Bugtraq mailing list archives
Re: sing (debian) vulnerability?
From: Moritz Muehlenhoff <jmm () debian org>
Date: Tue, 4 Dec 2007 22:11:46 +0100
Milen Rangelov wrote:
> The sing utility (Send Nasty ICMP Garbage) is a ping replacement that allows sending ICMP packets with spoofed source and custom ICMP types/codes (http://sourceforge.net/projects/sing). The debian package provides sing as a suid binary (actually, the sid distribution asks the user whether he'd like it installed suid, I'm not 100% sure, but in etch, it installs it suid, anyway, should check).

Thanks for bringing this to our attention.
However, the above statement is not correct. Both the sing packages in
Debian oldstable (Sarge) and Debian stable (Etch) do not provide a setuid
root binary by default. The override status is handled by debconf and
defaults to no:
| For 'sing' to work for non-root users, it needs to be suid.
|
| Please keep in mind that making 'sing' suid, allows non-root users to
| send spoofed ICMP messages from your machine.
|
| If you don't know what that means, refuse to make it suid here, and
| run 'sing' only as root.
Cheers,
Moritz
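
The check the thread turns on, whether the installed binary actually carries the setuid bit, written as an added example that is not part of the original message. The function names are hypothetical, the binary is located through PATH because the message gives no install path, and the `dpkg-statoverride` lookup assumes a Debian system and only reports an entry if one exists:

```shell
#!/bin/sh
# Added example: report whether a tool is installed setuid, and under which owner.

# suid_status PATH
# Prints one of: missing | not-setuid | setuid-root | setuid-uid-N
suid_status() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing"
        return 0
    fi
    # test -u is true only when the set-user-ID bit is set on the file.
    if [ ! -u "$f" ]; then
        echo "not-setuid"
        return 0
    fi
    # Numeric owner is the third field of a long listing; -L follows symlinks,
    # matching what test -u looked at.
    owner=$(ls -Ldn -- "$f" | awk '{print $3}')
    if [ "$owner" = "0" ]; then
        echo "setuid-root"
    else
        echo "setuid-uid-$owner"
    fi
}

# check_tool NAME
# Resolves NAME through PATH and prints its setuid status. If dpkg-statoverride
# is available, also prints any local permission override recorded for the file.
check_tool() {
    path=$(command -v "$1" 2>/dev/null) || { echo "$1: not found in PATH"; return 0; }
    st=$(suid_status "$path")
    echo "$path: $st"
    if command -v dpkg-statoverride >/dev/null 2>&1; then
        dpkg-statoverride --list "$path" 2>/dev/null \
            || echo "$path: no dpkg-statoverride entry"
    fi
    return 0
}

# Defaults to the tool discussed in this thread; pass another name to check it.
check_tool "${1:-sing}"
```

A result of `setuid-root` means non-root users can run the tool with root privileges, which for sing is the spoofed-ICMP capability the debconf prompt warns about.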
