From: Eygene Ryabinkin
To: Dan Lukes
Cc: freebsd-security@freebsd.org, sipherr@gmail.com
Date: Sun, 2 Mar 2008 08:59:53 +0300
Subject: Re: *BSD user-ppp local root (when conditions permit)
In-Reply-To: <47C9F951.3090408@obluda.cz>
References: <20080229163903.3680.qmail@securityfocus.com> <47C9F951.3090408@obluda.cz>

Dan, good day.
Sun, Mar 02, 2008 at 01:48:17AM +0100, Dan Lukes wrote:
> Eygene Ryabinkin napsal/wrote, On 03/02/08 00:06:
>>> 1. Run ppp
>>> 2. type the following (or at least some variation of)
> ...
>
>> Yes, good catch: looks like stack-based buffer overflow
>
>> Could you please test the following rough patch
>
> It seems you are going to cut off part of line silently.
>
> IMHO - the line shall be rejected as invalid at all or warning needs to be
> issued at least ...

Yes, I will add the necessary statements. But first I want to verify that
the exploitation path is not available anymore.

> Someone may create so long line (unintentionally), it will not work for him
> with no hint why - it's not so polite ...

Maybe the buffer should even be dynamically resized -- will look into it.

Thanks!
--
Eygene
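The two alternatives discussed in this thread, rejecting an over-long line with a diagnostic rather than silently keeping a prefix, and growing the buffer on demand, are shown below as an added example. This is not user-ppp's code and not the patch under review; the function names, the 32-byte `LINE_CAP` limit and the sample lines are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_CAP 32  /* constructed limit, kept small to exercise the check */

/* Constructed sample input: one line that fits LINE_CAP and one that does not. */
static const char EXAMPLE_SHORT_LINE[] = "set device /dev/cuad0";
static const char EXAMPLE_LONG_LINE[]  =
    "set device /dev/cuad0 and a lot of extra text that does not fit";

/* Bounded copy: succeed only if the whole line, including the NUL, fits.
 * Returns 0 on success, -1 if the line is too long. Nothing is copied on
 * failure, so the caller cannot accidentally act on a truncated prefix. */
int copy_line_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > cap) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Wrapper around the example's fixed buffer: 0 = accepted, -1 = rejected,
 * and the rejection is reported instead of being silent. */
int check_line_bounded(const char *src)
{
    char buf[LINE_CAP];
    int rc = copy_line_bounded(buf, sizeof buf, src);
    if (rc != 0)
        fprintf(stderr, "warning: line longer than %d bytes rejected\n", LINE_CAP - 1);
    return rc;
}

/* Growing buffer: read one line from fp, doubling the allocation whenever
 * fgets() fills it without reaching a newline. Returns a malloc'd string
 * without the trailing newline (caller frees), or NULL at EOF / on OOM. */
char *read_line_dynamic(FILE *fp)
{
    size_t cap = 16, len = 0;
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    for (;;) {
        if (fgets(buf + len, (int)(cap - len), fp) == NULL) {
            if (len == 0) { free(buf); return NULL; }   /* EOF, nothing read */
            break;
        }
        len += strlen(buf + len);
        if (len > 0 && buf[len - 1] == '\n') {           /* complete line */
            buf[--len] = '\0';
            break;
        }
        if (len + 1 < cap)                               /* EOF without newline */
            break;
        char *tmp = realloc(buf, cap * 2);               /* buffer full: grow */
        if (tmp == NULL) { free(buf); return NULL; }
        buf = tmp;
        cap *= 2;
    }
    return buf;
}

/* Helper: read the first line of an in-memory text with read_line_dynamic()
 * and return its length, or -1 if nothing could be read. */
long dynamic_line_length(const char *text)
{
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL)
        return -1;
    char *line = read_line_dynamic(fp);
    fclose(fp);
    if (line == NULL)
        return -1;
    long n = (long)strlen(line);
    free(line);
    return n;
}

int main(void)
{
    printf("bounded, short line: %d\n", check_line_bounded(EXAMPLE_SHORT_LINE));
    printf("bounded, long line:  %d\n", check_line_bounded(EXAMPLE_LONG_LINE));
    printf("dynamic, long line:  %ld\n", dynamic_line_length(EXAMPLE_LONG_LINE));
    return 0;
}
```

The bounded variant keeps the fixed stack buffer but makes the limit visible to the user, which addresses the "no hint why" objection; the dynamic variant removes the limit altogether at the cost of heap allocation and an explicit out-of-memory path.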