(OpenBSD Issues Fix) Re: 'pppd' Race Condition in Chmod() Call May Allow Local Users to Obtain Root Privileges on the System - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Ppp

Vendors: OpenBSD

(OpenBSD Issues Fix) Re: 'pppd' Race Condition in Chmod() Call May Allow Local Users to Obtain Root Privileges on the System

SecurityTracker Alert ID: 1004905

SecurityTracker URL: http://securitytracker.com/id/1004905

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Jul 31 2002

Impact: Modification of system information, Root access via local system

Fix Available: Yes Vendor Confirmed: Yes

Description: A vulnerability was reported in several vendors' Point-to-Point Protocol (PPP) daemon implementations. A local user may be able to obtain root privileges on the system.

A race condition vulnerability has been reported in 'pppd' that may allow a local user to change the permissions of an arbitrary file. The flaw apparently exists in 'main.c' and is due to an unsafe chmod() call.

A local user can reportedly specify a file as a tty device, causing pppd to open the file and record the original permissions of the file. If pppd subsequently fails to initialize the tty device (due to a failure of tcgetattr(3), for example), then pppd will then attempt to restore the original permissions by calling chmod(2). A local user can reportedly create a symbolic link from the file to another critical file on the system in such a manner that the call to chmod() will cause the original file permissions to be incorrectly applied to the linked file.

A local user could exploit this flaw to cause pppd to change the permissions on a critical root owned file so that the local user can edit the critical file. This could result in the local user gaining root privileges on the system.

The pppd program is reportedly installed with set user id (setuid) root privileges on most systems, so this flaw allows any file's permissions to be changed.

Impact: A local user may be able to modify files on the system with root level privileges, giving the local user root access on the system.

Solution: OpenBSD has issued the following patches.

For OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/011_pppd.patch

For OpenBSD 3.0:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/028_pppd.patch

Vendor URL: www.openbsd.org/ (Links to External Site)

Cause: Access control error, State error

Underlying OS: UNIX (OpenBSD)

Message History: This archive entry is a follow-up to the message listed below.

'pppd' Race Condition in Chmod() Call May Allow Local Users to Obtain Root Privileges on the System

Source Message Contents

Date: Tue, 30 Jul 2002 11:09:39 -0400
Subject: OpenBSD pppd patch


OpenBSD 3.1

011: SECURITY FIX: July 29, 2002
A race condition exists in the pppd(8) daemon which may cause it to
alter the file permissions of an arbitrary file.  A source code patch
exists which remedies the problem. 

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/011_pppd.patch



OpenBSD 3.0:

028: SECURITY FIX: July 29, 2002

A race condition exists in the pppd(8) daemon which may cause it to
alter the file permissions of an arbitrary file.  A source code patch
exists which remedies the problem. 

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/028_pppd.patch

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC