NetBSD 2002-010-symlink race in pppd

Version:
    NetBSD-current:  source prior to July 31, 2002
    NetBSD-1.6 beta: affected
    NetBSD-1.5.3:    affected
    NetBSD-1.5.2:    affected
    NetBSD-1.5.1:    affected
    NetBSD-1.5:      affected
    NetBSD-1.4.*:    affected

Severity: Local user may be able to modify permissions on any file

Fixed:
    NetBSD-current:    July 31, 2002
    NetBSD-1.6 branch: not yet
    NetBSD-1.5 branch: not yet
    NetBSD-1.4 branch: not yet

  • Vendor: NetBSD
  • Vendor ID: 2002-010
  • Date: August 03, 2002


Abstract
========

A race condition exists in the pppd program that may be exploited
in order to change the permissions of an arbitrary file.

A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, and leverage the situation to
acquire escalated privileges.


Technical Details
=================

The file specified as the tty device is opened by pppd, and the
permissions are recorded. If pppd fails to initialize the tty
device in some way (such as a failure of tcgetattr(3)), then pppd
will attempt to restore the original permissions by calling chmod(2).
The call to chmod(2) is subject to a symlink race, so that the
permissions may be `restored' on some other file.
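
The restore step described above, as an added example (not code from pppd
or from the NetBSD fix): restoring a recorded mode by path versus through
the descriptor that was opened. The file names and other_mode_after() are
constructed for the demonstration, the unlink/symlink step is a deterministic
stand-in for the race window, and fchmod(2) is shown as a general hardening,
which is an assumption and not something the advisory states about the fix.

```c
#define _XOPEN_SOURCE 700          /* mkdtemp, symlink, fchmod */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: restore by name. chmod(2) resolves the
 * path again, so it acts on whatever the name refers to at that moment. */
static int restore_by_path(const char *path, int fd, mode_t mode) {
    (void)fd;
    return chmod(path, mode);
}

/* Hardened form: restore through the descriptor from open(2). fchmod(2)
 * acts on the opened file no matter what the name refers to later. */
static int restore_by_fd(const char *path, int fd, mode_t mode) {
    (void)path;
    return fchmod(fd, mode);
}

/* Stand-in for the race window: after the mode is recorded, the name is
 * replaced by a symlink to a second file. Returns that second file's
 * permission bits after the restore, or -1 on error. */
static int other_mode_after(int (*restore)(const char *, int, mode_t)) {
    char dir[] = "/tmp/sa2002-010-XXXXXX", dev[64], other[64];
    struct stat st;
    int fd, ofd, result = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(dev, sizeof dev, "%s/tty", dir);      /* constructed names */
    snprintf(other, sizeof other, "%s/other", dir);
    fd = open(dev, O_CREAT | O_RDWR, 0666);
    ofd = open(other, O_CREAT | O_RDWR, 0600);
    if (fd >= 0 && ofd >= 0 &&
        fchmod(fd, 0666) == 0 && fchmod(ofd, 0600) == 0 && /* ignore umask */
        fstat(fd, &st) == 0 &&                          /* record the mode */
        unlink(dev) == 0 && symlink(other, dev) == 0 && /* name changes */
        restore(dev, fd, st.st_mode & 07777) == 0 &&
        fstat(ofd, &st) == 0)
        result = st.st_mode & 07777;
    if (fd >= 0) close(fd);
    if (ofd >= 0) close(ofd);
    unlink(dev); unlink(other); rmdir(dir);
    return result;
}

int main(void) {
    printf("restore by path: other file mode %04o\n", other_mode_after(restore_by_path));
    printf("restore by fd:   other file mode %04o\n", other_mode_after(restore_by_fd));
    return 0;
}
```

With the path-based restore the second file ends up with the recorded mode of
the first; with the descriptor-based restore it keeps its own mode.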


Solutions and Workarounds
=========================

The following instructions describe how to upgrade your pppd
binaries by updating your source tree and rebuilding and
installing a new version of pppd.

* NetBSD-current:

Systems running NetBSD-current dated from before 2002-07-30
should be upgraded to NetBSD-current dated 2002-07-31 or later.

The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
usr.sbin/pppd

To update from CVS, re-build, and re-install pppd:
# cd src
# cvs update -d -P usr.sbin/pppd

# cd usr.sbin/pppd
# make cleandir dependall
# make install


* NetBSD 1.6 beta:

The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.6 branch.


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.5 branch.


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.4 branch.



Thanks To
=========

Jun-ichiro itojun Hagino for patches, and preparing the advisory text.


Revision History
================

2002-08-01 Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
