Roaring Penguin PPPoE Denial of Service Vulnerability
BID:2098
Info
| Bugtraq ID: | 2098 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 11 2000 12:00AM |
| Updated: | Dec 11 2000 12:00AM |
| Credit: | Discovered by Robert Schlabbach. Posted to Bugtraq with fix information by David F. Skoll <[email protected]> on Dec 11, 2000. |
| Vulnerable: | Roaring Penguin Software PPPoE 2.4, Roaring Penguin Software PPPoE 2.3, Roaring Penguin Software PPPoE 2.2, Roaring Penguin Software PPPoE 2.1, Roaring Penguin Software PPPoE 2.0, Redhat Linux 7.0 |
| Not Vulnerable: | Roaring Penguin Software PPPoE 2.5.1, Roaring Penguin Software PPPoE 2.5 |
Discussion
Roaring Penguin Software's PPPoE is a freeware PPP over Ethernet client often used by ADSL subscribers running Linux or NetBSD.
PPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is used. If PPPoE receives a malformed TCP packet containing a "zero-length option", it goes into an infinite loop. As a result, the PPP connection supported by PPPoE times out and is terminated. A manual restart is needed to regain functionality.
Roaring Penguin Software has fixed this bug in a new version; see the Solution section.
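The class of fix for this kind of bug is an option walk that cannot stall. The following is an added example, not rp-pppoe's own code: a bounds-checked TCP option walker for MSS clamping that rejects a length byte below 2. The function and constant names, the 1412-byte limit and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MSS = 2 };
/* Result codes; the names are this example's own, not rp-pppoe's. */
enum clamp_result { CLAMP_MALFORMED = -1, CLAMP_NONE = 0, CLAMP_DONE = 1 };

/* Walk the TCP option bytes (everything after the 20-byte fixed header)
 * and lower an MSS option that exceeds max_mss. Each pass through the
 * loop either returns or advances i by at least one byte, so the walk
 * terminates on any input. */
enum clamp_result clamp_mss(uint8_t *opts, size_t len, uint16_t max_mss)
{
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) return CLAMP_NONE;
        if (kind == TCPOPT_NOP) { i++; continue; }
        /* Every other option has a length byte covering kind + length + data. */
        if (len - i < 2) return CLAMP_MALFORMED;
        uint8_t optlen = opts[i + 1];
        /* optlen 0 would leave i unchanged (the zero-length option case);
         * 1 is equally invalid, and a value past the buffer end is a
         * truncated option. */
        if (optlen < 2 || optlen > len - i) return CLAMP_MALFORMED;
        if (kind == TCPOPT_MSS) {
            if (optlen != 4) return CLAMP_MALFORMED;
            uint16_t mss = (uint16_t)((opts[i + 2] << 8) | opts[i + 3]);
            if (mss <= max_mss) return CLAMP_NONE;
            opts[i + 2] = (uint8_t)(max_mss >> 8);
            opts[i + 3] = (uint8_t)(max_mss & 0xff);
            return CLAMP_DONE; /* caller must then fix up the TCP checksum */
        }
        i += optlen;
    }
    return CLAMP_NONE;
}

int main(void)
{
    /* Constructed option bytes, not captured traffic. */
    uint8_t good[] = { 1, 1, 2, 4, 0x05, 0xb4 };   /* NOP NOP MSS=1460 */
    uint8_t bad[]  = { 3, 0, 2, 4, 0x05, 0xb4 };   /* option with length 0 */
    printf("good: %d\n", clamp_mss(good, sizeof good, 1412));
    printf("bad:  %d\n", clamp_mss(bad, sizeof bad, 1412));
    return 0;
}
```

A caller that receives `CLAMP_MALFORMED` can forward the packet unmodified or drop it; either way the relay keeps running.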
Exploit / POC
The following exploit is available:
Solution / Fix
Solution:
Upgrade to version 2.5 or higher.
Conectiva has released updates to correct the vulnerability in the version of rp-pppoe shipped with their systems.
Redhat has released an advisory (RHSA-2000:130-05) and fixes to address this vulnerability. Please see the referenced advisory for further information.
Roaring Penguin Software PPPoE 2.0
- Roaring Penguin Software rp-pppoe-2.5: http://www.roaringpenguin.com/pppoe/rp-pppoe-2.5.tar.gz
Roaring Penguin Software PPPoE 2.1
- Roaring Penguin Software rp-pppoe-2.5: http://www.roaringpenguin.com/pppoe/rp-pppoe-2.5.tar.gz
Roaring Penguin Software PPPoE 2.2
- Roaring Penguin Software rp-pppoe-2.5: http://www.roaringpenguin.com/pppoe/rp-pppoe-2.5.tar.gz
Roaring Penguin Software PPPoE 2.3
- Roaring Penguin Software rp-pppoe-2.5: http://www.roaringpenguin.com/pppoe/rp-pppoe-2.5.tar.gz
Roaring Penguin Software PPPoE 2.4
- Conectiva 6.0 i386 rp-pppoe-2.5-1cl: ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rp-pppoe-2.5-1cl.i386.rpm
- MandrakeSoft 7.1 i386 rp-pppoe-2.5-2.1mdk.i586.rpm: http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.1/RPMS/rp-pppoe-2.5-2.1mdk.i586.rpm
- MandrakeSoft 7.2 i386 rp-pppoe-2.5-2.2mdk.i586.rpm: http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.2/RPMS/rp-pppoe-2.5-2.2mdk.i586.rpm
- Roaring Penguin Software rp-pppoe-2.5: http://www.roaringpenguin.com/pppoe/rp-pppoe-2.5.tar.gz
References
References:
- PPPoE Homepage (Roaring Penguin Software)
- RHSA-2000-130 - Updated rp-pppoe packages (Red Hat)