From owner-freebsd-bugs  Wed Sep 27  2:20: 9 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id D1BF337B423
	for <freebsd-bugs@FreeBSD.org>; Wed, 27 Sep 2000 02:20:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id CAA12005;
	Wed, 27 Sep 2000 02:20:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 056B237B422; Wed, 27 Sep 2000 02:16:44 -0700 (PDT)
Message-Id: <20000927091644.056B237B422@hub.freebsd.org>
Date: Wed, 27 Sep 2000 02:16:44 -0700 (PDT)
From: dli@3bc.de
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/21592: insufficient PAP authentication in isp protocol stack
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         21592
>Category:       kern
>Synopsis:       insufficient PAP authentication in isp protocol stack
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 27 02:20:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Dirk Liebke
>Release:        4.0 and stable
>Organization:
3B Communicationssysteme GmbH
>Environment:
>Description:
This flaw leads to a remote access exploit when the offending host 
gets initial access to the synchonoues ppp protocolstack
(possibly through a wildcard ISDN connect) and the channel is configured
to use pap authentication.

The authentication code does a short compare on the configured 
authname/authkey and the remotely supplied authname/authkey. 
In the extrem end you may connect without supplying authname 
and authkey.
>How-To-Repeat:
The effect is easily demonstrated with a remote WinXXX 
system connecting over ISDN.
>Fix:
------------- cut here -------------------------------------------------

*** if_spppsubr.c.orig  Mon Sep 25 15:01:11 2000
--- if_spppsubr.c       Mon Sep 25 15:17:35 2000
***************
*** 3413,3420 ****
                        sppp_print_string((char*)passwd, passwd_len);
                        addlog(">\n");
                }
!               if (name_len > AUTHNAMELEN ||
!                   passwd_len > AUTHKEYLEN ||
                    bcmp(name, sp->hisauth.name, name_len) != 0 ||
                    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
                        /* action scn, tld */
--- 3413,3420 ----
                        sppp_print_string((char*)passwd, passwd_len);
                        addlog(">\n");
                }
!               if (name_len != sppp_strnlen(sp->hisauth.name,
AUTHNAMELEN) ||
!                   passwd_len != sppp_strnlen(sp->hisauth.secret,
AUTHKEYLEN) ||
                    bcmp(name, sp->hisauth.name, name_len) != 0 ||
                    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
                        /* action scn, tld */
------------- cut here -------------------------------------------------

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message