SecurityTracker Archives
Category: Application (Generic) > PPP
Vendors: [Multiple Authors/Vendors]
'pppd' Race Condition in Chmod() Call May Allow Local Users to Obtain Root Privileges on the System
SecurityTracker Alert ID: 1004903
SecurityTracker URL: http://securitytracker.com/id/1004903
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 31 2002
Impact: Modification of system information, Root access via local system


Description:   A vulnerability was reported in several vendors' Point-to-Point Protocol (PPP) daemon implementations. A local user may be able to obtain root privileges on the system.

A race condition has been reported in 'pppd' that may allow a local user to change the permissions of an arbitrary file. The flaw is in 'main.c' and is due to an unsafe chmod() call.

A local user can specify a file of their choosing as the tty device. pppd opens that file and records its original permissions. If pppd then fails to initialize the tty device (because tcgetattr(3) fails, for example), it attempts to restore the original permissions by calling chmod(2) on the path name rather than on the descriptor it already holds open. In the window between the open and the chmod(2), the local user can replace that path with a symbolic link to another file, so the recorded permissions are applied to the link target instead of the file pppd opened (a time-of-check/time-of-use race).

A local user could exploit this flaw to cause pppd to change the permissions on a critical root-owned file (the FreeBSD advisory gives /etc/crontab as an example) so that the local user can edit it. This could result in the local user gaining root privileges on the system.

The pppd program is installed set-user-ID root on most systems, so the chmod(2) call runs with root privileges and any file's permissions can be changed in this way.
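The following C program is an added illustration of the pattern described above; it is not pppd's code and not the FreeBSD patch. It builds a scratch directory under /tmp (an assumed writable location), creates a "tty" file and a "victim" file, opens the tty and records its mode, then swaps the tty path for a symlink to the victim as the attacker would in the race window, and finally "restores" the mode either by path (chmod(2), the pattern the advisory describes) or through the still-open descriptor (fchmod(2), the generic hardening for this class of bug). All file names are constructed for the demo.

```c
/* Added example: the TOCTOU race behind the pppd chmod() bug, and the
 * fchmod() form that is immune to it. Not pppd's code; scratch paths
 * under /tmp are assumed writable. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: "restore" a mode by path name. If the path has been
 * replaced with a symlink since the file was opened, chmod() follows it. */
int restore_mode_by_path(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Hardened pattern: act on the descriptor from the original open(); later
 * changes to the directory entry cannot redirect fchmod(). */
int restore_mode_by_fd(int fd, mode_t mode)
{
    return fchmod(fd, mode);
}

/* Play out the race once. Returns 1 if the victim file's mode was changed
 * (attacker wins), 0 if it was left alone, -1 on setup failure. */
int race_demo(int use_fd)
{
    char dir[] = "/tmp/pppd-race-XXXXXX";      /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return -1;
    char tty[256], victim[256];
    snprintf(tty, sizeof tty, "%s/tty", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    /* victim stands in for a root-owned file such as /etc/crontab */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int tfd = open(tty, O_RDWR | O_CREAT | O_EXCL, 0666);
    if (vfd < 0 || tfd < 0) return -1;
    close(vfd);
    fchmod(tfd, 0666);                          /* defeat umask for a fixed mode */

    /* pppd records the tty's original permissions here */
    struct stat st;
    fstat(tfd, &st);
    mode_t saved = st.st_mode & 07777;

    /* attacker window: replace the tty path with a symlink to the victim */
    unlink(tty);
    symlink(victim, tty);

    /* "tcgetattr() failed": pppd restores the recorded permissions */
    if (use_fd) restore_mode_by_fd(tfd, saved);
    else        restore_mode_by_path(tty, saved);

    /* did the victim's mode move from 0600 to the tty's 0666? */
    stat(victim, &st);
    int victim_changed = ((st.st_mode & 07777) != 0600);

    close(tfd);
    unlink(tty);
    unlink(victim);
    rmdir(dir);
    return victim_changed;
}
```

race_demo(0) returns 1: the by-path chmod() follows the freshly planted symlink and loosens the victim's permissions. race_demo(1) returns 0: fchmod() on the descriptor pppd already holds only touches the file that was actually opened, which is why fixes for this bug class replace path-based permission changes in error paths with descriptor-based ones. The same reasoning applies to stat() versus fstat() when the original mode is recorded.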

Impact:   A local user may be able to modify files on the system with root level privileges, giving the local user root access on the system.
Solution:   No solution was available at the time of this entry.

As a workaround, the report indicates that (at least for FreeBSD) you can remove the set user id (setuid) bit from the pppd binary.

Cause:   Access control error, State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(FreeBSD Issues Fix) 'pppd' Race Condition in Chmod() Call May Allow Local Users to Obtain Root Privileges on the System   (FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>)
FreeBSD has released a fix.
(OpenBSD Issues Fix) Re: 'pppd' Race Condition in Chmod() Call May Allow Local Users to Obtain Root Privileges on the System
OpenBSD has issued a patch.
(NetBSD Issues Fix) 'pppd' Race Condition in Chmod() Call May Allow Local Users to Obtain Root Privileges on the System   (NetBSD Security Officer <security-officer@netbsd.org>)
NetBSD has released a fix.



 Source Message Contents

Date:  Wed, 31 Jul 2002 05:02:20 -0700 (PDT)
Subject:  FreeBSD Security Advisory FreeBSD-SA-02:32.pppd


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:32.pppd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          exploitable race condition in pppd

Category:       core
Module:         pppd
Announced:      2002-07-31
Credits:        Sebastian Krahmer <krahmer@suse.de>
Affects:        All releases of FreeBSD up to and including 4.6.1-RELEASE-p1
Corrected:      2002-07-30 03:50:40 UTC (RELENG_4)
                2002-07-30 19:15:52 UTC (RELENG_4_6)
                2002-07-30 19:16:46 UTC (RELENG_4_5)
                2002-07-30 19:17:27 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background

FreeBSD ships with several implementations of the Point-to-Point
Protocol (PPP).  The pppd program is one of these implementations.  It
provides basic support for negotiating a link, while encapsulation is
done by driver code in the kernel.

II.  Problem Description

A race condition exists in the pppd program that may be exploited
in order to change the permissions of an arbitrary file.  The file
specified as the tty device is opened by pppd, and the permissions
are recorded.  If pppd fails to initialize the tty device in some way
(such as a failure of tcgetattr(3)), then pppd will then attempt to
restore the original permissions by calling chmod(2).  The call to
chmod(2) is subject to a symlink race, so that the permissions may
`restored' on some other file.

Note that the pppd program is installed set-user-ID to root, so that
any file's permissions may be changed in this fashion.

III. Impact

A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, such as /etc/crontab, and
leverage the situation to acquire escalated privileges.

In FreeBSD 4.4-RELEASE and later, the local user must be in group
`dialer' in order to run pppd and attempt to exploit this race.

IV.  Workaround

Remove the set-user-ID bit from pppd by executing the following
command as root:

# chmod u-s /usr/sbin/pppd

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6,
RELENG_4_5, or RELENG_4_4 security branch dated after the correction
date (4.6.1-RELEASE-p2, 4.5-RELEASE-p11, or 4.4-RELEASE-p18).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, 4.5,
and 4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/pppd
# make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- -------------------------------------------------------------------------
usr.sbin/pppd/main.c
  RELENG_4                                                       1.19.2.1
  RELENG_4_6                                                    1.19.10.1
  RELENG_4_5                                                     1.19.8.1
  RELENG_4_4                                                     1.19.6.1
sys/conf/newvers.sh
  RELENG_4_6                                                1.44.2.23.2.7
  RELENG_4_5                                               1.44.2.20.2.12
  RELENG_4_4                                               1.44.2.17.2.17
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPUfQ4VUuHi5z0oilAQGaYwP/djtLXxRveB2xDy54hACNSArKnfAbEwEP
PisB8Er2Zl4CmwnKx3BO8zWoV+nb7afcWGoy2eU14b/sXTLpInpx+823J8nP3BUK
bsUInanuFxX6LfSTbzjRT+8wxxXKO4oarPFfxfVis09ekjO+FqTtm2pAV13ug/+s
Wrb8IG4YYVA=
=tfMD
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

Copyright 2013, SecurityGlobal.net LLC