Remote SIGSEGV in l2tpd
Hi,
I found a denial of service on l2tpd 0.69 - if an attacker sends
data {0xC8,2,0,20,0,0,0,0,0,0,0,0,0,8, 0,0,0,0,0,3} to the L2TPD
server, l2tpd dies with a segfault. An attacker may use this flaw to
prevent legitimate users from connecting via L2TPD.
There's no need for pre-authentication or whatever.
GDB backtrace shows:
Program received signal SIGSEGV, Segmentation fault.
0x280ed04e in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0 0x280ed04e in vfprintf () from /usr/lib/libc.so.4
#1 0x280b5d1e in vsnprintf () from /usr/lib/libc.so.4
#2 0x804afdd in log (level=6, fmt=0x80575e0 "%s: Connection established to %s, %d. Local: %d, Remote: %d. LNS session is '%s'\n") at misc.c:37
#3 0x804c4f8 in control_finish (t=0x8065800, c=0x8065c00) at control.c:623
#4 0x804dcf1 in handle_packet (buf=0x8063000, t=0x8065800, c=0x8065c00) at control.c:1692
#5 0x80527ce in network_thread () at network.c:405
#6 0x804af1e in main (argc=3, argv=0xbfbff9e0) at l2tpd.c:1123
#7 0x804930d in _start ()
-- Renaud
--
Renaud Deraison
The Nessus Project
http://www.nessus.org
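
Read against the RFC 2661 control-message layout, the 20 bytes quoted in the post decode to a Message Type 3 (SCCCN, Start-Control-Connection-Connected) addressed to Tunnel ID 0, i.e. the last message of the tunnel handshake arriving without the earlier ones. The C below is an added example, not part of the original post and not l2tpd code: it decodes the header and first AVP with bounds checks and flags that condition for triage. The function names are hypothetical, and the check does not claim to be the root cause or the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2TP_SCCCN 3   /* Start-Control-Connection-Connected, RFC 2661 */

/* The 20 bytes quoted in the report above. */
static const uint8_t reported[] = {0xC8,2,0,20,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,3};

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Return the Message Type of an RFC 2661 control message and store its
 * Tunnel ID in *tunnel_id, or return -1 if the datagram is not a
 * well-formed control message that opens with a Message Type AVP.
 * (Hypothetical helper, not an l2tpd function.) */
int l2tp_msg_type(const uint8_t *b, size_t n, unsigned *tunnel_id)
{
    if (n < 20)                                       /* 12-byte header + 8-byte AVP */
        return -1;
    if ((b[0] & 0xC8) != 0xC8 || (b[1] & 0x0F) != 2)  /* T, L, S bits; version 2 */
        return -1;
    if (be16(b + 2) < 20 || be16(b + 2) > n)          /* Length must fit the datagram */
        return -1;
    if ((be16(b + 12) & 0x03FF) != 8)                 /* AVP length is the low 10 bits */
        return -1;
    if (be16(b + 14) != 0 || be16(b + 16) != 0)       /* Vendor ID 0, Attribute Type 0 */
        return -1;
    *tunnel_id = be16(b + 4);
    return (int)be16(b + 18);
}

/* Flag an SCCCN addressed to Tunnel ID 0: the final handshake message
 * arriving for a tunnel the receiver never assigned an ID to. */
int l2tp_scccn_without_tunnel(const uint8_t *b, size_t n)
{
    unsigned tid = 0;
    return l2tp_msg_type(b, n, &tid) == L2TP_SCCCN && tid == 0;
}

int main(void)
{
    unsigned tid = 0;
    int type = l2tp_msg_type(reported, sizeof reported, &tid);
    printf("message type %d, tunnel id %u, flagged: %d\n", type, tid,
           l2tp_scccn_without_tunnel(reported, sizeof reported));
    return 0;
}
```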