Vulnerabilities > CVE-2006-2194 - Local Privilege Escalation vulnerability in PPPD Winbind Plugin

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
point-to-point-protocol-project
nessus

Summary

The winbind plugin in pppd for ppp 2.4.4 and earlier does not check the return code from the setuid function call. This might allow local users to gain privileges by causing setuid to fail (for example, by exceeding the PAM limit on the maximum number of user processes), which prevents the winbind NTLM authentication helper from dropping privileges.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1106.NASL
    descriptionMarcus Meissner discovered that the winbind plugin in pppd does not check whether a setuid() call has been successful when trying to drop privileges, which may fail with some PAM configurations.
    last seen2020-06-01
    modified2020-06-02
    plugin id22648
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22648
    titleDebian DSA-1106-1 : ppp - programming error
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DSA-1106. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    # Local (authenticated, dpkg-based) check for CVE-2006-2194, the
    # unchecked setuid() return value in pppd's winbind plugin. It flags a
    # Debian 3.1 (sarge) host whose ppp or ppp-dev package is below the
    # fixed version 2.4.3-20050321+2sarge1 named in the advisory.
    #
    
    include("compat.inc");
    
    # Registration phase: when the engine only wants the plugin metadata,
    # the attributes below are set and the script exits before any host
    # data is touched.
    if (description)
    {
      script_id(22648);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2006-2194");
      script_xref(name:"DSA", value:"1106");
    
      script_name(english:"Debian DSA-1106-1 : ppp - programming error");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Marcus Meissner discovered that the winbind plugin in pppd does not
    check whether a setuid() call has been successful when trying to drop
    privileges, which may fail with some PAM configurations."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1106"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the ppp package.
    
    The old stable distribution (woody) is not affected by this problem.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 2.4.3-20050321+2sarge1."
      );
      # Local / low complexity / no auth / complete C-I-A, matching the
      # CVSS 7.2 rating for this CVE.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ppp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/07/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # The dpkg -l listing is collected by ssh_get_info.nasl; the KB keys
      # required here are the ones re-checked below before any package test.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Scan phase: bail out with a distinct audit reason if local checks are
    # off, the host is not Debian, or no package list was collected.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # flag counts the binary packages deb_check() reports against the fixed
    # sarge version; both come from the same ppp source package.
    flag = 0;
    if (deb_check(release:"3.1", prefix:"ppp", reference:"2.4.3-20050321+2sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"ppp-dev", reference:"2.4.3-20050321+2sarge1")) flag++;
    
    # Any hit is reported as a hole on port 0 (local finding); verbose mode
    # attaches the per-package detail collected by deb_check().
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-310-1.NASL
    descriptionMarcus Meissner discovered that the winbind plugin of pppd does not check the result of the setuid() call. On systems that configure PAM limits for the maximum number of user processes and enable the winbind plugin, a local attacker could exploit this to execute the winbind NTLM authentication helper as root. Depending on the local winbind configuration, this could potentially lead to privilege escalation. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id27885
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27885
    titleUbuntu 5.10 / 6.06 LTS : ppp vulnerability (USN-310-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-310-1. The text
    # itself is copyright (C) Canonical, Inc. See
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
    # trademark of Canonical, Inc.
    #
    # Local (authenticated, dpkg-based) check for CVE-2006-2194 on Ubuntu
    # 5.10 and 6.06 LTS: flags ppp, ppp-dev or ppp-udeb below the fixed
    # versions listed in USN-310-1. Only i386 and x86_64 hosts are tested.
    #
    
    include("compat.inc");
    
    # Registration phase: metadata only, then exit before any host check.
    if (description)
    {
      script_id(27885);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:33:01");
    
      script_cve_id("CVE-2006-2194");
      script_xref(name:"USN", value:"310-1");
    
      script_name(english:"Ubuntu 5.10 / 6.06 LTS : ppp vulnerability (USN-310-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Marcus Meissner discovered that the winbind plugin of pppd does not
    check the result of the setuid() call. On systems that configure PAM
    limits for the maximum number of user processes and enable the winbind
    plugin, a local attacker could exploit this to execute the winbind
    NTLM authentication helper as root. Depending on the local winbind
    configuration, this could potentially lead to privilege escalation.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/310-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ppp, ppp-dev and / or ppp-udeb packages."
      );
      # Local / low complexity / no auth / complete C-I-A (CVSS 7.2).
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ppp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ppp-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ppp-udeb");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      # Host/cpu is required in addition to the release and dpkg keys
      # because the package versions below are architecture-specific.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    # Scan phase: each precondition exits with its own audit reason so a
    # non-finding is attributable (local checks off, wrong OS, wrong
    # release, no package list).
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    # Strip the trailing newline so the anchored pattern below can match.
    release = chomp(release);
    if (! ereg(pattern:"^(5\.10|6\.06)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.10 / 6.06", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 / x86_64 builds are covered; ">!<" is NASL's "not a
    # substring of", so anything that is neither x86_64 nor i[3-6]86
    # is reported as not implemented rather than as not affected.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    # flag counts the packages ubuntu_check() reports against the fixed
    # version for the host's release (5.10 and 6.06 differ).
    flag = 0;
    
    if (ubuntu_check(osver:"5.10", pkgname:"ppp", pkgver:"2.4.3-20050321+2ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"ppp-dev", pkgver:"2.4.3-20050321+2ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"ppp-udeb", pkgver:"2.4.3-20050321+2ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"ppp", pkgver:"2.4.4b1-1ubuntu3.1")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"ppp-dev", pkgver:"2.4.4b1-1ubuntu3.1")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"ppp-udeb", pkgver:"2.4.4b1-1ubuntu3.1")) flag++;
    
    # Report as a hole on port 0 (local finding) with the per-package
    # detail; otherwise distinguish "fixed version installed" from
    # "none of the packages installed" in the audit message.
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ppp / ppp-dev / ppp-udeb");
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-119.NASL
descriptionMarcus Meissner discovered that pppd's winbind plugin did not check for the result of the setuid() call which could allow an attacker to exploit this on systems with certain PAM limits enabled to execute the NTLM authentication helper as root. This could possibly lead to privilege escalation dependent upon the local winbind configuration.
    last seen2020-06-01
    modified2020-06-02
    plugin id22019
    published2006-07-11
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22019
    titleMandrake Linux Security Advisory : ppp (MDKSA-2006:119)
    code
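    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:119.
    # The text itself is copyright (C) Mandriva S.A.
    #
    # Local (authenticated, rpm-based) check for CVE-2006-2194 on
    # Mandriva Linux 2006.0: flags any ppp sub-package below
    # 2.4.3-9.1.20060mdk. Only x86 / x86_64 hosts are tested.
    #
    
    include("compat.inc");
    
    # Registration phase: metadata only, then exit before any host check.
    if (description)
    {
      script_id(22019);
      script_version ("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2006-2194");
      script_xref(name:"MDKSA", value:"2006:119");
    
      script_name(english:"Mandrake Linux Security Advisory : ppp (MDKSA-2006:119)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      # Description text is quoted from the vendor advisory verbatim
      # (including its wording), so it is not edited here.
      script_set_attribute(
        attribute:"description", 
        value:
    "Marcus Meissner discovered that pppd's winbind plugin did not check
    for the result of the setuid() call which could allow an attacker to
    exploit this on systems with certain PAM limits enabled to execute the
    NTLM authentication helper as root. This could possibly lead to
    privilege escalation dependent upon the local winbind configuration.
    
    Updated packages have been patched ot correct this issue."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # Local / low complexity / no auth / complete C-I-A (CVSS 7.2).
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ppp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ppp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ppp-dhcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ppp-pppoatm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ppp-pppoe");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ppp-prompt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ppp-radius");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/11");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Host/cpu is required because the rpm versions below are only
      # known for x86 / x86_64 builds.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Scan phase: each precondition exits with its own audit reason.
    # The OS name in the audit message is spelled the same way as in the
    # architecture audit below ("Mandriva / Mandrake Linux"); it used to
    # read "Mandake".
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Anything other than amd64 / i[3-6]86 / x86_64 is "not implemented",
    # not "not affected".
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # flag counts the ppp sub-packages rpm_check() reports against the
    # fixed 2.4.3-9.1.20060mdk build; yank:"mdk" drops the vendor suffix
    # for the version comparison.
    flag = 0;
    if (rpm_check(release:"MDK2006.0", reference:"ppp-2.4.3-9.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"ppp-devel-2.4.3-9.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"ppp-dhcp-2.4.3-9.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"ppp-pppoatm-2.4.3-9.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"ppp-pppoe-2.4.3-9.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"ppp-prompt-2.4.3-9.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"ppp-radius-2.4.3-9.1.20060mdk", yank:"mdk")) flag++;
    
    
    # Any hit is a hole on port 0 (local finding); verbose mode attaches
    # the per-package detail collected by rpm_check().
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");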
    

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 18849 CVE(CAN) ID: CVE-2006-2194 ppp(Paul's PPP Package)是一个开放源码的软件包,用于在Linux和Solaris系统上实现点对点协议。 ppp对插件执行权限的控制上存在漏洞,本地攻击者可能利用此漏洞提升自己的权限。 pppd的winbind插件没有检查setuid()调用的结果。在对用户进程数配置了PAM限制且启用了winbind插件的系统上,本地攻击者可以利用这个漏洞以root权限执行winbind NTLM认证帮助程序,可能导致权限提升。 Ubuntu Linux 6.06 LTS powerpc Ubuntu Linux 6.06 LTS i386 Ubuntu Linux 6.06 LTS amd64 Ubuntu Linux 5.10 powerpc Ubuntu Linux 5.10 i386 Ubuntu Linux 5.10 amd64 Paul Mackerras PPPD 2.4.3 Paul Mackerras -------------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.samba.org/ppp/index.html
idSSV:2692
last seen2017-11-19
modified2007-12-26
published2007-12-26
reporterRoot
titlePPPD Winbind插件本地权限提升漏洞

Statements

contributorMark J Cox
lastmodified2006-08-16
organizationRed Hat
statementNot vulnerable. The winbind plugin is not shipped with Red Hat Enterprise Linux 2.1, 3, or 4.