Bug 139477 - net-dialup/ppp setuid() issue (CVE-2006-2194)
Bug#: 139477 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  http://www.ubuntu.com/usn/usn-310-1
Summary: net-dialup/ppp setuid() issue (CVE-2006-2194)
Keywords:  
Status Whiteboard: C1 [noglsa] Falco
Opened: 2006-07-06 13:30 0000
Description:   Opened: 2006-07-06 13:30 0000 
Marcus Meissner discovered that the winbind plugin of pppd does not
check the result of the setuid() call. On systems that configure PAM
limits for the maximum number of user processes and enable the winbind
plugin, a local attacker could exploit this to execute the winbind
NTLM authentication helper as root. Depending on the local winbind
configuration, this could potentially lead to privilege escalation.

------- Comment #1 From Raphael Marichez 2006-07-06 15:06:23 0000 ------- 
--> C because it does not affect the default conf (pam limits + winbind plugin)

--> *1 because there is a possible privilege escalation

i don't understand how CVE can reference ppp 2.4.4 as vulnerable, since from
the officiel web site :

"ppp 2.4.3
The latest version of ppp is version 2.4.3, released on 14 November 2004."
http://samba.org/ppp/

--> setting to [upstream] status. Waiting.

------- Comment #2 From Raphael Marichez 2006-07-06 15:23:34 0000 ------- 
C1 -> major, the policy says.

------- Comment #3 From Alin Năstac 2006-07-06 23:31:16 0000 ------- 
I understand that patch available at
http://lists.opensuse.org/archive/opensuse-commit/2006-Jun/0117.html fixes this
problem. Btw, I find it strange that upstream wasn't informed about it.

Can someone enlighten me how could setuid(getuid()) be exploited? If the
effective user is root, it will always succeed, isn't so?

------- Comment #4 From Wolf Giesen (RETIRED) 2006-07-06 23:34:34 0000 ------- 
No, we had a couple of those lately. It's not guaranteed that you can drop
privs. If user's process limit is exceeded, for example, dropping fails. If you
don't check the return code, your code will run as root as opposed to the
unprivileged user you wanted to change to.

------- Comment #5 From Wolf Giesen (RETIRED) 2006-07-06 23:37:47 0000 ------- 
BTW, good reading IMHO: http://www.csl.sri.com/users/ddean/papers/usenix02.pdf

------- Comment #6 From Alin Năstac 2006-07-07 00:11:48 0000 ------- 
Created an attachment (id=91097) [details]
winbind-drop-privs.patch

Would this patch be OK from the security pov?

------- Comment #7 From Wolf Giesen (RETIRED) 2006-07-07 00:32:57 0000 ------- 
Looks ok to me. Any different POVs?

------- Comment #8 From Raphael Marichez 2006-07-07 00:49:14 0000 ------- 
> 
> Would this patch be OK from the security pov?
> 

it's OK for me

------- Comment #9 From Alin Năstac 2006-07-07 01:01:27 0000 ------- 
Fixed in ppp-2.4.3-r16 (give it a couple of hours till patches tarball is
uploaded on our mirrors from dev.g.o:/space/distfiles-local).

The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have
winbind plugin.

------- Comment #10 From Raphael Marichez 2006-07-07 01:07:41 0000 ------- 
> Fixed in ppp-2.4.3-r16 (give it a couple of hours till patches tarball is
> uploaded on our mirrors from dev.g.o:/space/distfiles-local).

good, thanks

> The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have
> winbind plugin.

there will be no glsa then; closing. Thank you for the fastness, Alin.
As usual, feel free to reopen if needed.