Bugtraq mailing list archives
pppd security hole Re: i386/344 (fwd)
From: theoe () EUROPA COM (David Neil)
Date: Sat, 15 Nov 1997 00:32:38 -0800
---------- Forwarded message ----------
Date: Sat, 15 Nov 1997 00:28:41 -0800 (PST)
From: David Neil <theoe () europa com>
To: Kenneth Stailey <kstailey () disclosure com>
Cc: millert () cvs openbsd org, bugs () cvs openbsd org
Subject: pppd security hole Re: i386/344

On Fri, 14 Nov 1997, Kenneth Stailey wrote:

> CLOCAL flag was not getting cleared after chat. I just committed a fix.

Hmm. Seems that with "local" in /etc/ppp/options and /dev/tty00 I also see that DTR does not cause pppd to get a SIGHUP. I'll test again with the new code.
Talking about chat, I've also noticed weird behaviour in chat too (freezing my console!!!), and when investigating it I found a "security" hole in pppd.

pppd is 4555 (I could stop here, but it can be useful :) I believe in standard distributions. Because it has an option that specifies which chat script to execute (it changes UID=0 to your UID before execing), you can replace it with, say, 'echo'. Besides the fact that any user can use the modem to dial out freely, pppd will give you read/write access to any tty. The "security" hole in this is that pppd gives the possibility of a man in the middle attack on a tty.

Attack:

1) Set your tty to the same settings as the tty you want to take over.
2) Using `pppd /dev/XXXXX 9600(?) connect ./my-script', present to the victim's tty a false login banner or a wrapper that spawns a real login.
3) Remember that when your ./my-script is finished, pppd will shit all over their screen.

Any dumb system administrator will type their password...

Also, pppd is public domain, and lives around many other systems such as slowaris, lamex, *bsd. I don't know how pppd got its SUID bit, but it doesn't need it.

Lates,
opus
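The precondition for the attack described in the message is a setuid-root pppd (the "4555" mode the author mentions) that any local user can hand a "connect" script. The audit script below is an added example, not code from the original post or from the pppd project: it checks whether a given binary carries the setuid bit and who owns it, classifies the risk, and sweeps directories for other setuid-root files. The install paths /usr/sbin/pppd and /usr/bin/pppd used in the usage section are assumptions; adjust them for your system.

```shell
#!/bin/sh
# audit_pppd.sh: added example (not from the original post). Checks for the
# condition in the report: a setuid-root pppd that runs user-supplied scripts.

# is_setuid FILE -> exit 0 if FILE is a regular file carrying the setuid bit
# (POSIX test(1) -u checks the mode bit; a 4555 binary passes this check).
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# file_owner FILE -> prints the owning user name. Uses ls(1) rather than
# stat(1) because stat's flags differ between GNU and BSD systems.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# pppd_risk FILE -> prints one classification on stdout:
#   setuid-root   the situation in the post: every local user gets root's tty
#                 access via the connect script
#   setuid-other  setuid, but to a non-root account (smaller blast radius)
#   not-setuid    runs with the caller's own privileges
#   missing       no such file (returns non-zero)
pppd_risk() {
    f=$1
    if [ ! -f "$f" ]; then
        echo missing
        return 1
    fi
    if is_setuid "$f"; then
        if [ "$(file_owner "$f")" = root ]; then
            echo setuid-root
        else
            echo setuid-other
        fi
    else
        echo not-setuid
    fi
    return 0
}

# sweep DIR... -> lists every setuid-root regular file under the given
# directories, so other candidates for the same class of problem show up too.
sweep() {
    find "$@" -type f -perm -4000 -user root 2>/dev/null
}

# Usage when invoked directly (assumed install locations for pppd):
if [ "${0##*/}" = "audit_pppd.sh" ]; then
    for p in /usr/sbin/pppd /usr/bin/pppd; do
        printf '%s: %s\n' "$p" "$(pppd_risk "$p")"
    done
    echo "other setuid-root binaries:"
    sweep /usr/sbin /usr/bin /sbin /bin
fi
```

The script only reports mode and ownership; the fix the author argues for is removing the setuid bit (chmod 0555) or restricting pppd to a dedicated group, and the sweep output is there to show what else on the host is in the same position.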
Current thread:
- pppd security hole Re: i386/344 (fwd) David Neil (Nov 15)
- Re: pppd security hole Re: i386/344 (fwd) Will Waites (Nov 17)