FreeBSD Security Advisory FreeBSD-SA-02:32.pppd

From: FreeBSD Security Advisories (security-advisories@freebsd.org)
Date: 07/31/02

• Next message: Jacques A. Vidrine: "Re: Are OpenSSL bugs related to OpenSSH ?"
• Previous message: Mike Tancsa: "Re: apache mod_ssl ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 31 Jul 2002 05:02:19 -0700 (PDT)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:32.pppd Security Advisory
                                                          The FreeBSD Project

Topic: exploitable race condition in pppd

Category: core
Module: pppd
Announced: 2002-07-31
Credits: Sebastian Krahmer <krahmer@suse.de>
Affects: All releases of FreeBSD up to and including 4.6.1-RELEASE-p1
Corrected: 2002-07-30 03:50:40 UTC (RELENG_4)
                2002-07-30 19:15:52 UTC (RELENG_4_6)
                2002-07-30 19:16:46 UTC (RELENG_4_5)
                2002-07-30 19:17:27 UTC (RELENG_4_4)
FreeBSD only: NO

I. Background

FreeBSD ships with several implementations of the Point-to-Point
Protocol (PPP). The pppd program is one of these implementations. It
provides basic support for negotiating a link, while encapsulation is
done by driver code in the kernel.

II. Problem Description

A race condition exists in the pppd program that may be exploited
in order to change the permissions of an arbitrary file. The file
specified as the tty device is opened by pppd, and the permissions
are recorded. If pppd fails to initialize the tty device in some way
(such as a failure of tcgetattr(3)), then pppd will then attempt to
restore the original permissions by calling chmod(2). The call to
chmod(2) is subject to a symlink race, so that the permissions may
`restored' on some other file.

Note that the pppd program is installed set-user-ID to root, so that
any file's permissions may be changed in this fashion.

III. Impact

A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, such as /etc/crontab, and
leverage the situation to acquire escalated privileges.

In FreeBSD 4.4-RELEASE and later, the local user must be in group
`dialer' in order to run pppd and attempt to exploit this race.

IV. Workaround

Remove the set-user-ID bit from pppd by executing the following
command as root:

# chmod u-s /usr/sbin/pppd

V. Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6,
RELENG_4_5, or RELENG_4_4 security branch dated after the correction
date (4.6.1-RELEASE-p2, 4.5-RELEASE-p11, or 4.4-RELEASE-p18).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, 4.5,
and 4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/pppd
# make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path Revision
  Branch
- -------------------------------------------------------------------------
usr.sbin/pppd/main.c
  RELENG_4 1.19.2.1
  RELENG_4_6 1.19.10.1
  RELENG_4_5 1.19.8.1
  RELENG_4_4 1.19.6.1
sys/conf/newvers.sh
  RELENG_4_6 1.44.2.23.2.7
  RELENG_4_5 1.44.2.20.2.12
  RELENG_4_4 1.44.2.17.2.17
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPUfQ4VUuHi5z0oilAQGaYwP/djtLXxRveB2xDy54hACNSArKnfAbEwEP
PisB8Er2Zl4CmwnKx3BO8zWoV+nb7afcWGoy2eU14b/sXTLpInpx+823J8nP3BUK
bsUInanuFxX6LfSTbzjRT+8wxxXKO4oarPFfxfVis09ekjO+FqTtm2pAV13ug/+s
Wrb8IG4YYVA=
=tfMD
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Next message: Jacques A. Vidrine: "Re: Are OpenSSL bugs related to OpenSSH ?"
• Previous message: Mike Tancsa: "Re: apache mod_ssl ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: pppd crashes, was: kde-freebsd] Question about KPPP on FreeBSD ... >> with FreeBSD and KPPP. ... You mean the FreeBSD-using KDE developer community, ... Well perhaps there's a pppd hacker who shares your conviction out there ... (freebsd-stable) pppd pty equivilent in FBSD ... I have a question about pppd. ... but not in freebsd because the ... implementation of pppd that comes with freebsd does not recognize the pty ... From the pppd man page on a linux machine. ... (freebsd-net) Re: getting newer version of pppd ... my connection still wont work. ... was tested on freebsd in addition to netbsd. ... >> to looks on ports to find pppd but could not find it. ... > If you're just wanting to get on the Internet, buying a router may be the better ... (comp.unix.bsd.freebsd.misc) FreeBSD Security Advisory FreeBSD-SA-02:32.pppd ... FreeBSD ships with several implementations of the Point-to-Point ... The pppd program is one of these implementations. ... in order to change the permissions of an arbitrary file. ... (Bugtraq) [Full-Disclosure] NetBSD Security Advisory 2002-010: symlink race in pppd ... Local user may be able to modify permissions on any file ... A race condition exists in the pppd program that may be exploited ... A malicious local user may exploit the race condition to acquire write ... The recent NetBSD 1.6 release is not vulnerable to this issue. ... (Full-Disclosure)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint