From owner-freebsd-security-notifications Wed Jul 31 5: 2:42 2002 Delivered-To: freebsd-security-notifications@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4B24A37B49C; Wed, 31 Jul 2002 05:02:38 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E056D43E7B; Wed, 31 Jul 2002 05:02:22 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6VC2KJU023568; Wed, 31 Jul 2002 05:02:20 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: (from nectar@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6VC2KnC023566; Wed, 31 Jul 2002 05:02:20 -0700 (PDT) Date: Wed, 31 Jul 2002 05:02:20 -0700 (PDT) Message-Id: <200207311202.g6VC2KnC023566@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-02:32.pppd Sender: owner-freebsd-security-notifications@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: Reply-To: postmaster@freebsd.org X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:32.pppd Security Advisory The FreeBSD Project Topic: exploitable race condition in pppd Category: core Module: pppd Announced: 2002-07-31 Credits: Sebastian Krahmer Affects: All releases of FreeBSD up to and including 4.6.1-RELEASE-p1 Corrected: 2002-07-30 03:50:40 UTC (RELENG_4) 2002-07-30 19:15:52 UTC (RELENG_4_6) 2002-07-30 19:16:46 UTC (RELENG_4_5) 2002-07-30 19:17:27 UTC (RELENG_4_4) FreeBSD only: NO I. Background FreeBSD ships with several implementations of the Point-to-Point Protocol (PPP). The pppd program is one of these implementations. It provides basic support for negotiating a link, while encapsulation is done by driver code in the kernel. II. Problem Description A race condition exists in the pppd program that may be exploited in order to change the permissions of an arbitrary file. The file specified as the tty device is opened by pppd, and the permissions are recorded. If pppd fails to initialize the tty device in some way (such as a failure of tcgetattr(3)), then pppd will then attempt to restore the original permissions by calling chmod(2). The call to chmod(2) is subject to a symlink race, so that the permissions may `restored' on some other file. Note that the pppd program is installed set-user-ID to root, so that any file's permissions may be changed in this fashion. III. Impact A malicious local user may exploit the race condition to acquire write permissions to a critical system file, such as /etc/crontab, and leverage the situation to acquire escalated privileges. In FreeBSD 4.4-RELEASE and later, the local user must be in group `dialer' in order to run pppd and attempt to exploit this race. IV. Workaround Remove the set-user-ID bit from pppd by executing the following command as root: # chmod u-s /usr/sbin/pppd V. Solution Do one of the following: 1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the correction date (4.6.1-RELEASE-p2, 4.5-RELEASE-p11, or 4.4-RELEASE-p18). 2) To patch your present system: The following patch has been verified to apply to FreeBSD 4.4, 4.5, and 4.6 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/usr.sbin/pppd # make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- usr.sbin/pppd/main.c RELENG_4 1.19.2.1 RELENG_4_6 1.19.10.1 RELENG_4_5 1.19.8.1 RELENG_4_4 1.19.6.1 sys/conf/newvers.sh RELENG_4_6 1.44.2.23.2.7 RELENG_4_5 1.44.2.20.2.12 RELENG_4_4 1.44.2.17.2.17 - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBPUfQ4VUuHi5z0oilAQGaYwP/djtLXxRveB2xDy54hACNSArKnfAbEwEP PisB8Er2Zl4CmwnKx3BO8zWoV+nb7afcWGoy2eU14b/sXTLpInpx+823J8nP3BUK bsUInanuFxX6LfSTbzjRT+8wxxXKO4oarPFfxfVis09ekjO+FqTtm2pAV13ug/+s Wrb8IG4YYVA= =tfMD -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security-notifications" in the body of the message