Terminal hijacking via pppd

Summary
Description:pppd offers read/write access to any tty. This allows a man in the middle attack for trojan terminals as well as other mischief. Also it allows users to freely dial out with the modem (often not a good idea).
Author:David Neil <theoe@EUROPA.COM>
Compromise:Hijack terminals, dial arbitrary numbers with the modem, other mischief.
Vulnerable Systems:Those running pppd. Many linunx boxes, perhaps some BSD, solaris.
Date:15 November 1997
Details


Date: Sat, 15 Nov 1997 00:32:38 -0800
From: David Neil <theoe@EUROPA.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: pppd security hole Re: i386/344 (fwd)

---------- Forwarded message ----------
Date: Sat, 15 Nov 1997 00:28:41 -0800 (PST)
From: David Neil <theoe@europa.com>
To: Kenneth Stailey <kstailey@disclosure.com>
Cc: millert@cvs.openbsd.org, bugs@cvs.openbsd.org
Subject: pppd security hole Re: i386/344


On Fri, 14 Nov 1997, Kenneth Stailey wrote:

> > CLOCAL flag was not getting cleared after chat.  I just commited a fix.
>
> Hmm. Seems that with "local" in /etc/ppp/options and /dev/tty00 I also
> see that DTR does not cause pppd to get a SIGHUP.  I'll test again with
> the new code.


        Talking about chat, I've also noticed weird behaviour in chat
too(freezing my console!!!), and when investingating it I found a
"security" hole in pppd.  pppd is 4555(I could stop here, but it can be
useful:) I believe in standard distributions. Because it has an option
that specifies which chat script to execute(it changes UID=0 to your UID
before execing), you can replace it with, say, 'echo'.  Besides the fact
that any user can use the modem to dial out freely, pppd will give you
read/write access to any tty. The "security"  hole in this is that pppd
gives the possbility of a man in the middle attack of a tty.

attack:
        1)  Set your tty to the same settings of the tty you want
to take over.
        2)  Using `pppd /dev/XXXXX 9600(?) connect ./my-script'
present to the victim's tty a false login banner or a wrapper that spawns
a real login.
        3)  Remember that when your ./my-script is finished, pppd will
shit all over their screen.

any dumb system administrator will type their password...

Also, pppd is public domain, and lives around many other systems such as
slowaris, lamex, *bsd.  I don't know how pppd got its SUID bit, but it
doesn't need it.

Lates,
opus

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault