Subject: Caldera Security Advisory 96.03: Vulnerability in the dip program

Caldera Security Advisory SA-96.03
July 8th, 1996

Topic: Vulnerability in the dip program

I. Problem Description

The dip program manages the connections needed for dial-up links such as
SLIP and PPP. It can handle both incoming and outgoing connections. To gain
access to the resources it needs to establish these IP connections, the dip
program is often installed as set-user-id root.

A vulnerability in dip makes it possible to overflow an internal buffer whose
contents are under the control of the user running dip. If this buffer is
overflowed with the appropriate data, a program such as a shell can be
started. This program then runs with root permissions on the local machine.

Exploitation scripts for dip have been found running on Linux systems for x86
hardware. Although exploitation scripts for other architectures and operating
systems have not yet been found, we believe that they could be easily
developed.

II. Impact

On systems such as CND 1.0 and Red Hat 2.1 that have dip installed
set-user-id root, an unprivileged user can obtain root access.

III. Solution / Workaround

A simple workaround is to disable the SUID root bit:

    chmod 755 /usr/sbin/dip

If you must run dip SUID root, place it in a group where it can only be
executed by trusted users.

CND 1.0 and Red Hat 2.1 shipped with dip-3.3.7n-2.i386.rpm. Version
dip-3.3.7n-3.i386.rpm has the SUID root bit disabled and is available via
FTP from:

    ftp://ftp.caldera.com/pub/cnd-1.0/updates/dip-3.3.7n-3.i386.rpm

or the directory old-releases/redhat-2.1/i386/updates/RPMS from Red Hat or
one of its mirror sites:

    ftp.redhat.com:/pub
    ftp.caldera.com:/pub/mirrors/redhat

The MD5 checksum (from the "md5sum" command) for this RPM is:

    3c94852a8fb636aa9b5407cae155e2ae  dip-3.3.7n-3.i386.rpm

Note that this problem was announced in January 1996. It has regained
attention since CERT finally issued an advisory for this problem today.
Code to exploit this problem has also been publicly reposted today.

Another option (untested at Caldera) is to install dip-3.3.7o-4.i386.rpm,
found in the directory contrib/RPMS from Red Hat or one of its mirror sites.
Its MD5 checksum is:

    cbd0005199be7038e2b09f70473d59ba  dip-3.3.7o-4.i386.rpm

Note that this RPM is in RPM 2.0 format and is not readily usable with
CND 1.0.

IV. References

CERT advisories:

    ftp://info.cert.org/pub/cert_advisories/CA-96.13.README
    ftp://info.cert.org/pub/cert_advisories/CA-96.13.dip_vul

This and other Caldera security resources:

    http://www.caldera.com/tech-ref/cnd-1.0/security/
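The following script is an added example, not part of the Caldera advisory, that turns the section III workaround into a repeatable check: it reports whether a dip binary carries the set-user-id bit, applies either the chmod 755 fix or the trusted-group variant, and verifies a downloaded RPM against the advisory's md5sum value. It assumes a POSIX sh with ls, chmod, chgrp and md5sum on PATH; the function names, the default path /usr/sbin/dip (taken from the advisory) and the placeholder group name are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and apply the SA-96.03 workaround.
# Assumes ls, chmod, chgrp and md5sum are available on PATH.

# Print the ten-character permission string for a path, e.g. -rwsr-xr-x
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Print the owner of a path as reported by ls.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Succeed if the file carries the set-user-id bit; combined with a root
# owner this is the configuration the advisory warns about.
has_setuid_bit() {
    [ -u "$1" ]
}

# Workaround 1 from section III: drop the SUID bit, leaving mode 0755.
strip_setuid() {
    chmod 755 "$1"
}

# Workaround 2 from section III: keep SUID but make the binary executable
# only by members of a trusted group. chgrp runs first because a non-root
# chgrp clears the setuid bit, so the mode is set afterwards.
# The group name is caller-supplied; "dipusers" is a placeholder, not a
# group the advisory names.
restrict_to_group() {
    chgrp "${2:-dipusers}" "$1" && chmod 4750 "$1"
}

# Compare the md5sum of a downloaded RPM against an expected value.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Report the state of a dip binary. Always returns 0 so the script can be
# sourced or run on hosts where dip is absent.
audit_dip() {
    f=${1:-/usr/sbin/dip}
    if [ ! -e "$f" ]; then
        echo "$f: not present"
    elif has_setuid_bit "$f"; then
        echo "$f: $(mode_string "$f") owner $(owner_of "$f"): SUID set," \
             "apply strip_setuid or restrict_to_group"
    else
        echo "$f: $(mode_string "$f") owner $(owner_of "$f"): SUID not set"
    fi
    return 0
}

# Expected checksum of the fixed package, copied from the advisory.
DIP_FIXED_RPM_MD5=3c94852a8fb636aa9b5407cae155e2ae

audit_dip "${1:-/usr/sbin/dip}"
```

Run it as `sh dip_check.sh` to audit the default path, or pass another path as the first argument; after fetching dip-3.3.7n-3.i386.rpm, call `verify_md5 dip-3.3.7n-3.i386.rpm "$DIP_FIXED_RPM_MD5"` before installing it, and then `strip_setuid` or `restrict_to_group` on the installed binary as section III prescribes.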