Bugtraq mailing list archives
Re: pppd security hole Re: i386/344 (fwd)
From: ww () STYX ORG (Will Waites)
Date: Mon, 17 Nov 1997 16:37:59 -0500
"David" == David Neil <theoe () EUROPA COM> writes:
David> Also, pppd is public domain, and lives around many other
David> systems such as slowaris, lamex, *bsd. I don't know how
David> pppd got its SUID bit, but it doesn't need it.

Indeed it does - pppd needs to (1) create a network interface and (2) possibly modify the kernel's routing table. To do both of these, superuser privileges are required.

However it is true that pppd handles its privileges sloppily - i.e. it should not be running with uid 0 when it is accessing the ttys, only when it needs to do some privileged system calls.

I haven't looked at the source for pppd, but since it reads a *lot* of different parameters from its config file(s), it seems likely that there might be some buffer overflow problems. Has anyone looked into this?

Cheers,
Will

--
////////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Will Waites                        || NIC Handle: WW1310
ww () styx org                     ||
-----------------------------------||-----------------------------------
key ID = 2048/1CA68339             || Public key at pgp.ai.mit.edu
fingerprint = DA BE BD 7E 65 CD A3 3F E2 5D 66 0A 8D 9E 41 FD
------------------------------------------------------------------------
"If that makes any sense to you, you have a big problem" -- C. Durance
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\////////////////////////////////////
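The privilege handling the reply asks for, as an added example that is not part of the original post and is not pppd's code: a setuid-root program runs as the invoking user while it opens the tty and raises its effective uid only around a privileged call. The helper names, the `/dev/null` default and the `report_euid` stand-in are assumptions made for illustration.

```c
/* Added example: privilege bracketing for a setuid-root program (not pppd source). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t priv_euid;   /* euid at startup: 0 when installed setuid root */

/* Run as the invoking user; the saved set-user-ID keeps the way back open. */
static int priv_drop(void) {
    if (seteuid(getuid()) != 0) return -1;
    return geteuid() == getuid() ? 0 : -1;   /* verify the drop, never assume it */
}

static int priv_init(void) { priv_euid = geteuid(); return priv_drop(); }

/* Open a device with the invoker's own permissions, so the kernel does the access check. */
static int open_as_invoker(const char *path, int flags) {
    if (geteuid() != getuid()) { errno = EPERM; return -1; }  /* refuse while privileged */
    return open(path, flags | O_NOCTTY | O_NONBLOCK);
}

/* Raise privilege around exactly one operation, then drop again. */
static int with_privilege(int (*op)(void *), void *arg) {
    if (seteuid(priv_euid) != 0) return -1;
    int rc = op(arg);
    int saved_errno = errno;
    if (priv_drop() != 0) _exit(1);          /* never continue with privilege held */
    errno = saved_errno;
    return rc;
}

/* Hypothetical stand-in for the privileged step (interface setup, route change). */
static int report_euid(void *out) { *(uid_t *)out = geteuid(); return 0; }

int main(int argc, char **argv) {
    uid_t seen = (uid_t)-1;
    if (priv_init() != 0) { perror("drop"); return 1; }
    int fd = open_as_invoker(argc > 1 ? argv[1] : "/dev/null", O_RDWR);
    if (fd < 0) { perror("open"); return 1; }
    if (with_privilege(report_euid, &seen) != 0) { perror("raise"); return 1; }
    printf("device opened as uid %d, privileged step ran as euid %d\n",
           (int)geteuid(), (int)seen);
    close(fd);
    return 0;
}
```

A temporary drop like this makes the kernel apply the invoker's permissions to file and tty access, but the saved set-user-ID stays 0, so it does not contain a memory-corruption bug in the option-parsing code.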
Current thread:
- pppd security hole Re: i386/344 (fwd) David Neil (Nov 15)
- Re: pppd security hole Re: i386/344 (fwd) Will Waites (Nov 17)