Multiple BSD pppd Race Condition Arbitrary File Permission Modification

2002-07-29T00:00:00
ID OSVDB:20753
Type osvdb
Reporter Jun-ichiro itojun Hagino(itojun@openbsd.org), Sebastian Krahmer(krahmer@suse.de)
Modified 2002-07-29T00:00:00

Description

Vulnerability Description

Multiple BSD OSs contain a flaw that may allow a malicious local user to manipulate arbitrary files on the system. The issue is due to pppd changing the permissions of arbitrary files via a symlink attack on a file that is specified as a tty device, resulting in a loss of integrity.

Solution Description

Upgrade to FreeBSD version 4.6-STABLE; or to the RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the correction date (4.6.1-RELEASE-p2, 4.5-RELEASE-p11, or 4.4-RELEASE-p18) or higher, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch for some older versions.

Upgrade to OpenBSD version 3.1 dated after the correction date or higher, as it has been reported to fix this vulnerability. In addition, OpenBSD has released a patch for some older versions.

Upgrade to NetBSD version 1.6 dated after the correction date or higher, as it has been reported to fix this vulnerability.

It is also possible to correct the flaw by implementing the following workaround: remove the setuid bit from pppd. However, this will likely affect required functionality.

Short Description

Multiple BSD OSs contain a flaw that may allow a malicious local user to manipulate arbitrary files on the system. The issue is due to pppd changing the permissions of arbitrary files via a symlink attack on a file that is specified as a tty device, resulting in a loss of integrity.

References:

Vendor URL: http://www.freebsd.org Vendor URL: http://www.netbsd.org Vendor URL: http://www.openbsd.org Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch Vendor Specific Solution URL: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/028_pppd.patch Vendor Specific Solution URL: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/011_pppd.patch Vendor Specific Solution URL: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:32/pppd.patch.asc Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Vendor Specific Advisory URL Security Tracker: 1004903 Mail List Post: http://archives.neohapsis.com/archives/freebsd/2002-07/0530.html ISS X-Force ID: 9738 Generic Exploit URL: http://downloads.securityfocus.com/vulnerabilities/exploits/pppdx.pl CVE-2002-0824 Bugtraq ID: 5355