Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 27 Sep 2000 02:16:44 -0700 (PDT)
From:      dli@3bc.de
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/21592: insufficient PAP authentication in isp protocol stack
Message-ID:  <20000927091644.056B237B422@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         21592
>Category:       kern
>Synopsis:       insufficient PAP authentication in isp protocol stack
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 27 02:20:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Dirk Liebke
>Release:        4.0 and stable
>Organization:
3B Communicationssysteme GmbH
>Environment:
>Description:
This flaw leads to a remote access exploit when the offending host 
gets initial access to the synchonoues ppp protocolstack
(possibly through a wildcard ISDN connect) and the channel is configured
to use pap authentication.

The authentication code does a short compare on the configured 
authname/authkey and the remotely supplied authname/authkey. 
In the extrem end you may connect without supplying authname 
and authkey.
>How-To-Repeat:
The effect is easily demonstrated with a remote WinXXX 
system connecting over ISDN.
>Fix:
------------- cut here -------------------------------------------------

*** if_spppsubr.c.orig  Mon Sep 25 15:01:11 2000
--- if_spppsubr.c       Mon Sep 25 15:17:35 2000
***************
*** 3413,3420 ****
                        sppp_print_string((char*)passwd, passwd_len);
                        addlog(">\n");
                }
!               if (name_len > AUTHNAMELEN ||
!                   passwd_len > AUTHKEYLEN ||
                    bcmp(name, sp->hisauth.name, name_len) != 0 ||
                    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
                        /* action scn, tld */
--- 3413,3420 ----
                        sppp_print_string((char*)passwd, passwd_len);
                        addlog(">\n");
                }
!               if (name_len != sppp_strnlen(sp->hisauth.name,
AUTHNAMELEN) ||
!                   passwd_len != sppp_strnlen(sp->hisauth.secret,
AUTHKEYLEN) ||
                    bcmp(name, sp->hisauth.name, name_len) != 0 ||
                    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
                        /* action scn, tld */
------------- cut here -------------------------------------------------

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000927091644.056B237B422>