AW: Remote SIGSEGV in l2tpd
> -----Original Message-----
> From: Renaud Deraison [mailto:deraison@nessus.org]
> Date: Friday, 14 March 2003 19:39
> To: l2tpd-devel@l2tpd.org
> Subject: Remote SIGSEGV in l2tpd
>
> [..]
> I found a denial of service on l2tpd 0.69 - if an attacker sends
> data {0xC8,2,0,20,0,0,0,0,0,0,0,0,0,8, 0,0,0,0,0,3} to the L2TPD
> server, l2tpd dies with a segfault. An attacker may use this flaw to
> prevent legitimate users from connecting via L2TPD.
> There's no need for pre-authentication or whatever.
>
> GDB backtrace shows :
> Program received signal SIGSEGV, Segmentation fault.
> 0x280ed04e in vfprintf () from /usr/lib/libc.so.4
> (gdb) bt
> #0 0x280ed04e in vfprintf () from /usr/lib/libc.so.4
> #1 0x280b5d1e in vsnprintf () from /usr/lib/libc.so.4
> #2 0x804afdd in log (level=6,
> fmt=0x80575e0 "%s: Connection established to %s, %d. Local: %d,
> Remote: %d. LNS session is '%s'\n") at misc.c:37
> #3 0x804c4f8 in control_finish (t=0x8065800, c=0x8065c00) at
> control.c:623
> #4 0x804dcf1 in handle_packet (buf=0x8063000, t=0x8065800,
> c=0x8065c00)
> at control.c:1692
> #5 0x80527ce in network_thread () at network.c:405
> #6 0x804af1e in main (argc=3, argv=0xbfbff9e0) at l2tpd.c:1123
> #7 0x804930d in _start ()
Hi!
From a quick view into the code and a test run, I would say this is because the state machine in control_finish() does not check whether t->lns has been set sensibly. From my gdb output it's clear that t->lns is NULL (or otherwise invalid), and thus vfprintf() segfaults because there is no t->lns->entname. I guess in this situation, t->lns should be validated, and the packet discarded if it's not valid. At least, t->lns should be checked to avoid any NULL pointer dereferencing. Right now I am too busy and not deeply enough into the code to propose a patch, maybe later, or somebody more jedi-ish about l2tpd and L2TP in general will be faster..? :)
Regards,
Oliver
--
Please forgive me for using this broken mail client, it's company policy...
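The missing check Oliver describes, as an added example that is not l2tpd's own code and not part of either message above. It models the control_finish() pattern with a minimal tunnel structure: only the names t->lns and entname come from the thread; the struct layouts, the fmt_log() stand-in for misc.c's log(), the message text and the return codes are assumptions made for illustration. The unchecked variant dereferences t->lns for the '%s' argument before the log call is made, so a NULL t->lns faults at that deref; a stale non-NULL t->lns would instead hand vsnprintf a garbage string pointer and fault inside the formatter, which is where the posted backtrace lands. The checked variant validates t->lns first and reports that the packet should be discarded.

```c
/* Added example, not l2tpd source. Struct layouts, fmt_log() and the
 * message strings are hypothetical stand-ins; only t->lns and entname
 * are names taken from the mailing-list thread. */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

#define LOG_BUFSZ 256

/* Hypothetical stand-in for the LNS config entry. */
struct lns {
    char entname[64];
};

/* Hypothetical stand-in for the tunnel; lns stays NULL until a
 * config entry has actually been bound to the tunnel. */
struct tunnel {
    int tid;
    int peer_tid;
    struct lns *lns;
};

/* Stand-in for misc.c's log(): formats into a caller buffer instead of
 * printing, so the result can be inspected. */
static int fmt_log(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Unchecked variant, mirroring the pattern in the backtrace: t->lns is
 * dereferenced to build the argument list, with no validation. With
 * t->lns == NULL this faults here; with a stale pointer it faults
 * inside vsnprintf while reading entname. Never call with a bad lns. */
int control_finish_unchecked(struct tunnel *t, char *out, size_t outsz)
{
    return fmt_log(out, outsz,
                   "Connection established to tunnel %d. LNS session is '%s'\n",
                   t->peer_tid, t->lns->entname);
}

/* Checked variant: validate t->lns before touching it. Returns 0 when
 * the message was logged and -1 when the packet should be discarded. */
int control_finish_checked(struct tunnel *t, char *out, size_t outsz)
{
    if (t == NULL || t->lns == NULL) {
        /* Log without dereferencing the missing LNS, then drop the packet. */
        fmt_log(out, outsz,
                "Discarding control packet for tunnel %d: no LNS bound\n",
                t ? t->tid : -1);
        return -1;
    }
    if (fmt_log(out, outsz,
                "Connection established to tunnel %d. LNS session is '%s'\n",
                t->peer_tid, t->lns->entname) < 0)
        return -1;
    return 0;
}

/* Constructed scenarios so the behaviour can be checked without stdout. */
int demo_null_lns(void)
{
    char buf[LOG_BUFSZ];
    struct tunnel bad = { 2, 201, NULL };   /* state reached by the crafted packet */
    return control_finish_checked(&bad, buf, sizeof buf);
}

int demo_bound_lns(void)
{
    char buf[LOG_BUFSZ];
    struct lns cfg = { "default" };
    struct tunnel good = { 1, 200, &cfg };
    if (control_finish_checked(&good, buf, sizeof buf) != 0)
        return -1;
    return strcmp(buf,
        "Connection established to tunnel 200. LNS session is 'default'\n");
}

int main(void)
{
    char buf[LOG_BUFSZ];
    struct lns cfg = { "default" };
    struct tunnel good = { 1, 200, &cfg };
    struct tunnel bad  = { 2, 201, NULL };

    control_finish_checked(&good, buf, sizeof buf);
    fputs(buf, stdout);
    if (control_finish_checked(&bad, buf, sizeof buf) < 0)
        fputs(buf, stdout);
    /* control_finish_unchecked(&bad, buf, sizeof buf) would fault here. */
    return 0;
}
```

The point of the checked variant is that the validation happens before the argument list for the log call is built; moving the check into the logging function itself would be too late, because the '%s' argument is already evaluated by the caller.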