From nobody@FreeBSD.ORG Wed Sep 27 02:16:44 2000 Return-Path: Received: by hub.freebsd.org (Postfix, from userid 32767) id 056B237B422; Wed, 27 Sep 2000 02:16:44 -0700 (PDT) Message-Id: <20000927091644.056B237B422@hub.freebsd.org> Date: Wed, 27 Sep 2000 02:16:44 -0700 (PDT) From: dli@3bc.de Sender: nobody@FreeBSD.ORG To: freebsd-gnats-submit@FreeBSD.org Subject: insufficient PAP authentication in isp protocol stack X-Send-Pr-Version: www-1.0 >Number: 21592 >Category: kern >Synopsis: insufficient PAP authentication in isp protocol stack >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Sep 27 02:20:01 PDT 2000 >Closed-Date: Sun Mar 25 11:53:15 MEST 2001 >Last-Modified: Sun Mar 25 11:54:39 MEST 2001 >Originator: Dirk Liebke >Release: 4.0 and stable >Organization: 3B Communicationssysteme GmbH >Environment: >Description: This flaw leads to a remote access exploit when the offending host gets initial access to the synchonoues ppp protocolstack (possibly through a wildcard ISDN connect) and the channel is configured to use pap authentication. The authentication code does a short compare on the configured authname/authkey and the remotely supplied authname/authkey. In the extrem end you may connect without supplying authname and authkey. >How-To-Repeat: The effect is easily demonstrated with a remote WinXXX system connecting over ISDN. >Fix: ------------- cut here ------------------------------------------------- *** if_spppsubr.c.orig Mon Sep 25 15:01:11 2000 --- if_spppsubr.c Mon Sep 25 15:17:35 2000 *************** *** 3413,3420 **** sppp_print_string((char*)passwd, passwd_len); addlog(">\n"); } ! if (name_len > AUTHNAMELEN || ! passwd_len > AUTHKEYLEN || bcmp(name, sp->hisauth.name, name_len) != 0 || bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { /* action scn, tld */ --- 3413,3420 ---- sppp_print_string((char*)passwd, passwd_len); addlog(">\n"); } ! if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) || ! passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) || bcmp(name, sp->hisauth.name, name_len) != 0 || bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { /* action scn, tld */ ------------- cut here ------------------------------------------------- >Release-Note: >Audit-Trail: State-Changed-From-To: open->closed State-Changed-By: joerg State-Changed-When: Sun Mar 25 11:53:15 MEST 2001 State-Changed-Why: Fixed in rev 1.66 of if_spppsubr.c, thanks! (p.s.: Please don't cut&paste context diffs into an email, this makes them virtually useless by removing the TABs.) http://www.freebsd.org/cgi/query-pr.cgi?pr=21592 >Unformatted: