Bugzilla – Bug 64035
VUL-0: CVE-2004-0564: privilege escalation in pppoe
Last modified: 2021-10-19 13:54:57 UTC
We received the following report via vendor-sec. The issue is public.

Date: Tue, 28 Sep 2004 20:10:47 -0700
From: Matt Zimmerman <mdz@debian.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0564 privilege escalation in pppoe

Affects any of you who have a privileged /usr/sbin/pppoe from rp-pppoe.

CAN-2004-0564

----- Forwarded message from Max Vozeler <max@hinterhof.net> -----

Date: Tue, 28 Sep 2004 22:50:24 +0200
From: Max Vozeler <max@hinterhof.net>
To: Christian Hudon <chrish@debian.org>, team@security.debian.org
Subject: pppoe: local privilege escalation

Hi Chris,

there is a nasty side effect to pppoe having set-user-ID root in testing/unstable (3.5-3): Users in group dip can trick /usr/sbin/pppoe into creating root-owned mode 777 files anywhere in the filesystem.

$ id
uid=1002(user) gid=1002(user) groups=1002(user),30(dip)
$ umask 0
$ /usr/sbin/pppoe -p /etc/cron.d/owned
<ctrl>-\
Quit
$ ls -l /etc/cron.d/owned
-rw-rw-rw- 1 root user 4 Sep 28 22:18 /etc/cron.d/owned

The affected options are -p <pidfile> and -D <debugfile>. If users don't normally need to specify these, maybe it could just ignore them unless the caller is root. Attached is a patch which does this and which should prevent the exploit. (for pppoe 3.5-3)

The README.Debian in ppp or kppp and probably other places encourages people to use group dip for controlling PPP access. I remember doing this myself when I needed pon to work as unprivileged user.
Cheers, Max -- 308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC --- pppoe.c-orig 2004-09-28 16:23:16.000000000 +0200 +++ pppoe.c 2004-09-28 16:30:30.000000000 +0200 break; case 'p': - pidfile = fopen(optarg, "w"); - if (pidfile) { - fprintf(pidfile, "%lu\n", (unsigned long) getpid()); - fclose(pidfile); - } + if (getuid() == 0) { + pidfile = fopen(optarg, "w"); + if (pidfile) { + fprintf(pidfile, "%lu\n", (unsigned long) getpid()); + fclose(pidfile); + } + } else + fprintf(stderr, "Ignored option -p: needs root privileges.\n"); break; case 'S': SET_STRING(conn.serviceName, optarg); conn.useHostUniq = 1; break; case 'D': - conn.debugFile = fopen(optarg, "w"); - if (!conn.debugFile) { - fprintf(stderr, "Could not open %s: %s\n", - optarg, strerror(errno)); - exit(EXIT_FAILURE); - } - fprintf(conn.debugFile, "rp-pppoe-%s\n", VERSION); - fflush(conn.debugFile); + if (getuid() == 0) { + conn.debugFile = fopen(optarg, "w"); + if (!conn.debugFile) { + fprintf(stderr, "Could not open %s: %s\n", + optarg, strerror(errno)); + exit(EXIT_FAILURE); + } + fprintf(conn.debugFile, "rp-pppoe-%s\n", VERSION); + fflush(conn.debugFile); + } else + fprintf(stderr, "Ignored option -D: needs root privileges.\n"); break; case 'T': optInactivityTimeout = (int) strtol(optarg, NULL, 10); ----- End forwarded message -----
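Review bot: The getuid() == 0 gate on the `case 'p':` branch keeps unprivileged callers away from fopen(), but the fopen(optarg, "w") that remains for root still truncates whatever optarg names, follows symlinks, and creates the pidfile with a mode derived from the caller's umask (the `umask 0` in the report). Consider open(2) with O_CREAT|O_EXCL (and O_NOFOLLOW where available) and an explicit mode such as 0644, so the file's permissions do not depend on the invoking environment even when the caller really is root. getuid() rather than geteuid() is the correct test here, since the effective uid of a set-user-ID root binary is always 0. Minor style point: the new `if` body is braced while the `else` branch is a single unbraced fprintf(); bracing both would make the block safer to patch later.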
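Review bot: The `case 'D':` hunk mirrors the `-p` change but introduces a behavioural asymmetry worth documenting: for root, failure to open the debug file is fatal (exit(EXIT_FAILURE)), while for non-root the option is downgraded to a stderr warning and pppoe carries on with conn.debugFile left unset, so any later code that assumes -D implies a non-NULL debugFile must tolerate that. The same fopen(optarg, "w") concerns apply (truncation of an existing target, symlink following, umask-derived mode), and because this file stays open for the life of the connection, creating it with O_EXCL and an explicit mode rather than "w" would be preferable. The unbraced `else` after a braced `if` is the same style inconsistency as in the `-p` hunk.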
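The report above shows why fopen(optarg, "w") in a set-user-ID root program is dangerous: the file is created as root, and its mode comes from the caller's umask. As an added illustration of the defensive side (not code from the bug report, from rp-pppoe, or from the Debian patch), the hypothetical write_pidfile() below combines the patch's real-uid check with two further measures: O_CREAT|O_EXCL|O_NOFOLLOW so an existing file or symlink is never truncated or followed, and an explicit fchmod() so the umask cannot widen the permissions. The real uid is passed in as a parameter (an assumption made so the logic can be exercised without actually running set-user-ID root); the path /tmp/pidfile-demo.pid is a constructed demo value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for write_pidfile(). */
enum pidfile_result {
    PIDFILE_OK = 0,
    PIDFILE_REFUSED = 1,   /* caller is not root: option ignored, as in the patch */
    PIDFILE_EXISTS = 2,    /* path already exists (or is a symlink): refuse to clobber it */
    PIDFILE_ERROR = 3      /* other open/write failure, errno set */
};

/*
 * Hypothetical hardened replacement for the `case 'p':` branch.
 * Three defences, compared with fopen(optarg, "w"):
 *  1. Honour the option only when the *real* uid is 0 (the patch's check).
 *     In a set-user-ID root binary geteuid() is always 0, so getuid() is the one to test.
 *  2. Create with O_CREAT|O_EXCL|O_NOFOLLOW so an existing file or a symlink
 *     planted by the caller is never truncated or followed.
 *  3. Force the mode to 0644 with fchmod(), so the caller's umask (the
 *     `umask 0` in the report) cannot widen permissions on the root-owned file.
 */
enum pidfile_result write_pidfile(const char *path, uid_t real_uid, pid_t pid)
{
    if (real_uid != 0)
        return PIDFILE_REFUSED;

    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return errno == EEXIST ? PIDFILE_EXISTS : PIDFILE_ERROR;

    /* open() masks its mode argument with the umask; apply the mode explicitly. */
    if (fchmod(fd, 0644) < 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return PIDFILE_ERROR;
    }

    char buf[32];
    int len = snprintf(buf, sizeof buf, "%lu\n", (unsigned long) pid);
    if (len < 0 || write(fd, buf, (size_t) len) != (ssize_t) len) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return PIDFILE_ERROR;
    }
    close(fd);
    return PIDFILE_OK;
}

/* Demo helper: permission bits of a path (without following symlinks), or -1 if absent. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    return (int) (st.st_mode & 07777);
}

/* Demo helper: remove a path; absence is not an error. Returns 0 on success. */
int remove_file(const char *path)
{
    return (unlink(path) == 0 || errno == ENOENT) ? 0 : -1;
}

/* Demo helper: set the process umask (reproduces the report's `umask 0`). Returns 0. */
int set_demo_umask(mode_t m)
{
    umask(m);
    return 0;
}

int main(void)
{
    const char *path = "/tmp/pidfile-demo.pid";   /* constructed demo path */
    remove_file(path);
    set_demo_umask(0);

    /* Unprivileged real uid (1002 as in the report): option ignored, nothing created. */
    printf("non-root: %d\n", write_pidfile(path, 1002, getpid()));
    /* Root real uid (simulated): file created with mode 0644 despite umask 0. */
    printf("root:     %d\n", write_pidfile(path, 0, getpid()));
    printf("mode:     %04o\n", file_mode_bits(path));
    /* A second call refuses to clobber the existing file. */
    printf("again:    %d\n", write_pidfile(path, 0, getpid()));

    remove_file(path);
    return 0;
}
```

The O_EXCL refusal is the part a pidfile writer most often gets wrong: a daemon that legitimately restarts will need to remove a stale pidfile first, which is a deliberate, separate step rather than something the privileged open should do implicitly.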
This is just a reminder. We don't have it setuid.
CVE-2004-0564: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)