Subject: NetBSD Security Advisory 2002-010: symlink race in pppd
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: current-users
Date: 09/17/2002 12:08:53
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-010
		 =================================

Topic:		symlink race in pppd

Version:	NetBSD-current:	 source prior to July 31, 2002
		NetBSD-1.6 beta: affected
		NetBSD-1.5.3:	 affected
		NetBSD-1.5.2:	 affected
		NetBSD-1.5.1:	 affected
		NetBSD-1.5:	 affected
		NetBSD-1.4.*:	 affected

Severity:       Local user may be able to modify permissions on any file

Fixed:		NetBSD-current:		July 31, 2002
		NetBSD-1.6 branch:	August 3, 2002
					(NetBSD 1.6 includes the fix)
		NetBSD-1.5 branch:	September 5, 2002
		NetBSD-1.4 branch:	not yet


Abstract
========

A race condition exists in the pppd program that may be exploited
in order to change the permissions of an arbitrary file.

A malicious local user may exploit the race condition to acquire write
permissions to a critical system file, and leverage the situation to
acquire escalated privileges.


Technical Details
=================

The file specified as the tty device is opened by pppd, and the
permissions are recorded.  If pppd fails to initialize the tty
device in some way (such as a failure of tcgetattr(3)), then pppd
will attempt to restore the original permissions by calling chmod(2).
The call to chmod(2) is subject to a symlink race, so that the
permissions may be `restored' on some other file.


Solutions and Workarounds
=========================

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

Otherwise, the following instructions describe how to upgrade your
pppd binaries by updating your source tree and rebuilding and
installing a new version of pppd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-07-30
	should be upgraded to NetBSD-current dated 2002-07-31 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		usr.sbin/pppd

	To update from CVS, re-build, and re-install pppd:
		# cd src
		# cvs update -d -P usr.sbin/pppd

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-04 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		usr.sbin/pppd

	To update from CVS, re-build, and re-install pppd:
		# cd src
		# cvs update -d -P -r netbsd-1-6 usr.sbin/pppd

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5 dated from before 2002-09-05 should
	be upgraded to NetBSD 1.5 branch dated 2002-09-05 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		usr.sbin/pppd

	To update from CVS, re-build, and re-install pppd:
		# cd src
		# cvs update -d -P -r netbsd-1-5 usr.sbin/pppd

		# cd usr.sbin/pppd
		# make cleandir dependall
		# make install


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	The advisory will be updated to include instructions to remedy
	this problem for systems running the NetBSD-1.4 branch.



Thanks To
=========

Jun-ichiro itojun Hagino for patches, and preparing the advisory text.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-08-01	Initial release
	2002-09-05	1.5 fixed
	2002-09-16	Re-release with updated information


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-010.txt,v 1.15 2002/09/16 05:17:55 dan Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqFT5Ru2/4N2IFAQGWDwQAodZpv2grHbPZPoIdUmlhRVp46pRnZTH7
jXUvVNLAbqQYTb08ICChzTF2IIjkvOySNLXvBeynNEMTmYeFh+HZwdrofr/+Wgcc
DBgX3BnCHgeRkJbKTDXjPmMKB+EP86H9o4yYz0pSKNVNRg7GgeJtM1zOLwlmX1NE
nj8huZwPs7c=
=7Lza
-----END PGP SIGNATURE-----