Gentoo: pptpd Remote buffer overflow


- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200304-08
- - ---------------------------------------------------------------------

          PACKAGE : pptpd
          SUMMARY : buffer overflow
             DATE : 2003-04-28 09:22 UTC
          EXPLOIT : remote
VERSIONS AFFECTED : =pptpd-1.1.3.20030429
              CVE : CAN-2003-0213

- - ---------------------------------------------------------------------

- From advisory:

"PPTP packet header contain 16bit length which specifies the full size of
the packet:

        bytes_this = read(clientFd, packet + bytes_ttl, 2 - bytes_ttl);
        // ...
        bytes_ttl += bytes_this;
        // ...
        length = htons(*(u_int16_t *) packet);
        if (length > PPTP_MAX_CTRL_PCKT_SIZE) {
          // abort
        }

Looks good so far, except:

        bytes_this = read(clientFd, packet + bytes_ttl, length - bytes_ttl);

If given length was 0 or 1, the "length - bytes_ttl" result is -1 or -2,
which means that it reads unlimited amount of data from client into
"packet", which is a buffer located in stack.

The exploitability only depends on if libc allows the size parameter to be
larger than SSIZE_MAX bytes. GLIBC does, Solaris and *BSD don't."

Read the full advisory at: 
https://marc.theaimsgroup.com/?l=bugtraq&m=104994375011406&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-dialup/pptpd upgrade to pptpd-1.1.3.20030409 as follows:

emerge sync
emerge pptpd
emerge clean

- - --------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200304-08 - - ---------------------------------------------------------------------
- - ---------------------------------------------------------------------
- From advisory:
"PPTP packet header contain 16bit length which specifies the full size of the packet:
bytes_this = read(clientFd, packet + bytes_ttl, 2 - bytes_ttl); // ... bytes_ttl += bytes_this; // ... length = htons(*(u_int16_t *) packet); if (length > PPTP_MAX_CTRL_PCKT_SIZE) { // abort }
Looks good so far, except:
bytes_this = read(clientFd, packet + bytes_ttl, length - bytes_ttl);
If given length was 0 or 1, the "length - bytes_ttl" result is -1 or -2, which means that it reads unlimited amount of data from client into "packet", which is a buffer located in stack.
The exploitability only depends on if libc allows the size parameter to be larger than SSIZE_MAX bytes. GLIBC does, Solaris and *BSD don't."
Read the full advisory at: https://marc.theaimsgroup.com/?l=bugtraq&m=104994375011406&w=2
SOLUTION
It is recommended that all Gentoo Linux users who are running net-dialup/pptpd upgrade to pptpd-1.1.3.20030409 as follows:
emerge sync emerge pptpd emerge clean

What Are You Looking For?

Gentoo: pptpd Remote buffer overflow

Summary

Resolution

References

Availability

Concerns

Synopsis

Background

Affected Packages

Impact

Workaround

Linux version of Qilin ransomware focuses on VMware ESXi

Tails 5.20 Brings Latest Tor Browser, Ditches AdGuard Filter List

CISA Orders Federal Agencies to Patch Looney Tunables Linux Bug

How Meta Patches Linux at Hyperscale

News

Advisories

HOWTOs

Features

Using Open Source to Ensure Compliance & Data Integrity through Data Governance

Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!

Unlocking the Future of Authentication: Passkeys vs. Passwords

Empowering MSPs with Straightforward Linux Device Management

A Complete Guide to Torrenting Safely in 2024

About Us

Powered By

What Are You Looking For?

Gentoo: pptpd Remote buffer overflow

Summary

Resolution

References

Availability

Concerns

Synopsis

Get the Latest News & Insights

Background

Affected Packages

Impact

Workaround

Related News

News

Advisories

HOWTOs

Features

About Us

Powered By