
AW: Remote SIGSEGV in l2tpd

> -----Original Message-----
> From: Renaud Deraison [mailto:deraison@nessus.org]
> Date: Friday, 14 March 2003 19:39
> To: l2tpd-devel@l2tpd.org
> Subject: Remote SIGSEGV in l2tpd
> 
> [..]
> I found a denial of service on l2tpd 0.69 - if an attacker sends
> data {0xC8,2,0,20,0,0,0,0,0,0,0,0,0,8, 0,0,0,0,0,3} to the L2TPD
> server, l2tpd dies with a segfault. An attacker may use this flaw to
> prevent legitimate users from connecting via L2TPD.
> There's no need for pre-authentication or whatever.
> 
> GDB backtrace shows :
> Program received signal SIGSEGV, Segmentation fault.
> 0x280ed04e in vfprintf () from /usr/lib/libc.so.4
> (gdb) bt
> #0  0x280ed04e in vfprintf () from /usr/lib/libc.so.4
> #1  0x280b5d1e in vsnprintf () from /usr/lib/libc.so.4
> #2  0x804afdd in log (level=6, 
>     fmt=0x80575e0 "%s: Connection established to %s, %d.  Local: %d,
>     Remote: %d.  LNS session is '%s'\n") at misc.c:37
> #3  0x804c4f8 in control_finish (t=0x8065800, c=0x8065c00) at
>     control.c:623
> #4  0x804dcf1 in handle_packet (buf=0x8063000, t=0x8065800, 
> c=0x8065c00)
>         at control.c:1692
> #5  0x80527ce in network_thread () at network.c:405
> #6  0x804af1e in main (argc=3, argv=0xbfbff9e0) at l2tpd.c:1123
> #7  0x804930d in _start ()

Hi!

From a quick view into the code and a test run, I would say this is because the state machine in control_finish() does not check whether t->lns has been set sensibly. From my gdb output it's clear that t->lns is NULL (or otherwise invalid), and thus vfprintf() segfaults because there is no t->lns->entname. I guess in this situation, t->lns should be validated, and the packet discarded if it's not valid. At least, t->lns should be checked to avoid any NULL pointer dereferencing. Right now I am too busy and not deeply enough into the code to propose a patch, maybe later, or somebody more jedi-ish about l2tpd and L2TP in general will be faster..? :)

Regards,

Oliver
-- 
Please forgive me using this broken mail client, it's company policy...
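The check Oliver sketches above (validate t->lns before log() is handed t->lns->entname as a %s argument), as an added C example that is not l2tpd's code: the struct layouts and the control_finish_checked name are hypothetical stand-ins for the real control.c/misc.c code, and the log line is written into a caller-supplied buffer so the outcome can be inspected instead of printed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the l2tpd structures named in the backtrace. The layout is
 * hypothetical; only the fields this example touches are modelled. */
struct lns    { char entname[32]; };                   /* logged with %s */
struct tunnel { struct lns *lns; int tid, peer_tid; }; /* lns may be NULL */
struct call   { int cid, peer_cid; };

/* Hardened stand-in for the log() call at control.c:623. Instead of passing
 * t->lns->entname straight into the format string, it validates t->lns first
 * and tells the caller to discard the packet when the tunnel is not bound to
 * an LNS. Returns 0 if the "established" line was formatted into out (size
 * n), -1 if the packet should be dropped (out then holds the reason). */
int control_finish_checked(const struct tunnel *t, const struct call *c,
                           char *out, size_t n)
{
    if (t == NULL || c == NULL || out == NULL || n == 0)
        return -1;

    /* The check the original code lacks: a NULL t->lns means the control
     * connection never reached a state where this log line is valid. */
    if (t->lns == NULL) {
        snprintf(out, n, "control_finish: tunnel %d has no LNS bound, "
                         "discarding packet\n", t->tid);
        return -1;
    }

    snprintf(out, n, "control_finish: Connection established to %d, %d.  "
                     "Local: %d, Remote: %d.  LNS session is '%s'\n",
             t->peer_tid, c->peer_cid, t->tid, c->cid, t->lns->entname);
    return 0;
}

/* Stand-alone run over two constructed tunnels: one bound to an LNS, one
 * not. The unbound one reproduces the reported state without crashing. */
int main(void)
{
    struct lns peer = { "lns-a" };                       /* constructed */
    struct tunnel bound = { &peer, 1, 7 }, unbound = { NULL, 2, 9 };
    struct call c = { 3, 5 };
    char line[160];

    control_finish_checked(&bound, &c, line, sizeof line);   /* returns 0 */
    fputs(line, stderr);
    control_finish_checked(&unbound, &c, line, sizeof line); /* returns -1 */
    fputs(line, stderr);
    return 0;
}
```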