Bug 64035 (CVE-2004-0564)

Summary: VUL-0: CVE-2004-0564: privilege escalation in pppoe
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Ludwig Nussel <lnussel>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0564: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2004-12-08 18:18:07 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Tue, 28 Sep 2004 20:10:47 -0700
From: Matt Zimmerman <mdz@debian.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0564 privilege escalation in pppoe

Affects any of you who have a privileged /usr/sbin/pppoe from rp-pppoe.
CAN-2004-0564

----- Forwarded message from Max Vozeler <max@hinterhof.net> -----

Date: Tue, 28 Sep 2004 22:50:24 +0200
From: Max Vozeler <max@hinterhof.net>
To: Christian Hudon <chrish@debian.org>, team@security.debian.org
Subject: pppoe: local privilege escalation

Hi Chris,

there is a nasty side effect to pppoe having set-user-ID root in
testing/unstable (3.5-3): Users in group dip can trick /usr/sbin/pppoe
into creating root-owned mode 777 files anywhere in the filesystem.

  $ id
  uid=1002(user) gid=1002(user) groups=1002(user),30(dip)
  
  $ umask 0
  $ /usr/sbin/pppoe -p /etc/cron.d/owned
  <ctrl>-\
  Quit

  $ ls -l /etc/cron.d/owned
  -rw-rw-rw-  1 root user 4 Sep 28 22:18 /etc/cron.d/owned

The affected options are -p <pidfile> and -D <debugfile>. If users don't
normally need to specify these, maybe it could just ignore them unless
the caller is root. Attached is a patch which does this and which should
prevent the exploit. (for pppoe 3.5-3)


The README.Debian in ppp or kppp and probably other places encourages
people to use group dip for controlling PPP access. I remember doing
this myself when I needed pon to work as unprivileged user.

Cheers,
Max

-- 
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC

--- pppoe.c-orig	2004-09-28 16:23:16.000000000 +0200
+++ pppoe.c	2004-09-28 16:30:30.000000000 +0200
 	    break;
 
 	case 'p':
-	    pidfile = fopen(optarg, "w");
-	    if (pidfile) {
-		fprintf(pidfile, "%lu\n", (unsigned long) getpid());
-		fclose(pidfile);
-	    }
+            if (getuid() == 0) {
+                pidfile = fopen(optarg, "w");
+                if (pidfile) {
+                    fprintf(pidfile, "%lu\n", (unsigned long) getpid());
+                    fclose(pidfile);
+                }
+            } else
+                fprintf(stderr, "Ignored option -p: needs root privileges.\n");
 	    break;
 	case 'S':
 	    SET_STRING(conn.serviceName, optarg);
 	    conn.useHostUniq = 1;
 	    break;
 	case 'D':
-	    conn.debugFile = fopen(optarg, "w");
-	    if (!conn.debugFile) {
-		fprintf(stderr, "Could not open %s: %s\n",
-			optarg, strerror(errno));
-		exit(EXIT_FAILURE);
-	    }
-	    fprintf(conn.debugFile, "rp-pppoe-%s\n", VERSION);
-	    fflush(conn.debugFile);
+            if (getuid() == 0) {
+                conn.debugFile = fopen(optarg, "w");
+                if (!conn.debugFile) {
+                    fprintf(stderr, "Could not open %s: %s\n",
+                            optarg, strerror(errno));
+                    exit(EXIT_FAILURE);
+                }
+                fprintf(conn.debugFile, "rp-pppoe-%s\n", VERSION);
+                fflush(conn.debugFile);
+            } else
+                fprintf(stderr, "Ignored option -D: needs root privileges.\n");
 	    break;
 	case 'T':
 	    optInactivityTimeout = (int) strtol(optarg, NULL, 10);
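Review bot: the `getuid() == 0` gate in both the `-p` and `-D` cases treats the symptom (an unprivileged caller can no longer make root create the file) by removing the two options for everyone in group dip, while the root path still does `fopen(optarg, "w")` with full privileges and no protection against an existing file or symlink at that location. An alternative that keeps the options usable is to switch the effective uid/gid to the real ids (`seteuid(getuid())` and the gid equivalent) around the `fopen`, so the pidfile and debug file are created with the caller's own permissions and ownership, and to open them with `O_CREAT|O_EXCL|O_NOFOLLOW` so a pre-placed file or link is never truncated. Two smaller points: the added lines are indented with spaces where the surrounding code uses tabs, and each braced `if` is paired with an unbraced `else`; also, since the ignored option only prints a warning and carries on, a caller that relies on the pidfile being written gets neither the file nor a non-zero exit status.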


----- End forwarded message -----
Comment 1 Ludwig Nussel 2004-12-08 18:35:05 UTC
This is just a reminder. We don't have it setuid.
Comment 2 Thomas Biege 2009-10-13 20:02:57 UTC
CVE-2004-0564: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)