pppd security hole Re: i386/344 (fwd)

David Neil (theoe@EUROPA.COM)
Sat, 15 Nov 1997 00:32:38 -0800

---------- Forwarded message ----------
Date: Sat, 15 Nov 1997 00:28:41 -0800 (PST)
From: David Neil <theoe@europa.com>
To: Kenneth Stailey <kstailey@disclosure.com>
Cc: millert@cvs.openbsd.org, bugs@cvs.openbsd.org
Subject: pppd security hole Re: i386/344

On Fri, 14 Nov 1997, Kenneth Stailey wrote:

> > CLOCAL flag was not getting cleared after chat. I just committed a fix.
>
> Hmm. Seems that with "local" in /etc/ppp/options and /dev/tty00 I also
> see that DTR does not cause pppd to get a SIGHUP. I'll test again with
> the new code.

Talking about chat, I've also noticed weird behaviour in chat too
(freezing my console!!!), and when investigating it I found a
"security" hole in pppd. pppd is 4555 (I could stop here, but it can be
useful :) I believe in standard distributions. Because it has an option
that specifies which chat script to execute (it changes UID=0 to your UID
before execing), you can replace it with, say, 'echo'. Besides the fact
that any user can use the modem to dial out freely, pppd will give you
read/write access to any tty. The "security" hole in this is that pppd
gives the possibility of a man-in-the-middle attack on a tty.

attack:
1) Set your tty to the same settings as the tty you want to take over.
2) Using `pppd /dev/XXXXX 9600(?) connect ./my-script', present to the
   victim's tty a false login banner or a wrapper that spawns a real login.
3) Remember that when your ./my-script is finished, pppd will shit all
   over their screen.

any dumb system administrator will type their password...

Also, pppd is public domain, and lives around many other systems such as
slowaris, lamex, *bsd. I don't know how pppd got its SUID bit, but it
doesn't need it.

Lates,
opus
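A quick audit for the exposure the message describes, as an added example
that is not part of the original post and not pppd's own code: it flags a
set-user-ID pppd (the condition that lets any user hand an arbitrary tty to
a `connect` script) and any tty device nodes that are group- or
world-accessible (where no setuid helper is needed at all). The pppd path
and device names in the usage line are assumptions; pass whatever the local
system actually uses.

```shell
#!/bin/sh
# Audit for the setuid-pppd tty takeover described above.
# Added example, not code from the post or from the pppd project.
# Assumed paths: /usr/sbin/pppd and /dev/tty00 are guesses, adjust locally.

# Exit 0 if FILE has the set-user-ID bit. A setuid-root pppd opens
# whatever tty it is told to as root and then hands it to the
# user-supplied 'connect' script.
is_setuid() {
    [ -u "$1" ]
}

# Exit 0 if FILE is owned by uid 0. ls -n is used instead of stat
# because stat's flags differ between GNU and BSD userlands.
owned_by_root() {
    [ "$(ls -ldn "$1" 2>/dev/null | awk '{print $3}')" = "0" ]
}

# Exit 0 if group or others have read or write permission on FILE,
# judged from the ls mode string (chars 5-6 group rw, 8-9 other rw).
is_group_or_world_rw() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ????r?????|?????w????|???????r??|????????w?) return 0 ;;
    esac
    return 1
}

# Run the checks: audit_pppd PPPD_PATH TTY_DEVICE...
# Prints one WARN line per finding and returns the number of findings
# (0 means nothing was flagged).
audit_pppd() {
    pppd=$1
    shift
    findings=0
    if [ -f "$pppd" ] && is_setuid "$pppd"; then
        if owned_by_root "$pppd"; then
            echo "WARN: $pppd is setuid root: any user can point 'connect' at a script and at any tty"
        else
            echo "WARN: $pppd is setuid (non-root owner): 'connect' scripts inherit that uid's ttys"
        fi
        findings=$((findings + 1))
    fi
    for dev in "$@"; do
        [ -e "$dev" ] || continue
        if is_group_or_world_rw "$dev"; then
            echo "WARN: $dev is group/world readable or writable: tty can be hijacked without pppd"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Usage with the assumed paths:
#   audit_pppd /usr/sbin/pppd /dev/tty00 /dev/tty01
# The remediation the post argues for is simply: chmod u-s /usr/sbin/pppd
```

The mode check deliberately reads `ls -ld` output rather than `stat`, so the
same script runs on the *BSD, Solaris and Linux boxes the post mentions;
`[ -u FILE ]` is the POSIX test for the set-user-ID bit.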