Date: 3 Dec 2003 13:43:30 -0000
From: bert_raccoon@freemail.ru
To: bugtraq@securityfocus.com
Subject: FreeBSD arp poison patch
There is well known problem arp poisoning problem in FreeBSD. If
arp reply is received without request FreeBSD logs error
into syslog, but changes arp table entry. It makes possibility
for local atacker to change arp cache entry. In network this
behaviour can only occure when adapter changes it's MAC address.
Attached is patch to check old MAC address before changing
arp entry by sending unicast arp request to this MAC. If old MAC
replies, no changes to arp table is made and attack is logged.
Same patch for linux was published by Buggzy. Patch was tested for
FreeBSD 4.6 - 5.0.
To apply patch do:
download http://freecap.ru/if_ether.c.patch
# cd /sys/netinet
# patch < /path/to/patch
and rebuild the kernel.
