Tuesday, September 13, 2005

[UNIX] PPPd DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - - - - - - - -

PPPd DoS
------------------------------------------------------------------------

SUMMARY

ppp (<http://www.samba.org/ppp/features.html>) is "an implementation of
(PPP) Point-to-Point Protocol for Unix systems".

Improper verification of header fields allows an attacker to cause the
pppd server to access memory it isn't allowed to, which in turn causes
the server to crash. There is no possibility of code execution, as no
data is copied; only a pointer is dereferenced.

DETAILS

Vulnerable Systems:
* ppp Version 2.4.1

The actual vulnerable code appears in the file /pppd/cbcp.c, line 334. A
brief walkthrough of how it is reached: starting in the /pppd directory,
in main.c we have the function get_input(), which is called when there is
data ready on the network. At line 932 it reads the packet, at most 1500
bytes plus the PPP header, into a static packet buffer called
inpacket_buf.

Depending on the protocol, a handler is picked out of an array of handlers
by matching the protocol field of the PPP header. We are interested in
the case where the protocol is CBCP, the Callback Control Protocol. A
snippet from that handler is shown here:

/* process an incoming packet */
static void
cbcp_input(unit, inpacket, pktlen)
    int unit;
    u_char *inpacket;
    int pktlen;
{
    u_char *inp;
    u_char code, id;
    u_short len;

    cbcp_state *us = &cbcp[unit];

    inp = inpacket;

    if (pktlen < CBCP_MINLEN) {
        error("CBCP packet is too small");
        return;
    }

    GETCHAR(code, inp);
    GETCHAR(id, inp);
    GETSHORT(len, inp);

#if 0
    if (len > pktlen) {
        error("CBCP packet: invalid length");
        return;
    }

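The length check that the #if 0 above disables, as an added example that is not part of this advisory or of pppd: a stand-alone C model of the CBCP header parse with the check against pktlen in place, followed by a bounded walk over the option list. The type/length option layout, the cbcp_hdr struct and the sample packets are assumptions of this example, not code from cbcp.c.

```c
#include <stddef.h>
#include <stdint.h>

#define CBCP_MINLEN 4   /* code, id, 16-bit length, as in pppd's cbcp.c */

/* Parsed CBCP header; opt_len is the number of option bytes after the
 * 4-byte header that are guaranteed to lie inside the received packet. */
struct cbcp_hdr { uint8_t code, id; uint16_t len; size_t opt_len; };

/* Validate the CBCP header of a received packet of pktlen bytes.
 * Returns 0 on success, -1 on malformed input. The comparison against
 * pktlen is the check the vulnerable cbcp_input() left under #if 0:
 * without it the attacker-supplied len is trusted and the option walk
 * below would read past the end of the input buffer. */
int cbcp_parse_header(const uint8_t *pkt, size_t pktlen, struct cbcp_hdr *out)
{
    if (pkt == NULL || out == NULL || pktlen < CBCP_MINLEN)
        return -1;                        /* "CBCP packet is too small" */
    out->code = pkt[0];
    out->id   = pkt[1];
    out->len  = (uint16_t)((pkt[2] << 8) | pkt[3]);   /* GETSHORT, network order */
    if (out->len < CBCP_MINLEN || out->len > pktlen)
        return -1;                        /* "CBCP packet: invalid length" */
    out->opt_len = out->len - CBCP_MINLEN;
    return 0;
}

/* Walk the type/length-prefixed options inside the validated payload
 * (assumed layout: option length includes its own two header bytes).
 * Returns the number of well-formed options, or -1 if the header or
 * any option is bad. Every read stays inside [pkt, pkt + pktlen). */
int cbcp_count_options(const uint8_t *pkt, size_t pktlen)
{
    struct cbcp_hdr h;
    int n = 0;
    if (cbcp_parse_header(pkt, pktlen, &h) != 0)
        return -1;
    for (const uint8_t *p = pkt + CBCP_MINLEN, *end = p + h.opt_len; p < end; ) {
        if (end - p < 2 || p[1] < 2 || p[1] > end - p)   /* option overruns payload */
            return -1;
        p += p[1];
        n++;
    }
    return n;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t sample_ok[]     = {0x01, 0x07, 0x00, 0x08, 0x02, 0x04, 0x00, 0x00};
static const uint8_t sample_bad[]    = {0x01, 0x07, 0xff, 0xff, 0x02, 0x04, 0x00, 0x00};
static const uint8_t sample_badopt[] = {0x01, 0x07, 0x00, 0x06, 0x02, 0x08};
```

sample_bad carries a header length of 65535 in an 8-byte packet, which is exactly the input the disabled check would have rejected.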