SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Ppp Vendors:   OpenBSD
(OpenBSD Issues Fix) Re: 'pppd' Race Condition in Chmod() Call May Allow Local Users to Obtain Root Privileges on the System
SecurityTracker Alert ID:  1004905
SecurityTracker URL:  http://securitytracker.com/id/1004905
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 31 2002
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in several vendors' Point-to-Point Protocol (PPP) daemon implementations. A local user may be able to obtain root privileges on the system.

A race condition vulnerability has been reported in 'pppd' that may allow a local user to change the permissions of an arbitrary file. The flaw apparently exists in 'main.c' and is due to an unsafe chmod() call.

A local user can reportedly specify a file as a tty device, causing pppd to open the file and record the original permissions of the file. If pppd subsequently fails to initialize the tty device (due to a failure of tcgetattr(3), for example), then pppd will then attempt to restore the original permissions by calling chmod(2). A local user can reportedly create a symbolic link from the file to another critical file on the system in such a manner that the call to chmod() will cause the original file permissions to be incorrectly applied to the linked file.

A local user could exploit this flaw to cause pppd to change the permissions on a critical root owned file so that the local user can edit the critical file. This could result in the local user gaining root privileges on the system.

The pppd program is reportedly installed with set user id (setuid) root privileges on most systems, so this flaw allows any file's permissions to be changed.

Impact:   A local user may be able to modify files on the system with root level privileges, giving the local user root access on the system.
Solution:   OpenBSD has issued the following patches.

For OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/011_pppd.patch

For OpenBSD 3.0:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/028_pppd.patch

Vendor URL:  www.openbsd.org/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  UNIX (OpenBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 31 2002 'pppd' Race Condition in Chmod() Call May Allow Local Users to Obtain Root Privileges on the System



 Source Message Contents

Subject:  OpenBSD pppd patch


OpenBSD 3.1

011: SECURITY FIX: July 29, 2002
A race condition exists in the pppd(8) daemon which may cause it to
alter the file permissions of an arbitrary file.  A source code patch
exists which remedies the problem. 

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/011_pppd.patch



OpenBSD 3.0:

028: SECURITY FIX: July 29, 2002

A race condition exists in the pppd(8) daemon which may cause it to
alter the file permissions of an arbitrary file.  A source code patch
exists which remedies the problem. 

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/028_pppd.patch


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC