139477 2006-07-06 13:30 0000 net-dialup/ppp setuid() issue (CVE-2006-2194) 2006-07-07 01:07:41 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.ubuntu.com/usn/usn-310-1 C1 [noglsa] Falco P2 major --- 1 jaervosz@gentoo.org security@gentoo.org net-dialup@gentoo.org jaervosz@gentoo.org 2006-07-06 13:30:52 0000 Marcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local winbind configuration, this could potentially lead to privilege escalation. falco@gentoo.org 2006-07-06 15:06:23 0000 --> C because it does not affect the default conf (pam limits + winbind plugin) --> *1 because there is a possible privilege escalation i don't understand how CVE can reference ppp 2.4.4 as vulnerable, since from the officiel web site : "ppp 2.4.3 The latest version of ppp is version 2.4.3, released on 14 November 2004." http://samba.org/ppp/ --> setting to [upstream] status. Waiting. falco@gentoo.org 2006-07-06 15:23:34 0000 C1 -> major, the policy says. mrness@gentoo.org 2006-07-06 23:31:16 0000 I understand that patch available at http://lists.opensuse.org/archive/opensuse-commit/2006-Jun/0117.html fixes this problem. Btw, I find it strange that upstream wasn't informed about it. Can someone enlighten me how could setuid(getuid()) be exploited? If the effective user is root, it will always succeed, isn't so? frilled@gentoo.org 2006-07-06 23:34:34 0000 No, we had a couple of those lately. It's not guaranteed that you can drop privs. If user's process limit is exceeded, for example, dropping fails. If you don't check the return code, your code will run as root as opposed to the unprivileged user you wanted to change to. frilled@gentoo.org 2006-07-06 23:37:47 0000 BTW, good reading IMHO: http://www.csl.sri.com/users/ddean/papers/usenix02.pdf mrness@gentoo.org 2006-07-07 00:11:48 0000 Created an attachment (id=91097) winbind-drop-privs.patch Would this patch be OK from the security pov? frilled@gentoo.org 2006-07-07 00:32:57 0000 Looks ok to me. Any different POVs? falco@gentoo.org 2006-07-07 00:49:14 0000 > > Would this patch be OK from the security pov? > it's OK for me mrness@gentoo.org 2006-07-07 01:01:27 0000 Fixed in ppp-2.4.3-r16 (give it a couple of hours till patches tarball is uploaded on our mirrors from dev.g.o:/space/distfiles-local). The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have winbind plugin. falco@gentoo.org 2006-07-07 01:07:41 0000 > Fixed in ppp-2.4.3-r16 (give it a couple of hours till patches tarball is > uploaded on our mirrors from dev.g.o:/space/distfiles-local). good, thanks > The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have > winbind plugin. there will be no glsa then; closing. Thank you for the fastness, Alin. As usual, feel free to reopen if needed. 91097 2006-07-07 00:11 0000 winbind-drop-privs.patch winbind-drop-privs.patch text/plain ZGlmZiAtTnJ1IHBwcC0yLjQuMy5vcmlnL3BwcGQvcGx1Z2lucy93aW5iaW5kLmMgcHBwLTIuNC4z L3BwcGQvcGx1Z2lucy93aW5iaW5kLmMKLS0tIHBwcC0yLjQuMy5vcmlnL3BwcGQvcGx1Z2lucy93 aW5iaW5kLmMJMjAwNi0wNS0wOSAxNDozOTo0OS4wMDAwMDAwMDAgKzAzMDAKKysrIHBwcC0yLjQu My9wcHBkL3BsdWdpbnMvd2luYmluZC5jCTIwMDYtMDctMDcgMTA6MDk6MTAuMDAwMDAwMDAwICsw MzAwCkBAIC0zMDAsOCArMzAwLDEwIEBACiAJCWNsb3NlKGNoaWxkX2luWzFdKTsKIAogCQkvKiBy dW4gd2luYmluZCBhcyB0aGUgdXNlciB0aGF0IGludm9rZWQgcHBwZCAqLwotCQlzZXRnaWQoZ2V0 Z2lkKCkpOwotCQlzZXR1aWQoZ2V0dWlkKCkpOworCQlpZiAoc2V0Z2lkKGdldGdpZCgpKSA8IDAg fHwgc2V0dWlkKGdldHVpZCgpKSA8IDApIHsKKwkJCXBlcnJvcigicHBwZC93aW5iaW5kOiBmYWls ZWQgdG8gZHJvcCBwcml2aWxlZ2VzIik7CisJCQlleGl0KDEpOworCQl9CiAJCWV4ZWNsKCIvYmlu L3NoIiwgInNoIiwgIi1jIiwgbnRsbV9hdXRoLCBOVUxMKTsgIAogCQlwZXJyb3IoInBwcGQvd2lu YmluZDogY291bGQgbm90IGV4ZWMgL2Jpbi9zaCIpOwogCQlleGl0KDEpOwo=