
Bug 139477

Summary: net-dialup/ppp setuid() issue (CVE-2006-2194)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: net-dialup
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.ubuntu.com/usn/usn-310-1
Whiteboard: C1 [noglsa] Falco
Package list:
Runtime testing required: ---
Attachments: winbind-drop-privs.patch (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-06 13:30:52 UTC
Marcus Meissner discovered that the winbind plugin of pppd does not
check the result of the setuid() call. On systems that configure PAM
limits for the maximum number of user processes and enable the winbind
plugin, a local attacker could exploit this to execute the winbind
NTLM authentication helper as root. Depending on the local winbind
configuration, this could potentially lead to privilege escalation.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-06 15:06:23 UTC
--> C because it does not affect the default conf (pam limits + winbind plugin)

--> *1 because there is a possible privilege escalation

I don't understand how CVE can reference ppp 2.4.4 as vulnerable, since from the official web site:

"ppp 2.4.3
The latest version of ppp is version 2.4.3, released on 14 November 2004."
http://samba.org/ppp/

--> setting to [upstream] status. Waiting.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-06 15:23:34 UTC
C1 -> major, the policy says.
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2006-07-06 23:31:16 UTC
I understand that patch available at http://lists.opensuse.org/archive/opensuse-commit/2006-Jun/0117.html fixes this problem. Btw, I find it strange that upstream wasn't informed about it.

Can someone enlighten me how could setuid(getuid()) be exploited? If the effective user is root, it will always succeed, isn't it so?
Comment 4 Wolf Giesen (RETIRED) gentoo-dev 2006-07-06 23:34:34 UTC
No, we had a couple of those lately. It's not guaranteed that you can drop privs. If the user's process limit is exceeded, for example, dropping fails. If you don't check the return code, your code will run as root as opposed to the unprivileged user you wanted to change to.
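The failure mode Wolf describes, shown as an added example (not the pppd winbind plugin code and not the attached patch): the unchecked privilege drop beside a version that fails closed. `drop_privs_unchecked` and `drop_privs_checked` are hypothetical names for this illustration.

```c
/* Added example: unchecked vs. checked privilege drop (Linux, glibc). */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern: the return value of setuid() is ignored. If the kernel
 * refuses the switch (for example because the target uid is already at its
 * RLIMIT_NPROC process limit, as the PAM limits case in this bug), the
 * process keeps euid 0 and everything that runs afterwards runs as root. */
void drop_privs_unchecked(uid_t uid, gid_t gid)
{
    (void)setgid(gid);   /* result discarded */
    (void)setuid(uid);   /* result discarded: this is the missing check */
}

/* Checked pattern: returns 0 only when the process verifiably runs as the
 * target uid/gid and, if it started as root, cannot get root back. */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    /* Supplementary groups first; only root may call setgroups(), so a
     * non-root caller (which has nothing to drop) skips it. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: once the uid is non-root, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;       /* drop failed: do NOT continue as root */
    /* Verify that real and effective ids actually changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Stand-alone run: dropping to the caller's own ids always succeeds. */
    int rc = drop_privs_checked(getuid(), getgid());
    printf("drop_privs_checked -> %d (euid now %u)\n", rc, (unsigned)geteuid());
    return rc == 0 ? 0 : 1;
}
```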
Comment 5 Wolf Giesen (RETIRED) gentoo-dev 2006-07-06 23:37:47 UTC
BTW, good reading IMHO: http://www.csl.sri.com/users/ddean/papers/usenix02.pdf
Comment 6 Alin Năstac (RETIRED) gentoo-dev 2006-07-07 00:11:48 UTC
Created attachment 91097 [details, diff]
winbind-drop-privs.patch

Would this patch be OK from the security pov?
Comment 7 Wolf Giesen (RETIRED) gentoo-dev 2006-07-07 00:32:57 UTC
Looks ok to me. Any different POVs?
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-07 00:49:14 UTC
> Would this patch be OK from the security pov?

it's OK for me
Comment 9 Alin Năstac (RETIRED) gentoo-dev 2006-07-07 01:01:27 UTC
Fixed in ppp-2.4.3-r16 (give it a couple of hours till patches tarball is uploaded on our mirrors from dev.g.o:/space/distfiles-local).

The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have winbind plugin.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-07 01:07:41 UTC
> Fixed in ppp-2.4.3-r16 (give it a couple of hours till patches tarball is
> uploaded on our mirrors from dev.g.o:/space/distfiles-local).

good, thanks

> The stable version (2.4.2-r15) isn't affected by this bug since it doesn't have
> winbind plugin.

there will be no glsa then; closing. Thank you for the fastness, Alin.
As usual, feel free to reopen if needed.