KPPP is "a dialer and front end for PPPd, allowing for interactive script generation and network setup".
Local exploitation of a privileged file descriptor leak in KPPP allows attackers to hijack a system's domain name resolution function.
Credit:
The information has been provided by idlabs-advisories.
The original article can be found at: http://www.idefense.com/application/poi/display?id=208&type=vulnerabilities
Vulnerable Systems:
* KPPP 2.1.2 and prior.
* KDE 3.1.5 and prior.
Immune Systems:
* KDE 3.2 and above.
The vulnerability exists because kppp fails to properly close privileged file descriptors. KPPP is typically installed setuid root and uses privilege separation so that only certain functions of the PPP dialer execute with elevated privileges.
Communication between the privileged and non-privileged portions of kppp takes place over a UNIX domain socket, and the descriptor for that socket is not properly closed.
A fix for a similar vulnerability was introduced to the kppp code base in 1998 as can be seen below:
    // close file descriptors
    for (int fd = 3; fd < 20; fd++)
        close(fd);
This fix is easily bypassed if an attacker opens 17 file descriptors before executing kppp. The loop closes only descriptors 3 through 19, so it closes the previously opened descriptors and leaves the privileged descriptor used to talk to the privileged component of kppp (now numbered 20 or higher) open to the attacker. KPPP may then be abused to gain read and write access to /etc/hosts and /etc/resolv.conf, giving attackers complete control over a system's domain name resolution.
Exploitation is trivial and allows an attacker to write to the two files that typically provide the configuration for domain name resolution. Modifying /etc/resolv.conf lets the attacker specify a malicious domain name server that may return arbitrary responses to lookups. Modifying /etc/hosts redirects hostname resolution without the need for an external domain name server. This class of attack can be used to aid phishing and social engineering attempts.
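The following C program is an added illustration of the defect described above and of the defender's fix; it is not code from KPPP or from the advisory. It models the scenario in a single process: a fixed number of descriptors are pre-opened, a UNIX domain socket standing in for the privileged channel is created, and then a descriptor sanitizer runs. `close_fds_fixed_range` reproduces the hard-coded 3..19 loop quoted above, while `close_fds_all` (a name chosen here) closes every descriptor actually open, enumerated via /proc/self/fd with a fallback to the process's open-file limit. The function names, the use of /dev/null as filler, and the assumption that the lowest free descriptor is 3 are all this example's own.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* The 1998-style sanitizer: closes only a hard-coded range, so any
   descriptor numbered 20 or higher survives untouched. */
static void close_fds_fixed_range(void)
{
    for (int fd = 3; fd < 20; fd++)
        close(fd);
}

/* Robust sanitizer: closes every descriptor >= 3 that is actually open.
   Enumerates /proc/self/fd (Linux); if that is unavailable, walks the
   full range up to the open-file limit instead of a guessed constant. */
static void close_fds_all(void)
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir != NULL) {
        int to_close[4096];
        int n = 0, skip = dirfd(dir);   /* don't close the directory we're reading */
        struct dirent *ent;
        while ((ent = readdir(dir)) != NULL && n < 4096) {
            int fd = atoi(ent->d_name); /* "." and ".." parse as 0 and are skipped */
            if (fd >= 3 && fd != skip)
                to_close[n++] = fd;
        }
        closedir(dir);                  /* collect first, close after: safe iteration */
        for (int i = 0; i < n; i++)
            close(to_close[i]);
        return;
    }
    long max_fd = sysconf(_SC_OPEN_MAX);
    if (max_fd < 0)
        max_fd = 1024;                  /* conservative fallback if the query fails */
    for (long fd = 3; fd < max_fd; fd++)
        close((int)fd);
}

/* Returns 1 if fd refers to an open descriptor, 0 otherwise. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Model of the advisory's scenario (assumption: lowest free fd is 3):
     1. n_pre filler descriptors are opened first (here: /dev/null),
     2. the "privileged" UNIX domain socket is created (socketpair),
     3. the sanitizer runs.
   Returns 1 if the privileged socket is still open afterwards (a leak),
   0 if it was closed, -1 on setup error. */
static int simulate_leak(int n_pre, void (*sanitizer)(void))
{
    int pre[64];
    int sv[2];
    int priv_fd, leaked;

    if (n_pre < 0 || n_pre > 64)
        return -1;
    for (int i = 0; i < n_pre; i++) {
        pre[i] = open("/dev/null", O_RDONLY);
        if (pre[i] < 0)
            return -1;
    }
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    priv_fd = sv[0];
    close(sv[1]);                       /* only one end is needed for the model */

    sanitizer();
    leaked = fd_is_open(priv_fd);

    /* Clean up whatever the sanitizer left (EBADF on closed fds is harmless). */
    close(priv_fd);
    for (int i = 0; i < n_pre; i++)
        close(pre[i]);
    return leaked;
}

int main(void)
{
    printf("fixed range, 0 pre-opened  : leaked=%d\n", simulate_leak(0, close_fds_fixed_range));
    printf("fixed range, 17 pre-opened : leaked=%d\n", simulate_leak(17, close_fds_fixed_range));
    printf("close all,   17 pre-opened : leaked=%d\n", simulate_leak(17, close_fds_all));
    return 0;
}
```

With no filler descriptors the socket lands on fd 3 and the fixed-range loop closes it; with 17 filler descriptors it lands on fd 20 and survives, which is exactly the bypass the advisory describes. Enumerating open descriptors (or, on older systems, walking to the open-file limit) removes the dependence on a guessed constant. A complementary defence is to create the privileged socket with the close-on-exec flag (`SOCK_CLOEXEC` or `FD_CLOEXEC`), so it can never be inherited by an exec'd non-privileged program in the first place.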
Workaround
Temporarily remove the setuid bit from KPPP and manually gain root privileges before executing KPPP:
chmod -s /usr/sbin/kppp
Note that some Linux distributions which come with KPPP, such as Red Hat Linux, use a wrapper for executing X11 applications that require root privileges. This wrapper safely closes all file descriptors in the executed application.
Disclosure Timeline:
02/09/2005 - Initial vendor notification
02/09/2005 - Initial vendor response
02/28/2005 - Coordinated public disclosure