Re: pppd security hole Re: i386/344 (fwd)
daemon@ATHENA.MIT.EDU (Will Waites)
Tue Nov 18 14:04:36 1997
Date: Mon, 17 Nov 1997 16:37:59 -0500
Reply-To: Will Waites <ww@STYX.ORG>
From: Will Waites <ww@STYX.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.GSO.3.96.971115003222.1536B-100000@thetics.europa.com>
>>>>> "David" == David Neil <theoe@EUROPA.COM> writes:
David> Also, pppd is public domain, and lives around many other
David> systems such as slowaris, lamex, *bsd. I don't know how
David> pppd got its SUID bit, but it doesn't need it.
Indeed it does - pppd needs to (1) create a network interface and (2)
possibly modify the kernel's routing table. To do both of these,
superuser privileges are required. However it is true that pppd
handles its privileges sloppily - i.e. it should not be running with
uid 0 when it is accessing the ttys, only when it needs to do some
privileged system calls.
I haven't looked at the source for pppd, but since it reads a *lot* of
different parameters from its config file(s), it seems likely that
there might be some buffer overflow problems. Has anyone looked into
this?
Cheers,
Will
--
////////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Will Waites || NIC Handle: WW1310
ww@styx.org ||
-----------------------------------||-----------------------------------
key ID = 2048/1CA68339 || Public key at pgp.ai.mit.edu
fingerprint = DA BE BD 7E 65 CD A3 3F E2 5D 66 0A 8D 9E 41 FD
------------------------------------------------------------------------
"If that makes any sense to you, you have a big problem"
-- C. Durance
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\////////////////////////////////////
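The privilege handling Will describes (stay uid 0 only around the few privileged system calls, not while touching the ttys or reading option files) is the classic setuid-root "drop and re-raise" pattern. The following is an added illustration written for this archive page, not code from the post or from pppd; the helper names and the stand-in `configure_interface` are hypothetical, and the real interface/route ioctls are not performed.

```c
/* Hypothetical helpers (not pppd code): keep a setuid-root daemon running as
 * the invoking user except around the calls that actually need uid 0. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t saved_uid; /* euid at startup: 0 when the binary is setuid root */
static uid_t real_uid;  /* uid of the user who started the daemon */

/* Call first thing in main(): remember both ids, then drop to the real user. */
int privs_init(void) {
    saved_uid = geteuid();
    real_uid = getuid();
    return seteuid(real_uid);
}

/* True while the process runs as the invoking user, which is the state it
 * should be in for tty handling and option-file parsing. */
int privs_are_dropped(void) { return geteuid() == getuid(); }

/* Run one privileged action bracketed by raise/drop. Failing to drop again is
 * fatal: carrying on with uid 0 is exactly the sloppiness the post complains about. */
int run_privileged(int (*action)(void)) {
    if (seteuid(saved_uid) != 0) return -1; /* binary is not setuid root */
    int rc = action();
    int action_errno = errno;
    if (seteuid(real_uid) != 0) {
        perror("seteuid(real_uid)");
        abort();
    }
    errno = action_errno;
    return rc;
}

/* Stand-in for the real work (interface creation or routing-table change):
 * it only reports whether the call ran with the elevated uid. */
int configure_interface(void) { return geteuid() == saved_uid; }

int main(void) {
    if (privs_init() != 0) { perror("seteuid"); return 1; }
    /* Unprivileged section: open the tty, parse options, ... */
    printf("tty phase runs as uid %u (dropped=%d)\n",
           (unsigned)geteuid(), privs_are_dropped());
    int rc = run_privileged(configure_interface);
    printf("interface setup privileged=%d, dropped again=%d\n", rc, privs_are_dropped());
    return rc == 1 ? 0 : 1;
}
```

Run as an ordinary user the binary is not setuid, so `saved_uid` equals `real_uid` and every `seteuid` succeeds; installed setuid root, the tty phase runs as the caller and only `configure_interface` sees uid 0.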