exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

pppdDoS.txt

pppdDoS.txt
Posted Oct 27, 2004
Authored by infamous41md

Improper verification of header fields lets an attacker make the pppd server from ppp-241 access memory it isn't allowed to, resulting in a crash of the server. There is no possibility of code execution, as there is no data being copied, just a pointer dereferenced.

tags | advisory, code execution
SHA-256 | 574ce2da45902592be233f5fc4f8dac25e1f63f317486c8767787082f1cd1486

pppdDoS.txt

Change Mirror Download
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Subject:

pppd remote DOS.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Product Description:

ppp is an implementation of (PPP) Point-to-Point Protocol for Unix systems.

http://www.samba.org/ppp/features.html

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Vulnerable:

ppp-2.4.1 was audited.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Summary:

Improper verification of header fields lets an attacker make the pppd server
access memory it isn't allowed to, and crash the server. There is no
possibility of code execution, as there is no data being copied, just a pointer
dereferenced.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Details:

The actual vulnerable code appears in the file /pppd/cbcp.c, line 334. A brief
walkthrough of how it is reached: Starting in the /pppd directory, in main.c we
have the function get_input(), which is called when there is data ready on the
network. It reads in the packet at line 932, at most 1500 + PPP header sized
bytes into a static packet buffer called inpacket_buf. Depending on the
protocol, a handler is picked out of an array of handlers by matching the
protocol field of the PPP header. We are interested in when the protocol is
CBCP, Callback Control Protocol. A snip from that function is shown here:

/* process an incomming packet */
static void
cbcp_input(unit, inpacket, pktlen)
int unit;
u_char *inpacket;
int pktlen;
{
u_char *inp;
u_char code, id;
u_short len;

cbcp_state *us = &cbcp[unit];

inp = inpacket;

if (pktlen < CBCP_MINLEN) {
error("CBCP packet is too small");
return;
}

GETCHAR(code, inp);
GETCHAR(id, inp);
GETSHORT(len, inp);

#if 0
if (len > pktlen) {
error("CBCP packet: invalid length");
return;
}
#endif

1] len -= CBCP_MINLEN/*4*/; /* HOLE */

switch(code) {
case CBCP_REQ:
us->us_id = id;
2] cbcp_recvreq(us, inp, len);
break;

1)len has not been validated yet, if it is < 4, the subtraction will wrap
around to a large 2 byte unsigned number.
2)this len is passed to the request processsing function, which now thinks
that packet is longer than it really is.

We then move onto the cbcp_recvreq() function to process the request, this
function is in /pppd/cbcp.c

/* received CBCP request */
static void
cbcp_recvreq(us, pckt, pcktlen)
cbcp_state *us;
char *pckt;
int pcktlen;
{
u_char type, opt_len, delay, addr_type;
char address[256];
int len = pcktlen;

address[0] = 0;

1] while (len) {
dbglog("length: %d", len);

GETCHAR(type, pckt);
2] GETCHAR(opt_len, pckt);

if (opt_len > 2)
GETCHAR(delay, pckt);

us->us_allowed |= (1 << type);

switch(type) {
case CB_CONF_NO:
dbglog("no callback allowed");
break;

case CB_CONF_USER:
dbglog("user callback allowed");
if (opt_len > 4) {
GETCHAR(addr_type, pckt);
memcpy(address, pckt, opt_len - 4);
address[opt_len - 4] = 0;
if (address[0])
dbglog("address: %s", address);
}
break;

case CB_CONF_ADMIN:
dbglog("user admin defined allowed");
break;

case CB_CONF_LIST:
break;
}
3] len -= opt_len; /* HOLE */
}

cbcp_resp(us);
}

1)The loop continues processing the packet as long as len is != 0. Each
iteration the packet pointer is moved forward in the GET_ macros.
2)The option length is retrieved from the packet, and is not validated in
any way.
3)The option length is subtracted from the len variable, which controls the
loop. There are a number of ways to exploit this calculation. Actually,
_any_ malformed packet will screw up that loop. It relies on the opt_len
values in the packet all summing to len, if they don't, the loop won't stop,
unless by pure luck of encountering the right value somewhere in the .data
section (the packet buffer is global). Net result, is that eventually in
the GET_ macros, the packet pointer will be advanced to far, and hit
unmapped memory and crash the server.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Exploit:

I don't have a PPP link, so I didn't write a sploit. Some people I've spoken to
have said causing a DOS will be hard to due to slowness of PPP links. I haven't
verified this myself. Regardless, it's a bug that should be fixed.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


--
-sean

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close