From nobody@FreeBSD.ORG  Wed Sep 27 02:16:44 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 056B237B422; Wed, 27 Sep 2000 02:16:44 -0700 (PDT)
Message-Id: <20000927091644.056B237B422@hub.freebsd.org>
Date: Wed, 27 Sep 2000 02:16:44 -0700 (PDT)
From: dli@3bc.de
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: insufficient PAP authentication in isp protocol stack
X-Send-Pr-Version: www-1.0

>Number:         21592
>Category:       kern
>Synopsis:       insufficient PAP authentication in isp protocol stack
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 27 02:20:01 PDT 2000
>Closed-Date:    Sun Mar 25 11:53:15 MEST 2001
>Last-Modified:  Sun Mar 25 11:54:39 MEST 2001
>Originator:     Dirk Liebke
>Release:        4.0 and stable
>Organization:
3B Communicationssysteme GmbH
>Environment:
>Description:
This flaw leads to a remote access exploit when the offending host 
gets initial access to the synchonoues ppp protocolstack
(possibly through a wildcard ISDN connect) and the channel is configured
to use pap authentication.

The authentication code does a short compare on the configured 
authname/authkey and the remotely supplied authname/authkey. 
In the extrem end you may connect without supplying authname 
and authkey.
>How-To-Repeat:
The effect is easily demonstrated with a remote WinXXX 
system connecting over ISDN.
>Fix:
------------- cut here -------------------------------------------------

*** if_spppsubr.c.orig  Mon Sep 25 15:01:11 2000
--- if_spppsubr.c       Mon Sep 25 15:17:35 2000
***************
*** 3413,3420 ****
                        sppp_print_string((char*)passwd, passwd_len);
                        addlog(">\n");
                }
!               if (name_len > AUTHNAMELEN ||
!                   passwd_len > AUTHKEYLEN ||
                    bcmp(name, sp->hisauth.name, name_len) != 0 ||
                    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
                        /* action scn, tld */
--- 3413,3420 ----
                        sppp_print_string((char*)passwd, passwd_len);
                        addlog(">\n");
                }
!               if (name_len != sppp_strnlen(sp->hisauth.name,
AUTHNAMELEN) ||
!                   passwd_len != sppp_strnlen(sp->hisauth.secret,
AUTHKEYLEN) ||
                    bcmp(name, sp->hisauth.name, name_len) != 0 ||
                    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
                        /* action scn, tld */
------------- cut here -------------------------------------------------

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: joerg 
State-Changed-When: Sun Mar 25 11:53:15 MEST 2001 
State-Changed-Why:  
Fixed in rev 1.66 of if_spppsubr.c, thanks! 

(p.s.: Please don't cut&paste context diffs into an email, this 
makes them virtually useless by removing the TABs.) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21592 
>Unformatted:
