COMMAND

    pppd

SYSTEMS AFFECTED

    Many systems running pppd

PROBLEM

    David Neil posted the following.  There are conditions under which
    chat can freeze your console.  Investigation showed a "security"
    hole in pppd.  pppd is 4555.  It is believed that's the case in all
    standard distributions.  Because it has an option that specifies
    which chat script to execute (it changes UID=0 to your UID before
    execing), you can replace it with, say, 'echo'.  Besides the fact
    that any user can use the modem to dial out freely, pppd will give
    you read/write access to any tty.  The "security" hole in this is
    that pppd gives the possibility of a man in the middle attack on a
    tty.  Attack should go like this:

        1) Set your tty  to the same settings  of the tty you  want to
           take over.
        2) Using `pppd /dev/XXXXX 9600(?) connect ./my-script' present
           to the victim's tty a false login banner or a wrapper  that
           spawns a real login.
        3) Remember that when your ./my-script is finished, pppd  will
           shit all over their screen.

    Needless to  say, any  dumb system  administrator will  type their
    password...

SOLUTION

    Remove the suid bit from pppd.  This will cause some problems in its
    operation, of course, because pppd needs to create a network
    interface and possibly modify the kernel's routing table.  To do
    both of these, superuser privileges are required.  However, it is
    true that pppd handles its privileges sloppily - i.e. it should not
    be running with uid 0 when it is accessing the ttys, only when it
    needs to do some privileged system calls.