
CVE-2020-8597 PoC: ppp buffer overflow vulnerability

Associated Vulnerability

Title: ppp buffer overflow vulnerability (CVE-2020-8597)
Description: ppp is an open-source library from Paul's PPP Package that implements the Point-to-Point Protocol (PPP). In pppd of ppp versions 2.4.2 through 2.4.8, the 'eap_request' and 'eap_response' functions contain a buffer overflow, which stems from the program not correctly checking bounds. A remote attacker can exploit it with a crafted EAP packet to execute arbitrary code on the system or cause memory corruption.

Readme
# CVE-2020-8597


eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.

If you manage to get the peer name that pppd logs as "EAP: unauthenticated peer name" long enough (my client seems to limit it to 255), you can trigger the buffer overflow: rhostname is a fixed 256-byte stack buffer and the pre-patch length check never actually trims the name.

You still have to beat the stack canary and, as the trace below shows, FORTIFY_SOURCE (glibc aborts with `*** buffer overflow detected ***` via __fortify_fail before the copy even happens), so a crash is the most likely outcome. Note also that the memory map in that trace shows pppd mapped at 0x400000, i.e. a non-PIE build, so the crash was produced on a different build than the one checksec'd below.

```
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols      FORTIFY  Fortified  Fortifiable  FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   No Symbols   Yes      12         22           /usr/sbin/pppd
```

Affects ppp and pppoe (PPP over Ethernet)

Source (patch):

https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
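The bounds check that the linked commit fixes is easy to misread, so here is an added example (not code from this repository or from pppd) that re-implements just the length decision pppd makes for the MD5-Challenge name in eap_request, once with the original condition and once with the patched one, and runs both over a constructed EAP Request. It does not perform the out-of-bounds copy; it reports how many bytes each version would BCOPY into the 256-byte rhostname, so the dead trimming branch is visible without crashing anything. The vallen sanity check (8..len) and the 256-byte buffer size are taken from pppd's eap.c; the packet builder and all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RHOSTNAME_SIZE 256   /* pppd: char rhostname[256] local in eap_request() */
#define EAP_HEADERLEN 4      /* Code(1) Identifier(1) Length(2) */
#define EAP_REQUEST 1
#define EAPT_MD5CHAP 4

/* Length decision for the MD5-Challenge name copy in eap_request().
 * inp points at the Value-Size octet (the byte after the EAP Type octet) and
 * len is the number of bytes from there to the end of the packet, which is
 * how pppd counts it. Returns the number of bytes that would be BCOPY'd into
 * rhostname, or -1 if pppd rejects the packet before copying anything. */
static long name_copy_len(const uint8_t *inp, long len, int patched)
{
    if (len < 1)
        return -1;                        /* "MD5-Challenge with no data" */
    long vallen = inp[0];                 /* GETCHAR(vallen, inp); len--; */
    len--;
    if (vallen < 8 || vallen > len)
        return -1;                        /* "MD5-Challenge with bad length" */

    if (patched) {
        /* Check from commit 8d7970b8: compare the name length itself. */
        if (len - vallen >= RHOSTNAME_SIZE)
            return RHOSTNAME_SIZE - 1;    /* trimmed, NUL still fits */
    } else {
        /* Original check. Since vallen <= len was just established,
         * vallen >= len + 256 can never hold: the trim branch is dead. */
        if (vallen >= len + RHOSTNAME_SIZE)
            return RHOSTNAME_SIZE - 1;
    }
    return len - vallen;                  /* BCOPY(inp + vallen, rhostname, len - vallen) */
}

/* True if copying n bytes plus the terminating NUL exceeds rhostname. */
static int would_overflow(long n)
{
    return n >= 0 && n + 1 > RHOSTNAME_SIZE;
}

/* Constructed EAP MD5-Challenge Request: 8-byte challenge, then a name of
 * name_len 'A' bytes. Returns total packet length, or 0 if buf is too small. */
static size_t build_md5chap_request(uint8_t *buf, size_t cap, uint8_t id, size_t name_len)
{
    size_t total = EAP_HEADERLEN + 1 + 1 + 8 + name_len;
    if (total > cap || total > 0xFFFF)
        return 0;
    buf[0] = EAP_REQUEST;
    buf[1] = id;
    buf[2] = (uint8_t)(total >> 8);       /* Length is big-endian */
    buf[3] = (uint8_t)(total & 0xFF);
    buf[4] = EAPT_MD5CHAP;
    buf[5] = 8;                           /* Value-Size */
    memset(buf + 6, 0x11, 8);             /* challenge bytes (constructed) */
    memset(buf + 14, 'A', name_len);      /* the peer name under attacker control */
    return total;
}

/* Validate the outer EAP framing, then hand the body to the length decision
 * exactly where eap_request() would: after the header and the Type octet. */
static long decide_for_packet(const uint8_t *pkt, size_t pktlen, int patched)
{
    if (pktlen < EAP_HEADERLEN + 1)
        return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared != pktlen || pkt[0] != EAP_REQUEST || pkt[4] != EAPT_MD5CHAP)
        return -1;
    return name_copy_len(pkt + EAP_HEADERLEN + 1,
                         (long)pktlen - EAP_HEADERLEN - 1, patched);
}

/* Build a request carrying a name of name_len bytes and return the decision. */
static long demo_copy_len(size_t name_len, int patched)
{
    static uint8_t pkt[2048];
    size_t n = build_md5chap_request(pkt, sizeof pkt, 1, name_len);
    return n ? decide_for_packet(pkt, n, patched) : -1;
}

/* Value-Size larger than the remaining packet: both versions reject it. */
static long demo_bad_value_size(int patched)
{
    static uint8_t pkt[64];
    size_t n = build_md5chap_request(pkt, sizeof pkt, 2, 0);
    pkt[5] = 200;                         /* claims 200 challenge bytes, only 8 follow */
    return decide_for_packet(pkt, n, patched);
}

int main(void)
{
    size_t lens[] = { 32, 255, 256, 300 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        long before = demo_copy_len(lens[i], 0), after = demo_copy_len(lens[i], 1);
        printf("name=%3zu bytes: unpatched copies %ld (%s), patched copies %ld (%s)\n",
               lens[i], before, would_overflow(before) ? "OVERFLOW" : "ok",
               after, would_overflow(after) ? "OVERFLOW" : "ok");
    }
    printf("oversized Value-Size: unpatched %ld, patched %ld\n",
           demo_bad_value_size(0), demo_bad_value_size(1));
    return 0;
}
```

The 255-byte name is the boundary the README mentions: it is the longest name either version stores in full, since one byte must remain for the NUL. From 256 bytes upward the unpatched decision keeps copying `len - vallen` bytes into the 256-byte buffer, which is the write that FORTIFY_SOURCE's `__memcpy_chk` catches in the trace below on a fortified build, and that corrupts the stack on one that is not.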

```
*** buffer overflow detected ***: pppd terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fea131337e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fea131d515c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7fea131d3160]
pppd[0x42a858]
pppd(main+0x95f)[0x40981f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fea130dc830]
pppd(_start+0x29)[0x409db9]
======= Memory map: ========
00400000-00448000 r-xp 00000000 fd:01 11540966                           /usr/sbin/pppd
00648000-00649000 r--p 00048000 fd:01 11540966                           /usr/sbin/pppd
00649000-0064f000 rw-p 00049000 fd:01 11540966                           /usr/sbin/pppd
0064f000-0069b000 rw-p 00000000 00:00 0 
01c7b000-01c9c000 rw-p 00000000 00:00 0                                  [heap]
7fea12666000-7fea1267c000 r-xp 00000000 fd:01 13898255                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fea1267c000-7fea1287b000 ---p 00016000 fd:01 13898255                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fea1287b000-7fea1287c000 rw-p 00015000 fd:01 13898255                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7fea1287c000-7fea12887000 r-xp 00000000 fd:01 13908799                   /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12887000-7fea12a86000 ---p 0000b000 fd:01 13908799                   /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12a86000-7fea12a87000 r--p 0000a000 fd:01 13908799                   /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12a87000-7fea12a88000 rw-p 0000b000 fd:01 13908799                   /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12a88000-7fea12a8e000 rw-p 00000000 00:00 0 
7fea12a8e000-7fea12a99000 r-xp 00000000 fd:01 13908792                   /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12a99000-7fea12c98000 ---p 0000b000 fd:01 13908792                   /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12c98000-7fea12c99000 r--p 0000a000 fd:01 13908792                   /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12c99000-7fea12c9a000 rw-p 0000b000 fd:01 13908792                   /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12c9a000-7fea12cb0000 r-xp 00000000 fd:01 13908797                   /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12cb0000-7fea12eaf000 ---p 00016000 fd:01 13908797                   /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12eaf000-7fea12eb0000 r--p 00015000 fd:01 13908797                   /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12eb0000-7fea12eb1000 rw-p 00016000 fd:01 13908797                   /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12eb1000-7fea12eb3000 rw-p 00000000 00:00 0 
7fea12eb3000-7fea12ebb000 r-xp 00000000 fd:01 13908803                   /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea12ebb000-7fea130ba000 ---p 00008000 fd:01 13908803                   /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea130ba000-7fea130bb000 r--p 00007000 fd:01 13908803                   /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea130bb000-7fea130bc000 rw-p 00008000 fd:01 13908803                   /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea130bc000-7fea1327c000 r-xp 00000000 fd:01 13908802                   /lib/x86_64-linux-gnu/libc-2.23.so
7fea1327c000-7fea1347c000 ---p 001c0000 fd:01 13908802                   /lib/x86_64-linux-gnu/libc-2.23.so
7fea1347c000-7fea13480000 r--p 001c0000 fd:01 13908802                   /lib/x86_64-linux-gnu/libc-2.23.so
7fea13480000-7fea13482000 rw-p 001c4000 fd:01 13908802                   /lib/x86_64-linux-gnu/libc-2.23.so
7fea13482000-7fea13486000 rw-p 00000000 00:00 0 
7fea13486000-7fea13489000 r-xp 00000000 fd:01 13908787                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fea13489000-7fea13688000 ---p 00003000 fd:01 13908787                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fea13688000-7fea13689000 r--p 00002000 fd:01 13908787                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fea13689000-7fea1368a000 rw-p 00003000 fd:01 13908787                   /lib/x86_64-linux-gnu/libdl-2.23.so
7fea1368a000-7fea1368c000 r-xp 00000000 fd:01 13908804                   /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1368c000-7fea1388b000 ---p 00002000 fd:01 13908804                   /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1388b000-7fea1388c000 r--p 00001000 fd:01 13908804                   /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1388c000-7fea1388d000 rw-p 00002000 fd:01 13908804                   /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1388d000-7fea13896000 r-xp 00000000 fd:01 13908796                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13896000-7fea13a95000 ---p 00009000 fd:01 13908796                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13a95000-7fea13a96000 r--p 00008000 fd:01 13908796                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13a96000-7fea13a97000 rw-p 00009000 fd:01 13908796                   /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13a97000-7fea13ac5000 rw-p 00000000 00:00 0 
7fea13ac5000-7fea13aeb000 r-xp 00000000 fd:01 13908788                   /lib/x86_64-linux-gnu/ld-2.23.so
7fea13cb5000-7fea13cba000 rw-p 00000000 00:00 0 
7fea13ce5000-7fea13ce6000 rw-p 00000000 00:00 0 
7fea13ce6000-7fea13cea000 rw-s 00000000 00:17 983                        /run/pppd2.tdb
7fea13cea000-7fea13ceb000 r--p 00025000 fd:01 13908788                   /lib/x86_64-linux-gnu/ld-2.23.so
7fea13ceb000-7fea13cec000 rw-p 00026000 fd:01 13908788                   /lib/x86_64-linux-gnu/ld-2.23.so
7fea13cec000-7fea13ced000 rw-p 00000000 00:00 0 
7ffc7c941000-7ffc7c962000 rw-p 00000000 00:00 0                          [stack]
7ffc7c9b3000-7ffc7c9b6000 r--p 00000000 00:00 0                          [vvar]
7ffc7c9b6000-7ffc7c9b8000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
```
