Vulnerability in pppd and lwIP allowing remote code execution as root

A vulnerability (CVE-2020-8597) has been identified in the pppd package that allows arbitrary code execution by sending specially crafted authentication requests to systems using the PPP (Point-to-Point Protocol) or PPPoE (PPP over Ethernet) protocols. These protocols are commonly used by ISPs to establish connections over Ethernet or DSL, and they are also used by some VPNs (for example, pptpd and openfortivpn). A prototype exploit has been prepared so that administrators can test whether their systems are susceptible to the problem.

The vulnerability is caused by a buffer overflow in the implementation of the EAP (Extensible Authentication Protocol) authentication protocol. The attack can be carried out at the pre-authentication stage by sending a packet of type EAPT_MD5CHAP that carries a very long hostname which does not fit in the allocated buffer. Because of a bug in the code that checks the size of the rhostname field, an attacker can overwrite data beyond the buffer on the stack and achieve remote execution of code as root. The vulnerability is present on both the server and the client side: not only can a server be attacked, but so can a client connecting to a server under the attacker's control (for example, an attacker could first compromise a server through the vulnerability and then attack the clients that connect to it).
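The following is an added illustration, not code from pppd or from the original article, of the class of length-check error described above. The flawed check is modelled on the shape of the pre-fix logic (compare the value offset against the packet length plus the buffer size, a condition that cannot hold for a well-formed packet, so the copy is never trimmed); the corrected check compares the actual name length against the buffer. The packet layout, the 256-byte buffer size and all function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RHOSTNAME_SIZE 256 /* assumed size of the stack buffer for the peer name */

/* Flawed check (shape of the pre-fix logic, simplified): since vallen < len
 * for any sane packet, vallen >= len + RHOSTNAME_SIZE is never true, and the
 * untrimmed copy of len - vallen bytes proceeds into the 256-byte buffer. */
bool flawed_check_trims(size_t vallen, size_t len) {
    return vallen >= len + RHOSTNAME_SIZE;
}

/* Corrected check: the peer name occupies len - vallen bytes; trim whenever
 * that would not fit, and reject inconsistent length fields outright. */
bool fixed_check_trims(size_t vallen, size_t len) {
    return vallen >= len || len - vallen >= RHOSTNAME_SIZE;
}

/* Copy the peer-name portion of an MD5-Challenge style payload into rhostname
 * using the corrected logic. Assumed layout: inp[0] = value-size byte,
 * inp[1 .. vallen-1] = challenge value, the rest = peer name; len = total bytes.
 * Returns the number of name bytes stored (NUL excluded) or -1 if malformed. */
int copy_peer_name(const uint8_t *inp, size_t len, char rhostname[RHOSTNAME_SIZE]) {
    if (len < 1) return -1;
    size_t vallen = (size_t)inp[0] + 1;  /* value-size byte plus the value itself */
    if (vallen > len) return -1;         /* length fields inconsistent */
    size_t namelen = len - vallen;
    if (namelen >= RHOSTNAME_SIZE)       /* would overflow: trim instead */
        namelen = RHOSTNAME_SIZE - 1;
    memcpy(rhostname, inp + vallen, namelen);
    rhostname[namelen] = '\0';
    return (int)namelen;
}

/* Constructed sample: a 16-byte challenge value followed by a 600-byte name.
 * Returns the length actually stored by copy_peer_name (255 after trimming). */
int demo_oversized_name(void) {
    uint8_t pkt[1 + 16 + 600];
    char rhostname[RHOSTNAME_SIZE];
    pkt[0] = 16;                         /* value-size byte */
    memset(pkt + 1, 0xAA, 16);           /* challenge value (constructed) */
    memset(pkt + 17, 'A', 600);          /* oversized peer name (constructed) */
    return copy_peer_name(pkt, sizeof pkt, rhostname);
}
```

For the constructed packet (vallen = 17, len = 617) the flawed check reports no trimming while the corrected one does, which is exactly the gap that lets the copy run past the buffer.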

The problem affects pppd versions 2.4.2 through 2.4.8 inclusive and has been fixed in the form of a patch. The vulnerability also affects the lwIP stack, but the default lwIP configuration does not enable EAP support.

The status of fixes in distributions can be checked on these pages: Debian, Ubuntu, RHEL, Fedora, SUSE, OpenWRT, Arch, NetBSD. On RHEL, OpenWRT, and SUSE, pppd is built with Stack Smashing Protection enabled (gcc's "-fstack-protector" mode), which limits exploitation to crashes. Beyond distributions, the vulnerability is also confirmed in some products from Cisco (Call Manager), TP-LINK, and Synology (DiskStation Manager, VisualStation VS960HD, and Router Manager) that use pppd or lwIP code.

Source: opennet.ru