FreeBSD-SA-02:32.pppd

by Nikola Strahija on July 31st, 2002

FreeBSD ships with several implementations of the Point-to-Point Protocol (PPP). The pppd program is one of these implementations. It provides basic support for negotiating a link, while encapsulation is done by driver code in the kernel.


II. Problem Description

A race condition exists in the pppd program that may be exploited
in order to change the permissions of an arbitrary file. The file
specified as the tty device is opened by pppd, and the permissions
are recorded. If pppd fails to initialize the tty device in some way
(such as a failure of tcgetattr(3)), then pppd will attempt to
restore the original permissions by calling chmod(2). The call to
chmod(2) is subject to a symlink race, so that the permissions may be
`restored' on some other file.

Note that the pppd program is installed set-user-ID to root, so that
any file's permissions may be changed in this fashion.
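
The difference between restoring permissions by path and by descriptor, as an added example (not code from the advisory or from the FreeBSD patch). The function names and the temporary files under /tmp are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern described in the advisory: the mode is restored by NAME, so
 * the path is resolved again (symlinks followed) when chmod(2) runs. */
int restore_mode_by_path(const char *path, mode_t saved) {
    return chmod(path, saved);
}

/* Hardened form: fchmod(2) acts on the file that was actually opened;
 * the name is never looked up a second time. */
int restore_mode_by_fd(int fd, mode_t saved) {
    return fchmod(fd, saved);
}

/* Constructed scenario in a private temp dir: "dev" stands in for the file
 * named as the tty, "other" for an unrelated file. The name "dev" is
 * re-pointed at "other" between open and restore. Returns other's mode. */
int other_mode_after_restore(int use_fd) {
    char dir[] = "/tmp/pppd-sa0232-XXXXXX", dev[64], other[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(dev, sizeof dev, "%s/dev", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    int ofd = open(other, O_CREAT | O_RDWR, 0600);
    int fd = open(dev, O_CREAT | O_RDWR, 0644);
    if (ofd < 0 || fd < 0) return -1;
    fchmod(ofd, 0600); fchmod(fd, 0644);   /* fix modes regardless of umask */
    if (fstat(fd, &st) != 0) return -1;
    mode_t saved = st.st_mode & 07777;     /* mode recorded at open: 0644 */
    unlink(dev);
    if (symlink(other, dev) != 0) return -1;
    if (use_fd) restore_mode_by_fd(fd, saved);
    else        restore_mode_by_path(dev, saved);
    int result = (fstat(ofd, &st) == 0) ? (int)(st.st_mode & 07777) : -1;
    close(fd); close(ofd);
    unlink(dev); unlink(other); rmdir(dir);
    return result;
}

int main(void) {
    printf("by path: other is now %04o\n", other_mode_after_restore(0));
    printf("by fd:   other is now %04o\n", other_mode_after_restore(1));
    return 0;
}
```

With the path-based restore the unrelated file ends up with the mode recorded for the opened file; with fchmod(2) it keeps its own mode.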

III. Impact

A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, such as /etc/crontab, and
leverage the situation to acquire escalated privileges.

In FreeBSD 4.4-RELEASE and later, the local user must be in group
`dialer' in order to run pppd and attempt to exploit this race.

IV. Workaround

Remove the set-user-ID bit from pppd by executing the following
command as root:

# chmod u-s /usr/sbin/pppd

V. Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6,
RELENG_4_5, or RELENG_4_4 security branch dated after the correction
date (4.6.1-RELEASE-p2, 4.5-RELEASE-p11, or 4.4-RELEASE-p18).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, 4.5,
and 4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch

