Date: Fri, 2 Aug 2002 13:34:05 -0400
From: NetBSD Security Officer <security-officer@netbsd.org.>
To: [email protected]Subject: NetBSD Security Advisory 2002-010: symlink race in pppd
Bugtraq has a large number of subscribers whose out-of-office replies
are sent even in response to mailing-list messages. Since this is a
major nuisance, the Reply-To address on this email is fake.
Please address replies to:
NetBSD Security Officer <security-officer@netbsd.org.>
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-010
Topic: symlink race in pppd
Version: NetBSD-current: source prior to July 31, 2002
NetBSD-1.6 beta: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
Severity: Local user may be able to modify permissions on any file
Fixed: NetBSD-current: July 31, 2002
NetBSD-1.6 branch: not yet
NetBSD-1.5 branch: not yet
NetBSD-1.4 branch: not yet
Abstract
========
A race condition exists in the pppd program that may be exploited
in order to change the permissions of an arbitrary file.
A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, and leverage the situation to
acquire escalated privileges.
Technical Details
=================
The file specified as the tty device is opened by pppd, and the
permissions are recorded. If pppd fails to initialize the tty
device in some way (such as a failure of tcgetattr(3)), then pppd
will attempt to restore the original permissions by calling chmod(2).
The call to chmod(2) is subject to a symlink race, so that the
permissions may be `restored' on some other file.
Solutions and Workarounds
The following instructions describe how to upgrade your pppd
binaries by updating your source tree and rebuilding and
installing a new version of pppd.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-07-30
should be upgraded to NetBSD-current dated 2002-07-31 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
usr.sbin/pppd
To update from CVS, re-build, and re-install pppd:
# cd src
# cvs update -d -P usr.sbin/pppd
# cd usr.sbin/pppd
# make cleandir dependall
# make install
* NetBSD 1.6 beta:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.6 branch.
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.5 branch.
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.4 branch.
Thanks To
=========
Jun-ichiro itojun Hagino for patches, and preparing the advisory text.
Revision History
================
2002-08-01 Initial release
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-010.txt,v 1.7 2002/08/01 17:44:51 wiz Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPUk71D5Ru2/4N2IFAQFCLQQAhDzwXJacgTYJWlRGW56aFZuZE/5pyHh+
ccbWNS2ZwlpGEn7ucjlnEgRIN03VL3V4u3+N1HNXC2pb4gdqArP/6KcHMInydYIQ
X1BnXCL7xPG8hCrRzy9uorKeL+bgowC+uvPOUErW3y1LfPWhNQTNAjyHVIp5PFxS
zGHd/4U+aSI=
=otzW
-----END PGP SIGNATURE-----