+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Subject: pppd remote DOS. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Product Description: ppp is an implementation of (PPP) Point-to-Point Protocol for Unix systems. http://www.samba.org/ppp/features.html +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Vulnerable: ppp-2.4.1 was audited. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Summary: Improper verification of header fields lets an attacker make the pppd server access memory it isn't allowed to, and crash the server. There is no possibility of code execution, as there is no data being copied, just a pointer dereferenced. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Details: The actual vulnerable code appears in the file /pppd/cbcp.c, line 334. A brief walkthrough of how it is reached: Starting in the /pppd directory, in main.c we have the function get_input(), which is called when there is data ready on the network. It reads in the packet at line 932, at most 1500 + PPP header sized bytes into a static packet buffer called inpacket_buf. Depending on the protocol, a handler is picked out of an array of handlers by matching the protocol field of the PPP header. We are interested in when the protocol is CBCP, Callback Control Protocol. A snip from that function is shown here: /* process an incomming packet */ static void cbcp_input(unit, inpacket, pktlen) int unit; u_char *inpacket; int pktlen; { u_char *inp; u_char code, id; u_short len; cbcp_state *us = &cbcp[unit]; inp = inpacket; if (pktlen < CBCP_MINLEN) { error("CBCP packet is too small"); return; } GETCHAR(code, inp); GETCHAR(id, inp); GETSHORT(len, inp); #if 0 if (len > pktlen) { error("CBCP packet: invalid length"); return; } #endif 1] len -= CBCP_MINLEN/*4*/; /* HOLE */ switch(code) { case CBCP_REQ: us->us_id = id; 2] cbcp_recvreq(us, inp, len); break; 1)len has not been validated yet, if it is < 4, the subtraction will wrap around to a large 2 byte unsigned number. 2)this len is passed to the request processsing function, which now thinks that packet is longer than it really is. We then move onto the cbcp_recvreq() function to process the request, this function is in /pppd/cbcp.c /* received CBCP request */ static void cbcp_recvreq(us, pckt, pcktlen) cbcp_state *us; char *pckt; int pcktlen; { u_char type, opt_len, delay, addr_type; char address[256]; int len = pcktlen; address[0] = 0; 1] while (len) { dbglog("length: %d", len); GETCHAR(type, pckt); 2] GETCHAR(opt_len, pckt); if (opt_len > 2) GETCHAR(delay, pckt); us->us_allowed |= (1 << type); switch(type) { case CB_CONF_NO: dbglog("no callback allowed"); break; case CB_CONF_USER: dbglog("user callback allowed"); if (opt_len > 4) { GETCHAR(addr_type, pckt); memcpy(address, pckt, opt_len - 4); address[opt_len - 4] = 0; if (address[0]) dbglog("address: %s", address); } break; case CB_CONF_ADMIN: dbglog("user admin defined allowed"); break; case CB_CONF_LIST: break; } 3] len -= opt_len; /* HOLE */ } cbcp_resp(us); } 1)The loop continues processing the packet as long as len is != 0. Each iteration the packet pointer is moved forward in the GET_ macros. 2)The option length is retrieved from the packet, and is not validated in any way. 3)The option length is subtracted from the len variable, which controls the loop. There are a number of ways to exploit this calculation. Actually, _any_ malformed packet will screw up that loop. It relies on the opt_len values in the packet all summing to len, if they don't, the loop won't stop, unless by pure luck of encountering the right value somewhere in the .data section (the packet buffer is global). Net result, is that eventually in the GET_ macros, the packet pointer will be advanced to far, and hit unmapped memory and crash the server. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Exploit: I don't have a PPP link, so I didn't write a sploit. Some people I've spoken to have said causing a DOS will be hard to due to slowness of PPP links. I haven't verified this myself. Regardless, it's a bug that should be fixed. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -- -sean