From owner-freebsd-security@FreeBSD.ORG  Sat Mar  1 23:54:04 2008
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B81AE106566B
	for <freebsd-security@freebsd.org>;
	Sat,  1 Mar 2008 23:54:04 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 60B858FC22
	for <freebsd-security@freebsd.org>;
	Sat,  1 Mar 2008 23:54:04 +0000 (UTC)
	(envelope-from rea-fbsd@codelabs.ru)
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru;
	h=Received:Resent-From:Resent-Date:Resent-Message-ID:Resent-To:Date:From:To:Cc:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Resent-Sender:Resent-Date:X-Spam-Status:Subject;
	b=d+m+SQz1VF3U8e9q97CAV0I5ZN9gvvJl4lK6K4J0s+n4jN9AibC2IcffVwuOKuoAVJuG9g0yyn/WUcQZzOr4G7quNcX1AI79SX4KE4xtGV8DwK7clKo3WcVrOGNeebDgQIiiTxGPAcz7yKP4QLMN0SbA+hL/EfqpHr/yTvhFR5w=;
Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25])
	by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256)
	id 1JVbWj-0002Fu-R9 for freebsd-security@freebsd.org;
	Sun, 02 Mar 2008 02:54:02 +0300
Resent-From: rea-fbsd@codelabs.ru
Resent-Date: Sun, 2 Mar 2008 02:54:00 +0300
Resent-Message-ID: <hztXv7tL7cogjuoaKVM3hjwoMIM@anT1rBJxFFmtDIxMAcBOkF9Caq8>
Resent-To: freebsd-security@freebsd.org
Date: Sun, 2 Mar 2008 02:06:34 +0300
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: sipherr@gmail.com
Message-ID: <eJwztaR4hgj0LBOZtN1f3kC2qd8@49l6neKHPg6j4SHeejH198Klzys>
References: <20080229163903.3680.qmail@securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <20080229163903.3680.qmail@securityfocus.com>
Resent-Sender: rea-fbsd@codelabs.ru
Resent-Date: Sun, 02 Mar 2008 02:54:01 +0300
X-Spam-Status: No, score=-1.8 required=4.0 tests=ALL_TRUSTED,AWL,BAYES_40
Cc: freebsd-security@freebsd.org, vuln-dev@securityfocus.com
Subject: Re: *BSD user-ppp local root (when conditions permit)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Mar 2008 23:54:04 -0000

Good day.

[Reposting this message to the freebsd-security from my subscribed address.
Sorry for possible duplicates.]

Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
> 
> Steps to reproduce:
> 
> 1. Run ppp
> 
> 2. type the following (or atleat some variation of)
> 
> ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> 
> 
> 
> This will produce a segmentation violation (Core dumped).

Yes, good catch: looks like stack-based buffer overflow.  Also works
on FreeBSD 7.0.  Could you please test the following rough patch --
it seem to cure the situation.  Although it is a bit late for
today and I will recheck it more carefully tomorrow.

diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to)
     from++;
 
   while (*from != '\0') {
+    if (to >= endto) {
+	*endto = '\0';
+	return from;
+    }
     switch (*from) {
       case '"':
         instring = !instring;
@@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to)
             *to++ = '\\';	/* Pass the escapes on, maybe skipping \# */
             break;
         }
+	if (to >= endto) {
+		*endto = '\0';
+		return from;
+	}
         *to++ = *from++;
         break;
       case '$':
@@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to)
             *ptr++ = *from;
           *ptr = '\0';
         }
+	if (to >= endto) {
+		*endto = '\0';
+		return from;
+	}
         if (*to == '\0')
           *to++ = '$';
         else if ((env = getenv(to)) != NULL) {
@@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to)
         if (len == 0)
           pwd = getpwuid(ID0realuid());
         else {
+	  if (to + len >= endto) {
+		*to = '\0';
+		return from;
+	  }
           strncpy(to, from, len);
           to[len] = '\0';
           pwd = getpwnam(to);

Thank you!
-- 
Eygene