From owner-freebsd-security@FreeBSD.ORG Sun Mar 2 06:11:47 2008
Date: Sun, 2 Mar 2008 09:11:44 +0300
From: Eygene Ryabinkin
To: freebsd-security@freebsd.org
Cc: sipherr@gmail.com
Subject: Re: *BSD user-ppp local root (when conditions permit)
References: <20080229163903.3680.qmail@securityfocus.com>
List-Id: "Security issues [members-only posting]"

Me again.
Sun, Mar 02, 2008 at 02:06:34AM +0300, Eygene Ryabinkin wrote:
> Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> > I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD.
> > It also works on OpenBSD (unconfirmed on 4.2)
> >
> > Steps to reproduce:
> >
> > 1. Run ppp
> >
> > 2. type the following (or at least some variation of)
> >
> > ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > This will produce a segmentation violation (Core dumped).
>
> Yes, good catch: looks like stack-based buffer overflow. Also works
> on FreeBSD 7.0. Could you please test the following rough patch -- it
> seems to cure the situation. Although it is a bit late for today and I
> will recheck it more carefully tomorrow.

About the possible exploitation scenarios: I see two of them in the
default FreeBSD installation, when ppp is setuid root and permitted to
run only for root and the 'network' group.

a) Trusted users from the group 'network': interactive privilege
   escalation and local root exploit.

b) Trusted users who can modify ppp's configuration files:
   non-interactive escalation and local root exploit (remote root
   exploit in the setups where some Web interface to the PPP
   configuration and the like exists).

Have I missed something?
-- 
Eygene
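As an added illustration of the bug class discussed in this thread (hypothetical code, not ppp's source and not written by any participant): a path-expansion routine that appends a home-directory string for every leading "~/" into a fixed-size stack buffer, beside a bounded version that fails closed instead of overrunning. The home-directory value and the 128-byte buffer size are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration, not ppp's source: leading "~/" components of
 * a path are each replaced by the home directory, into a fixed buffer. */
#define PATH_BUF 128

/* Constructed value; a setuid program must not trust $HOME here. */
static const char *home_dir(void) { return "/home/user"; }

/* Unsafe pattern: strcat() never checks the space left in buf. Every
 * "~/" adds strlen(home)+1 bytes, so a long chain of "~/" followed by a
 * long tail writes past the 128-byte buffer and corrupts the stack. */
static void expand_unsafe(const char *in, char buf[PATH_BUF])
{
    buf[0] = '\0';
    for (; in[0] == '~' && in[1] == '/'; in += 2) {
        strcat(buf, home_dir());
        strcat(buf, "/");
    }
    strcat(buf, in);
}

/* Hardened form: snprintf() with the remaining size, failing closed when
 * the expansion would not fit. Returns 0 on success, -1 if too long. */
static int expand_safe(const char *in, char *buf, size_t bufsz)
{
    size_t used = 0;
    int n;
    buf[0] = '\0';
    for (; in[0] == '~' && in[1] == '/'; in += 2) {
        n = snprintf(buf + used, bufsz - used, "%s/", home_dir());
        if (n < 0 || (size_t)n >= bufsz - used)
            return -1;
        used += (size_t)n;
    }
    n = snprintf(buf + used, bufsz - used, "%s", in);
    return (n < 0 || (size_t)n >= bufsz - used) ? -1 : 0;
}

int main(void)
{
    char out[PATH_BUF];
    const char *inputs[] = { "~/ppp.conf", "~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/~/x" };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", inputs[i],
               expand_safe(inputs[i], out, sizeof out) == 0 ? out : "rejected (too long)");
    return 0;
}
```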