Marcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local winbind configuration, this could potentially lead to privilege escalation.
--> C because it does not affect the default conf (pam limits + winbind plugin) --> *1 because there is a possible privilege escalation i don't understand how CVE can reference ppp 2.4.4 as vulnerable, since from the officiel web site : "ppp 2.4.3 The latest version of ppp is version 2.4.3, released on 14 November 2004." http://samba.org/ppp/ --> setting to [upstream] status. Waiting.
C1 -> major, the policy says.
I understand that patch available at http://lists.opensuse.org/archive/opensuse-commit/2006-Jun/0117.html fixes this problem. Btw, I find it strange that upstream wasn't informed about it. Can someone enlighten me how could setuid(getuid()) be exploited? If the effective user is root, it will always succeed, isn't so?
No, we had a couple of those lately. It's not guaranteed that you can drop privs. If user's process limit is exceeded, for example, dropping fails. If you don't check the return code, your code will run as root as opposed to the unprivileged user you wanted to change to.
BTW, good reading IMHO: http://www.csl.sri.com/users/ddean/papers/usenix02.pdf
Created attachment 91097 [details, diff] winbind-drop-privs.patch Would this patch be OK from the security pov?
Looks ok to me. Any different POVs?
> > Would this patch be OK from the security pov? > it's OK for me
Fixed in ppp-2.4.3-r16 (give it a couple of hours till patches tarball is uploaded on our mirrors from dev.g.o:/space/distfiles-local). The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have winbind plugin.
> Fixed in ppp-2.4.3-r16 (give it a couple of hours till patches tarball is > uploaded on our mirrors from dev.g.o:/space/distfiles-local). good, thanks > The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have > winbind plugin. there will be no glsa then; closing. Thank you for the fastness, Alin. As usual, feel free to reopen if needed.