OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: NetBSD Security Officer (security-officer_at_netbsd.org)
Date: Mon Sep 16 2002 - 21:12:48 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

                     NetBSD Security Advisory 2002-010
                     =================================

    Topic: symlink race in pppd

    Version: NetBSD-current: source prior to July 31, 2002
                    NetBSD-1.6 beta: affected
                    NetBSD-1.5.3: affected
                    NetBSD-1.5.2: affected
                    NetBSD-1.5.1: affected
                    NetBSD-1.5: affected
                    NetBSD-1.4.*: affected

    Severity: Local user may be able to modify permissions on any file

    Fixed: NetBSD-current: July 31, 2002
                    NetBSD-1.6 branch: August 3, 2002
                                            (NetBSD 1.6 includes the fix)
                    NetBSD-1.5 branch: September 5, 2002
                    NetBSD-1.4 branch: not yet

    Abstract
    ========

    A race condition exists in the pppd program that may be exploited
    in order to change the permissions of an arbitrary file.

    A malicious local user may exploit the race condition to acquire write
    permissions to a critical system file, and leverage the situation to
    acquire escalated privileges.

    Technical Details
    =================

    The file specified as the tty device is opened by pppd, and the
    permissions are recorded. If pppd fails to initialize the tty
    device in some way (such as a failure of tcgetattr(3)), then pppd
    will attempt to restore the original permissions by calling chmod(2).
    The call to chmod(2) is subject to a symlink race, so that the
    permissions may be `restored' on some other file.

    Solutions and Workarounds
    =========================

    The recent NetBSD 1.6 release is not vulnerable to this issue. A full
    upgrade to NetBSD 1.6 is the recommended resolution for all users able
    to do so. Many security-related improvements have been made, and
    indeed this release has been delayed several times in order to include
    fixes for a number of recent issues.

    Otherwise, the following instructions describe how to upgrade your
    pppd binaries by updating your source tree and rebuilding and
    installing a new version of pppd.

    * NetBSD-current:

            Systems running NetBSD-current dated from before 2002-07-30
            should be upgraded to NetBSD-current dated 2002-07-31 or later.

            The following directories need to be updated from the
            netbsd-current CVS branch (aka HEAD):
                    usr.sbin/pppd

            To update from CVS, re-build, and re-install pppd:
                    # cd src
                    # cvs update -d -P usr.sbin/pppd

                    # cd usr.sbin/pppd
                    # make cleandir dependall
                    # make install

    * NetBSD 1.6 beta:

            Systems running NetBSD 1.6 BETAs and Release Candidates should
            be upgraded to the NetBSD 1.6 release.

            If a source-based point upgrade is required, sources from the
            NetBSD 1.6 branch dated 2002-08-04 or later should be used.

            The following directories need to be updated from the
            netbsd-1-6 CVS branch:
                    usr.sbin/pppd

            To update from CVS, re-build, and re-install pppd:
                    # cd src
                    # cvs update -d -P -r netbsd-1-6 usr.sbin/pppd

                    # cd usr.sbin/pppd
                    # make cleandir dependall
                    # make install

    * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

            Systems running NetBSD 1.5 dated from before 2002-09-05 should
            be upgraded to NetBSD 1.5 branch dated 2002-09-05 or later.

            The following directories need to be updated from the
            netbsd-1-5 CVS branch:
                    usr.sbin/pppd

            To update from CVS, re-build, and re-install pppd:
                    # cd src
                    # cvs update -d -P -r netbsd-1-5 usr.sbin/pppd

                    # cd usr.sbin/pppd
                    # make cleandir dependall
                    # make install

    * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

            The advisory will be updated to include instructions to remedy
            this problem for systems running the NetBSD-1.4 branch.

    Thanks To
    =========

    Jun-ichiro itojun Hagino for patches, and preparing the advisory text.

    The NetBSD Release Engineering teams, for great patience and
    assistance in dealing with repeated security issues discovered
    recently.

    Revision History
    ================

            2002-08-01 Initial release
            2002-09-05 1.5 fixed
            2002-09-16 Re-release with updated information

    More Information
    ================

    An up-to-date PGP signed copy of this release will be maintained at
      ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc

    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

    Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.

    $NetBSD: NetBSD-SA2002-010.txt,v 1.15 2002/09/16 05:17:55 dan Exp $

    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv

    iQCVAwUBPYVqFT5Ru2/4N2IFAQGWDwQAodZpv2grHbPZPoIdUmlhRVp46pRnZTH7
    jXUvVNLAbqQYTb08ICChzTF2IIjkvOySNLXvBeynNEMTmYeFh+HZwdrofr/+Wgcc
    DBgX3BnCHgeRkJbKTDXjPmMKB+EP86H9o4yYz0pSKNVNRg7GgeJtM1zOLwlmX1NE
    nj8huZwPs7c=
    =7Lza
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html