CVE-2006-2194
CVSS 7.2
Published: 2006-07-05 14:05:00
Last revised: 2010-04-02 03:43:46

[Original] The winbind plugin in pppd for ppp 2.4.4 and earlier does not check the return code from the setuid function call, which might allow local users to gain privileges by causing setuid to fail, such as exceeding PAM limits for the maximum number of user processes, which prevents the winbind NTLM authentication helper from dropping privileges.


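[CNNVD] PPPD Winbind Plugin Local Privilege Escalation Vulnerability (CNNVD-200607-016)

        ppp (Paul's PPP Package) is an open-source software package that implements the Point-to-Point Protocol on Linux and Solaris systems.
        ppp has a flaw in how it controls the privileges with which plugins execute; a local attacker may be able to exploit this flaw to elevate privileges.
        The winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits on the number of user processes and enable the winbind plugin, a local attacker can exploit this flaw to execute the winbind NTLM authentication helper with root privileges, which may lead to privilege escalation.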
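
The unchecked call described above next to a checked privilege drop, as an added C example (not code from ppp or from any of the advisories on this page). The `priv_ops` table, the `sim_*` functions and uid/gid 1000 are constructed for illustration so that a failing `setuid()` can be shown without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Credential calls sit behind function pointers (an assumption of this
 * example) so the failure can be simulated; real_ops uses the libc calls. */
struct priv_ops {
    int   (*set_gid)(gid_t);
    int   (*set_uid)(uid_t);
    uid_t (*get_euid)(void);
};
const struct priv_ops real_ops = { setgid, setuid, geteuid };

/* Constructed simulation: a process running as root whose target user has
 * hit its process limit, so set_uid fails and the credentials stay as-is. */
static uid_t sim_euid;
static int   sim_limit_hit;

static int sim_setgid(gid_t g) { (void)g; return 0; }
static int sim_setuid(uid_t u)
{
    if (sim_euid != 0 && u != sim_euid) { errno = EPERM; return -1; }
    if (sim_limit_hit) { errno = EAGAIN; return -1; }
    sim_euid = u;
    return 0;
}
static uid_t sim_geteuid(void) { return sim_euid; }
const struct priv_ops sim_ops = { sim_setgid, sim_setuid, sim_geteuid };

void sim_reset(int limit_hit) { sim_euid = 0; sim_limit_hit = limit_hit; }

/* The pattern the advisories describe: return values are ignored.
 * Returns the effective uid the helper would then be exec'd with. */
uid_t drop_unchecked(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    ops->set_gid(gid);
    ops->set_uid(uid);
    return ops->get_euid();
}

/* Checked form: returns 0 only when the drop is complete; on -1 the caller
 * must exit instead of exec'ing the helper. A real helper launcher would
 * also clear supplementary groups before the setgid step. */
int drop_checked(const struct priv_ops *ops, uid_t uid, gid_t gid)
{
    if (ops->set_gid(gid) != 0) return -1;  /* group first, while still root */
    if (ops->set_uid(uid) != 0) return -1;  /* the check that was missing */
    if (ops->get_euid() != uid) return -1;  /* confirm the drop took effect */
    if (uid != 0 && ops->set_uid(0) == 0)   /* root must not be recoverable */
        return -1;
    return 0;
}

int main(void)
{
    sim_reset(1);
    printf("unchecked, limit hit: helper euid=%ld\n",
           (long)drop_unchecked(&sim_ops, 1000, 1000));
    sim_reset(1);
    printf("checked,   limit hit: %s\n",
           drop_checked(&sim_ops, 1000, 1000) ? "abort" : "exec helper");
    sim_reset(0);
    printf("checked,   no limit:  %s\n",
           drop_checked(&sim_ops, 1000, 1000) ? "abort" : "exec helper");
    return 0;
}
```

Passing `&real_ops` instead of `&sim_ops` runs the same logic against the process's real credentials.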

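- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete shutdown of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]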

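- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2194
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2194
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-016
(Official data source) CNNVD

- Other links and resources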

http://www.securityfocus.com/bid/18849
(PATCH)  BID  18849
http://www.debian.org/security/2006/dsa-1106
(VENDOR_ADVISORY)  DEBIAN  DSA-1106
http://secunia.com/advisories/20996
(VENDOR_ADVISORY)  SECUNIA  20996
http://secunia.com/advisories/20987
(VENDOR_ADVISORY)  SECUNIA  20987
http://secunia.com/advisories/20967
(VENDOR_ADVISORY)  SECUNIA  20967
http://www.ubuntu.com/usn/usn-310-1
(UNKNOWN)  UBUNTU  USN-310-1
http://www.osvdb.org/26994
(UNKNOWN)  OSVDB  26994
http://secunia.com/advisories/20963
(UNKNOWN)  SECUNIA  20963
http://www.mandriva.com/security/advisories?name=MDKSA-2006:119
(UNKNOWN)  MANDRIVA  MDKSA-2006:119

- Vulnerability information

PPPD Winbind Plugin Local Privilege Escalation Vulnerability
High risk  Design error
2006-07-05 00:00:00 2006-07-21 00:00:00
Local

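- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:
        http://www.samba.org/ppp/index.html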

- Vulnerability information (F49275)

Debian Linux Security Advisory 1150-1 (PacketStormID:F49275)
2006-08-27 00:00:00
Debian  debian.org
advisory
linux,debian
CVE-2006-2194

Debian Security Advisory 1150-1 - A bug has been discovered in several packages that execute the setuid() system call without checking for success when trying to drop privileges, which may fail with some PAM configurations.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1150-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 12th, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : shadow
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2006-2194
BugTraq ID     : 18849

A bug has been discovered in several packages that execute the
setuid() system call without checking for success when trying to drop
privileges, which may fail with some PAM configurations.

For the stable distribution (sarge) this problem has been fixed in
version 4.0.3-31sarge8.

For the unstable distribution (sid) this problem has been fixed in
version 4.0.17-2.

We recommend that you upgrade your passwd package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE3gbPW5ql+IAeqTIRArPYAJ9QDaWDHuyAKGFsNL/yD03gG+A8xgCfZqX3
mxXbCejE+IIPJ4zwU4GQyV8=
=sQR4
-----END PGP SIGNATURE-----

    

- Vulnerability information (F48179)

Mandriva Linux Security Advisory 2006.119 (PacketStormID:F48179)
2006-07-12 00:00:00
Mandriva  mandriva.com
advisory,local,root
linux,mandriva
CVE-2006-2194

Mandriva Linux Security Advisory MDKSA-2006-119 - Marcus Meissner discovered that pppd's winbind plugin did not check for the result of the setuid() call which could allow an attacker to exploit this on systems with certain PAM limits enabled to execute the NTLM authentication helper as root. This could possibly lead to privilege escalation dependent upon the local winbind configuration.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                          MDKA-2006:119
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : ppp
 Date    : July 10, 2006
 Affected: 2006.0
 _______________________________________________________________________
 
 Problem Description:
 
 Marcus Meissner discovered that pppd's winbind plugin did not check for
 the result of the setuid() call which could allow an attacker to
 exploit this on systems with certain PAM limits enabled to execute the
 NTLM authentication helper as root.  This could possibly lead to
 privilege escalation dependent upon the local winbind configuration.
 
 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2194
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEswtAmqjQ0CJFipgRAjifAKDKvH8Gv/mS+pooTMJbQb7KN3Di7wCg9pmY
F1TbQTxk905x7K8bqg0ddi0=
=y43d
-----END PGP SIGNATURE-----

    

- Vulnerability information (F48167)

Debian Linux Security Advisory 1106-1 (PacketStormID:F48167)
2006-07-12 00:00:00
Debian  debian.org
advisory
linux,debian
CVE-2006-2194

Debian Security Advisory 1106-1 - Marcus Meissner discovered that the winbind plugin in pppd does not check whether a setuid() call has been successful when trying to drop privileges, which may fail with some PAM configurations.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1106-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
July 10th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : ppp
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2006-2194

Marcus Meissner discovered that the winbind plugin in pppd does not
check whether a setuid() call has been successful when trying to drop
privileges, which may fail with some PAM configurations.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 2.4.3-20050321+2sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.4.4rel-1.

We recommend that you upgrade your ppp package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEsfHjW5ql+IAeqTIRAkTfAKCLnv7ChQkOQEADsnOb2DN62EYSPACfQuEe
tlTFWEenK/Md71yip8pQWEA=
=Rb17
-----END PGP SIGNATURE-----

    

- Vulnerability information (F48077)

Ubuntu Security Notice 310-1 (PacketStormID:F48077)
2006-07-09 00:00:00
Ubuntu  security.ubuntu.com
advisory,local,root
linux,ubuntu
CVE-2006-2194

Ubuntu Security Notice 310-1: Marcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local winbind configuration, this could potentially lead to privilege escalation.

=========================================================== 
Ubuntu Security Notice USN-310-1              July 05, 2006
ppp vulnerability
CVE-2006-2194
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  ppp                            2.4.3-20050321+2ubuntu1.1
  ppp-dev                        2.4.3-20050321+2ubuntu1.1
  ppp-udeb                       2.4.3-20050321+2ubuntu1.1

Ubuntu 6.06 LTS:
  ppp                            2.4.4b1-1ubuntu3.1
  ppp-dev                        2.4.4b1-1ubuntu3.1
  ppp-udeb                       2.4.4b1-1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Marcus Meissner discovered that the winbind plugin of pppd does not
check the result of the setuid() call. On systems that configure PAM
limits for the maximum number of user processes and enable the winbind
plugin, a local attacker could exploit this to execute the winbind
NTLM authentication helper as root. Depending on the local winbind
configuration, this could potentially lead to privilege escalation.


Updated packages for Ubuntu 5.10:


Updated packages for Ubuntu 6.06 LTS:


    

- Vulnerability information

26994
ppp Winbind Plugin setuid Failure Local Privilege Escalation
Local Access Required Other
Loss of Confidentiality, Loss of Integrity
Exploit Unknown

- Vulnerability description

ppp Winbind Plugin contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the Winbind Plugin fails to check the result of the 'setuid' call. This flaw may lead to a loss of confidentiality and integrity.

- Timeline

2006-07-05 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.4.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

PPPD Winbind Plugin Local Privilege Escalation Vulnerability
Design Error 18849
No Yes
2006-07-06 12:00:00 2006-10-11 06:54:00
Marcus Meissner discovered this issue.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 sparc
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Paul Mackerras PPPD 2.4.3
Paul Mackerras PPPD 2.4.4b1
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1

- Discussion

The 'winbind' plugin of 'pppd' can allow local attackers to gain elevated privileges, which may lead to a complete compromise.

Version 2.4.3 of 'pppd' is reported vulnerable. Other versions may be affected as well.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Please see the references for vendor advisories and more information.


Paul Mackerras PPPD 2.4.4b1

Paul Mackerras PPPD 2.4.3

- Related references

 

 
