PROMISC as the argument (see the
"packet(7)" man page), and that's what libpcap is doing.

The old way of directly setting IFF_PROMISC had problems -
[...]
...

And in other message (same thread):
"
Just to make things clear: the >= 2.2 kernels have a new way of
setting promiscuous mode via setsockopt(). We use this since a few
month in pcap. It has the advantage of thread-safeness. The usage of
ioctl() is depreciated. ifconfig doesn't show the flag, b/c kernel
filters it out. Don't know why. Administrators should note that they
don't see sniffers anymore on >= 2.2 kernels!
"

Although I think fixing ifconfig would be a good thing(TM), it's
considered obsolete. Use the "ip" utility instead.

Cheers.
 - Ademar

-- 
Ademar de Souza Reis Jr. <ademar@conectiva.com.br>
Conectiva S/A - http://www.conectiva.com

^[:wq!
(8773904) /Ademar de Souza Reis Jr.
<ademar@conectiva.com.br>/(Rewrapped)

8770843 2002-07-25 01:06 +0200 /76 lines/ Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25 01:27 by Brevbäraren
External recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23232>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
To: Ricardo Branco <97-29312@ldc.usb.ve>
Cc: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.44.0207250101220.19904-100000@grignard.amagerkollegiet.dk>

On Thu, 25 Jul 2002, Ricardo Branco wrote:

> This affects Linux 2.2 and 2.4
>
> Using libpcap to put the interface in promiscuous mode, will cause that
> ifconfig(8) doesn't show it!
>
> libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> PACKET_MR_PROMISC to set the interface in promiscuous mode.

I can confirm that with 2.4.19-rc3.
When using tcpdump (with libpcap), ifconfig does not report, that the
interface is in promiscuous mode:

root@grignard:~# tcpdump -n -i eth0 > /dev/null &
[1] 20101
tcpdump: listening on eth0
root@grignard:~# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:90:27:A6:63:DC
          inet addr:172.16.0.130  Bcast:172.31.255.255  Mask:255.240.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1848637 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2654247 errors:0 dropped:0 overruns:0 carrier:0
          collisions:34909 txqueuelen:100
          RX bytes:231541983 (220.8 MiB)  TX bytes:3666205284 (3.4 GiB)
          Interrupt:10 Base address:0xb000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:101208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:101208 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:32332341 (30.8 MiB)  TX bytes:32332341 (30.8 MiB)

root@grignard:~# uname -a
Linux grignard 2.4.19-rc3 #1 lør jul 20 04:06:23 CEST 2002 i686 unknown
root@grignard:~#

tcpdump does use libpcap here, and it does set eth0 in promiscuous mode:

moffe@grignard:~# ldd /usr/sbin/tcpdump
        libpcap.so.0 => /usr/lib/libpcap.so.0 (0x4001e000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40039000)
        libc.so.6 => /lib/libc.so.6 (0x4004e000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
moffe@grignard:/tmp# dpkg -l libpcap0 tcpdump net-tools
Ønsket=Ukendt/Installér/Fjern/Udrens/Tilbagehold
| Status=Ikke/Installeret/Opsæt.-files/Upakket/Opsætn.-fejl/Halvt-inst.
|/ Fjl?=(ingen)/Tilbageholdt/Geninst.-krævet/X=begge-dele (Status,Fjl: versaler=slemt)
||/ Navn           Version        Beskrivelse
+++-==============-==============-============================================
ii  libpcap0       0.6.2-2        System interface for user-level packet captu
ii  tcpdump        3.6.2-2.0.1    A powerful tool for network monitoring and d
ii  net-tools      1.60-4         The NET-3 networking toolkit
moffe@grignard:~# dmesg
[...]
device eth0 entered promiscuous mode
device eth0 left promiscuous mode

/Rasmus

-- 
-- [ Rasmus "Møffe" Bøg Hansen ] ---------------------------------------
Don't you hate yourself in the morning?
                    - Sleep till noon!
----------------------------------[ moffe at amagerkollegiet dot dk ] --
(8770843) /Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>/(Rewrapped)
Comment in text 8770859 by <plattner@caltech.edu>

8770859 2002-07-24 18:21 -0500 /43 lines/ <plattner@caltech.edu>
Sent by: joel@lysator.liu.se
Imported: 2002-07-25 01:43 by Brevbäraren
External recipient: Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
External CC recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23233>
Comment on text 8770843 by Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
Subject: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
From: plattner@caltech.edu
To: Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
Cc: Ricardo Branco <97-29312@ldc.usb.ve>, bugtraq@securityfocus.com
Message-ID: <20020724232146.GA23775@aaron.homeip.net>

On Thu, Jul 25, 2002 at 01:06:02AM +0200, Rasmus Bøg Hansen wrote:
> On Thu, 25 Jul 2002, Ricardo Branco wrote:
>
> > This affects Linux 2.2 and 2.4
> >
> > Using libpcap to put the interface in promiscuous mode, will cause that
> > ifconfig(8) doesn't show it!
> >
> > libpcap uses setsockopt(..., SOL_PACKET, PACKET_ADD_MEMBERSHIP, ...) with
> > PACKET_MR_PROMISC to set the interface in promiscuous mode.
>
> I can confirm that with 2.4.19-rc3. When using tcpdump (with libpcap),
> ifconfig does not report, that the interface is in promiscuous mode:

ip (from iproute2), however, DOES report interfaces that are promiscuous:

aaron root # tethereal -n -i eth0 > /dev/null &
[2] 23793
aaron root # Capturing on eth0
ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:20:78:02:00:00
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::220:78ff:fe02:0/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:371623 errors:0 dropped:0 overruns:0 frame:0
          TX packets:396584 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:131646171 (125.5 Mb)  TX bytes:128753858 (122.7 Mb)
          Interrupt:12 Base address:0xd000

aaron root # ip link ls dev eth0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:20:78:02:00:00 brd ff:ff:ff:ff:ff:ff
aaron root # ldd /usr/bin/tethereal | grep pcap
        libpcap.so.0 => /usr/lib/libpcap.so.0 (0x40143000)
aaron root #
(8770859) /<plattner@caltech.edu>/--------(Rewrapped)
Attachment (application/pgp-signature) in text 8770860
Comment in text 8773905 by <quentyn@fotango.com>

8770860 2002-07-24 18:21 -0500 /8 lines/ <plattner@caltech.edu>
Imported: 2002-07-25 01:43 by Brevbäraren
External recipient: Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
External CC recipient: Ricardo Branco <97-29312@ldc.usb.ve>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <23234>
Attachment (text/plain) to text 8770859
Subject: Attachment to: Re: Interface promiscuity obscurity in Linux
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9PzaJ5lBcW90Nc7oRAuQBAKCqbBbfKTjXXfjrdaGbhu/+v+eCQQCgiyJY
Fb+uzwPD8UuRTEOZOAF/4tI=
=USRz
-----END PGP SIGNATURE-----
(8770860) /<plattner@caltech.edu>/------------------