Thread: Re: *BSD user-ppp local root (when conditions permit)

Re: *BSD user-ppp local root (when conditions permit)
Russian Federation
2008-03-01 17:06:34
Good day.

[Reposting this message to the freebsd-security from my subscribed address.
Sorry for possible duplicates.]

Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
> 
> Steps to reproduce:
> 
> 1. Run ppp
> 
> 2. type the following (or at least some variation of)
> 
> ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> 
> 
> 
> This will produce a segmentation violation (Core dumped).

Yes, good catch: looks like a stack-based buffer overflow.  Also works on FreeBSD 7.0.  Could you please test the following rough patch -- it seems to cure the situation.  Although it is a bit late for today and I will recheck it more carefully tomorrow.

diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
 -82,6
+82,10  InterpretArg(const char *from, char *to)
     from++;
 
   while (*from != '') {
+    if (to >= endto) {
+	*endto = '';
+	return from;
+    }
     switch (*from) {
       case '"':
         instring = !instring;
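Review bot: `endto` is used by the new check at the top of the loop but is neither declared in this hunk nor derivable from `InterpretArg(const char *from, char *to)`, which still has no length parameter; please include the hunk that defines it, because the store `*endto = ...` means `endto` has to point at the last writable byte of `to` (the terminator slot), not one past the end, and a reviewer cannot confirm that from what is shown. Returning `from` after cutting the line also gives the caller no way to tell truncation from success; an error return, or at least a log message, would be better than a silent cut.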
 -97,6
+101,10  InterpretArg(const char *from, char *to)
             *to++ = '\';	/* Pass the escapes on, maybe
skipping # */
             break;
         }
+	if (to >= endto) {
+		*endto = '';
+		return from;
+	}
         *to++ = *from++;
         break;
       case '$':
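Review bot: the escape case stores a byte (`*to++ = '\\'`, just above the `break`) before it ever reaches the new `if (to >= endto)` test in this hunk, so that store is kept in bounds only by the check at the head of the loop; that coupling is easy to break in a later edit and deserves a comment, or better a single helper that checks before every store to `to` instead of four hand-placed checks.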
 -127,6
+135,10  InterpretArg(const char *from, char *to)
             *ptr++ = *from;
           *ptr = '';
         }
+	if (to >= endto) {
+		*endto = '';
+		return from;
+	}
         if (*to == '')
           *to++ = '$';
         else if ((env = getenv(to)) != NULL) {
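Review bot: the check added here guards the `*to++ = '$'` store and the `getenv(to)` lookup, but the copy of the environment value into `to` that follows the `getenv` is outside the visible context; for a setuid binary the environment is caller-controlled, so please confirm that copy is bounded by `endto` as well, otherwise this hunk only moves the overflow to the expansion.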
 -142,6
+154,10  InterpretArg(const char *from, char *to)
         if (len == 0)
           pwd = getpwuid(ID0realuid());
         else {
+	  if (to + len >= endto) {
+		*to = '';
+		return from;
+	  }
           strncpy(to, from, len);
           to[len] = '';
           pwd = getpwnam(to);
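Review bot: on overflow this hunk terminates at `*to` while the three earlier hunks terminate at `*endto`; pick one convention for the failure path. The `to + len >= endto` comparison refuses exactly the case where `to[len]` would land on `endto`, which is right only under the invariant that `endto` is the terminator slot, so that invariant should be stated once. And as in the other hunks the user name is dropped silently and `getpwnam()` is never reached, so an over-long `~user` is treated like the end of the line with no diagnostic.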

Thank you!
-- 
Eygene
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Re: *BSD user-ppp local root (when conditions permit)
Czech Republic
2008-03-01 18:48:17
Eygene Ryabinkin wrote, On 03/02/08 00:06:
>> 1. Run ppp
>> 2. type the following (or at least some variation of)
...

> Yes, good catch: looks like stack-based buffer overflow

> Could you please test the following rough patch

It seems you are going to cut off part of the line silently.

IMHO the line should be rejected as invalid altogether, or at least a warning needs to be issued ...

Someone may create such a long line (unintentionally); it will not work for him with no hint why, which is not so polite ...

				Dan
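Added example, not code from user-ppp or from the rough patch above: a bounded version of the kind of "~" / "~user" expansion InterpretArg() performs, written so that an over-long line is refused with an error and an emptied buffer (Dan's suggestion) instead of being cut short silently (what the patch does). expand_arg, put, fake_home, make_repro_line, the home-directory table and the 256-byte buffer are assumptions made for this illustration and say nothing about ppp's real buffer sizes or lookup rules.

```c
/*
 * Added example (not user-ppp's code): a bounded re-implementation of the
 * kind of argument expansion InterpretArg() performs, written so that an
 * over-long result is refused with an error instead of being silently
 * truncated.  expand_arg(), put(), fake_home(), make_repro_line() and the
 * constructed home-directory table are assumptions for this illustration.
 */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for getpwnam()/getpwuid(), so the example runs offline. */
static const char *fake_home(const char *user, size_t len)
{
    static const struct { const char *name; const char *home; } tbl[] = {
        { "",    "/home/tester" },      /* bare "~": the invoking user */
        { "ppp", "/var/spool/ppp" },
    };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strlen(tbl[i].name) == len && memcmp(tbl[i].name, user, len) == 0)
            return tbl[i].home;
    return NULL;
}

/* Append n bytes of src to to[] at *pos, always keeping room for the
 * terminator.  Returns -1 without writing anything when they would not fit. */
static int put(char *to, size_t cap, size_t *pos, const char *src, size_t n)
{
    if (n > cap - 1 - *pos)
        return -1;
    memcpy(to + *pos, src, n);
    *pos += n;
    return 0;
}

/*
 * Expand every "~" / "~user" token (the shape of the posted repro line) into
 * the corresponding home directory and copy everything else verbatim.  An
 * unknown user is left as written.  Returns 0 on success; on overflow returns
 * -1 and leaves to[0] == '\0', so a caller can never act on a partial line.
 */
int expand_arg(const char *from, char *to, size_t cap)
{
    size_t pos = 0;

    if (cap == 0)
        return -1;
    to[0] = '\0';
    while (*from != '\0') {
        if (*from == '~') {
            const char *end = from + 1;          /* user name runs up to '/' */
            while (*end != '\0' && *end != '/')
                end++;
            const char *home = fake_home(from + 1, (size_t)(end - from - 1));
            const char *src = home != NULL ? home : from;
            size_t n = home != NULL ? strlen(home) : (size_t)(end - from);
            if (put(to, cap, &pos, src, n) < 0)
                goto toolong;
            from = end;
        } else {
            if (put(to, cap, &pos, from, 1) < 0)
                goto toolong;
            from++;
        }
    }
    to[pos] = '\0';
    return 0;

toolong:
    to[0] = '\0';
    return -1;
}

/* Build a line shaped like the one in the report: ntilde copies of "~/"
 * followed by nx 'x' characters (constructed input, not a real ppp config). */
size_t make_repro_line(char *buf, size_t cap, size_t ntilde, size_t nx)
{
    size_t pos = 0;
    while (ntilde-- > 0 && pos + 2 < cap) { buf[pos++] = '~'; buf[pos++] = '/'; }
    while (nx-- > 0 && pos + 1 < cap) buf[pos++] = 'x';
    buf[pos] = '\0';
    return pos;
}

/* Returns 1 when a short line expands as expected. */
int demo_short(void)
{
    char out[256];
    return expand_arg("~/foo ~ppp/x ~nobody", out, sizeof out) == 0
        && strcmp(out, "/home/tester/foo /var/spool/ppp/x ~nobody") == 0;
}

/* Returns 1 when the report's over-long line is refused and out[] is cleared. */
int demo_repro(void)
{
    char line[512], out[256];
    make_repro_line(line, sizeof line, 10, 421);
    out[0] = 'Z';
    return expand_arg(line, out, sizeof out) == -1 && out[0] == '\0';
}

int main(void)
{
    printf("short line ok: %d\nrepro line refused: %d\n", demo_short(), demo_repro());
    return 0;
}
```

The one design point worth carrying back to the real code is that the bound is checked inside the single routine that writes to the output, so no case of the switch can forget it, and that failure empties the buffer rather than leaving a prefix that a later `getpwnam()` or command parser would happily consume.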

Re: *BSD user-ppp local root (when conditions permit)
Russian Federation
2008-03-02 00:11:44
Me again.

Sun, Mar 02, 2008 at 02:06:34AM +0300, Eygene Ryabinkin wrote:
> Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> > I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
> > 
> > Steps to reproduce:
> > 
> > 1. Run ppp
> > 
> > 2. type the following (or at least some variation of)
> > 
> > ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> > 
> > 
> > 
> > This will produce a segmentation violation (Core dumped).
> 
> Yes, good catch: looks like a stack-based buffer overflow.  Also works on FreeBSD 7.0.  Could you please test the following rough patch -- it seems to cure the situation.  Although it is a bit late for today and I will recheck it more carefully tomorrow.

About the possible exploitation scenarios: I see two of them in the default FreeBSD installation, when ppp is setuid root and permitted to run only for root and the 'network' group.

a) Trusted users from the group 'network': interactive privilege escalation and local root exploit.

b) Trusted users who can modify ppp's configuration files: non-interactive escalation and local root exploit (remote root exploit in the setups where some Web interface to the PPP configuration and the like exists).

Have I missed something?
-- 
Eygene