Subject: Caldera Security Advisory 96.03: Vulnerability in the dip program

Caldera Security Advisory SA-96.03
July 8th, 1996

Topic: Vulnerability in the dip program

I. Problem Description

	The dip program manages the connections needed for dial-up
	links such as SLIP and PPP. It can handle both incoming and
	outgoing connections.  To gain access to resources it needs to
	establish these IP connections, the dip program is often installed
	as set-user-id root.

	A vulnerability in dip makes it possible to overflow an internal
	buffer whose value is under the control of the user of the dip
	program. If this buffer is overflowed with the appropriate data,
	a program such as a shell can be started. This program then runs
	with root permissions on the local machine.

	Exploitation scripts for dip have been found running on Linux
	systems for X86 hardware. Although exploitation scripts for other
	architectures and operating systems have not yet been found,
	we believe that they could be easily developed.

II. Impact

	On systems such as CND 1.0 and Red Hat 2.1 that have dip installed
	set-user-id root, an unprivileged user can obtain root access.

III. Solution / Workaround

	A simple workaround is to disable the SUID root bit:

		chmod 755 /usr/sbin/dip

	If you must run dip SUID root, place it in a group where it can
	only be executed by trusted users.

	CND 1.0 and Red Hat 2.1 shipped with dip-3.3.7n-2.i386.rpm.  Version
	dip-3.3.7n-3.i386.rpm has the SUID root bit disabled and is available
	via FTP from:

		ftp://ftp.caldera.com/pub/cnd-1.0/updates/dip-3.3.7n-3.i386.rpm

	or the directory

		old-releases/redhat-2.1/i386/updates/RPMS

	from Red Hat or one of its mirror sites:

		ftp.redhat.com:/pub
		ftp.caldera.com:/pub/mirrors/redhat

	The MD5 checksum (from the "md5sum" command) for this RPM is:

		3c94852a8fb636aa9b5407cae155e2ae  dip-3.3.7n-3.i386.rpm

	Note that this problem was announced in January 1996.  It has regained
	attention since CERT finally issued an advisory for this problem
	today.  Code to exploit this problem has also been publicly
	reposted today.

	Another option (untested at Caldera) is to install
	
		dip-3.3.7o-4.i386.rpm
	
	found in the directory

		contrib/RPMS
	
	from Red Hat or one of its mirror sites.  Its MD5 checksum is:

		cbd0005199be7038e2b09f70473d59ba  dip-3.3.7o-4.i386.rpm
	
	Note that this RPM is in RPM 2.0 format and is not readily usable
	with CND 1.0.

IV. References

	CERT advisories:

		ftp://info.cert.org/pub/cert_advisories/CA-96.13.README
		ftp://info.cert.org/pub/cert_advisories/CA-96.13.dip_vul

	This and other Caldera security resources:

		http://www.caldera.com/tech-ref/cnd-1.0/security/