From security-officer@netbsd.org Tue Sep 17 21:45:23 2002 From: NetBSD Security Officer To: full-disclosure@lists.netsys.com Date: Tue, 17 Sep 2002 12:12:48 +1000 Subject: [Full-Disclosure] NetBSD Security Advisory 2002-010: symlink race in pppd -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-010 ================================= Topic: symlink race in pppd Version: NetBSD-current: source prior to July 31, 2002 NetBSD-1.6 beta: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: affected Severity: Local user may be able to modify permissions on any file Fixed: NetBSD-current: July 31, 2002 NetBSD-1.6 branch: August 3, 2002 (NetBSD 1.6 includes the fix) NetBSD-1.5 branch: September 5, 2002 NetBSD-1.4 branch: not yet Abstract ======== A race condition exists in the pppd program that may be exploited in order to change the permissions of an arbitrary file. A malicious local user may exploit the race condition to acquire write permissions to a critical system file, and leverage the situation to acquire escalated privileges. Technical Details ================= The file specified as the tty device is opened by pppd, and the permissions are recorded. If pppd fails to initialize the tty device in some way (such as a failure of tcgetattr(3)), then pppd will attempt to restore the original permissions by calling chmod(2). The call to chmod(2) is subject to a symlink race, so that the permissions may be `restored' on some other file. Solutions and Workarounds ========================= The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade to NetBSD 1.6 is the recommended resolution for all users able to do so. Many security-related improvements have been made, and indeed this release has been delayed several times in order to include fixes for a number of recent issues. Otherwise, the following instructions describe how to upgrade your pppd binaries by updating your source tree and rebuilding and installing a new version of pppd. * NetBSD-current: Systems running NetBSD-current dated from before 2002-07-30 should be upgraded to NetBSD-current dated 2002-07-31 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): usr.sbin/pppd To update from CVS, re-build, and re-install pppd: # cd src # cvs update -d -P usr.sbin/pppd # cd usr.sbin/pppd # make cleandir dependall # make install * NetBSD 1.6 beta: Systems running NetBSD 1.6 BETAs and Release Candidates should be upgraded to the NetBSD 1.6 release. If a source-based point upgrade is required, sources from the NetBSD 1.6 branch dated 2002-08-04 or later should be used. The following directories need to be updated from the netbsd-1-6 CVS branch: usr.sbin/pppd To update from CVS, re-build, and re-install pppd: # cd src # cvs update -d -P -r netbsd-1-6 usr.sbin/pppd # cd usr.sbin/pppd # make cleandir dependall # make install * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD 1.5 dated from before 2002-09-05 should be upgraded to NetBSD 1.5 branch dated 2002-09-05 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: usr.sbin/pppd To update from CVS, re-build, and re-install pppd: # cd src # cvs update -d -P -r netbsd-1-5 usr.sbin/pppd # cd usr.sbin/pppd # make cleandir dependall # make install * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3: The advisory will be updated to include instructions to remedy this problem for systems running the NetBSD-1.4 branch. Thanks To ========= Jun-ichiro itojun Hagino for patches, and preparing the advisory text. The NetBSD Release Engineering teams, for great patience and assistance in dealing with repeated security issues discovered recently. Revision History ================ 2002-08-01 Initial release 2002-09-05 1.5 fixed 2002-09-16 Re-release with updated information More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-010.txt,v 1.15 2002/09/16 05:17:55 dan Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBPYVqFT5Ru2/4N2IFAQGWDwQAodZpv2grHbPZPoIdUmlhRVp46pRnZTH7 jXUvVNLAbqQYTb08ICChzTF2IIjkvOySNLXvBeynNEMTmYeFh+HZwdrofr/+Wgcc DBgX3BnCHgeRkJbKTDXjPmMKB+EP86H9o4yYz0pSKNVNRg7GgeJtM1zOLwlmX1NE nj8huZwPs7c= =7Lza -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html