Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1211293 - (CVE-2015-3310) CVE-2015-3310 ppp: buffer overflow in radius plug-in's rc_mksid()
CVE-2015-3310 ppp: buffer overflow in radius plug-in's rc_mksid()
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150413,repor...
: Security
Depends On: 1211294
Blocks: 1211295
  Show dependency treegraph
 
Reported: 2015-04-13 10:07 EDT by Martin Prpič
Modified: 2017-06-22 17:48 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-09 16:27:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Prpič 2015-04-13 10:07:00 EDT
A buffer overflow flaw was found in the way PPP's RADIUS plug-in processed a "start" accounting message if the PID of the pppd process is greater than 65535. A remote attacker could use this flaw to crash pppd.

CVE request with additional impact details:

http://seclists.org/oss-sec/2015/q2/119

Original report (including a proposed patch):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782450
Comment 1 Martin Prpič 2015-04-13 10:07:44 EDT
Created ppp tracking bugs for this issue:

Affects: fedora-all [bug 1211294]
Comment 2 Siddharth Sharma 2015-10-09 16:25:53 EDT
Analysis

ppp package contains the ppp ( Point-to-Point Protocol) daemon, which provides method of tranmitting datagrams over serial point-to-point links. RADIUS plugin enabled pppd to do PAP,CHAP, MS-CHAP , MS-CHAPv2 etc authentication against RADIUS server. rc_mksid() function is used to generate pseudo-unique string. rc_mksid() function is implemented in pppd/plugins/radius/util.c, following is the problematic function

/* Purpose : generate a quite unique string */

char * rc_mksid (void) {

        static char buf[15];
        static unsigned short int cnt = 0;

In the sprintf function , getpid() is used to get the pid of the pppd, which the rc_mksid function converts to hex to generate pseudo unique string. It expects hex representation to 4 chars long only so if pid is 65535 then hex representation would be 0xFFFF , where as even if pid value increases by 1 , that is 65536 hex representation would become 0x10000, which would lead to buffer overflow. 
 
        sprintf (buf, "%08lX%04X%02hX",
                 (unsigned long int) time (NULL),
                 (unsigned int) getpid(),
                  cnt & 0xFF);
        cnt++;

}

*** buffer overflow detected ***: ./pppd_demo terminated
======= Backtrace: =========
/lib64/libc.so.6[0x3977c77e15]
/lib64/libc.so.6(__fortify_fail+0x37)[0x3977d14747]
/lib64/libc.so.6[0x3977d128d0]
/lib64/libc.so.6[0x3977d11e39]
/lib64/libc.so.6(_IO_default_xsputn+0x80)[0x3977c7bc10]
/lib64/libc.so.6(_IO_vfprintf+0x1a9c)[0x3977c4d3ac]
/lib64/libc.so.6(__vsprintf_chk+0x8c)[0x3977d11ecc]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x3977d11e1d]
./pppd_demo[0x4006db]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x3977c20580]
./pppd_demo[0x4005b9]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fd:05 7733470                            <REDACTED>/SEC/secure-code/pppd_demo
00600000-00601000 r--p 00000000 fd:05 7733470                            <REDACTED>/SEC/secure-code/pppd_demo
00601000-00602000 rw-p 00001000 fd:05 7733470                            <REDACTED>/SEC/secure-code/pppd_demo
00dd3000-00df4000 rw-p 00000000 00:00 0                                  [heap]
336b000000-336b016000 r-xp 00000000 fd:02 2099497                        /usr/lib64/libgcc_s-5.1.1-20150618.so.1
336b016000-336b215000 ---p 00016000 fd:02 2099497                        /usr/lib64/libgcc_s-5.1.1-20150618.so.1
336b215000-336b216000 r--p 00015000 fd:02 2099497                        /usr/lib64/libgcc_s-5.1.1-20150618.so.1
336b216000-336b217000 rw-p 00016000 fd:02 2099497                        /usr/lib64/libgcc_s-5.1.1-20150618.so.1
3977800000-3977821000 r-xp 00000000 fd:02 2096962                        /usr/lib64/ld-2.22.so
3977a20000-3977a21000 r--p 00020000 fd:02 2096962                        /usr/lib64/ld-2.22.so
3977a21000-3977a22000 rw-p 00021000 fd:02 2096962                        /usr/lib64/ld-2.22.so
3977a22000-3977a23000 rw-p 00000000 00:00 0 
3977c00000-3977db7000 r-xp 00000000 fd:02 2096964                        /usr/lib64/libc-2.22.so
3977db7000-3977fb7000 ---p 001b7000 fd:02 2096964                        /usr/lib64/libc-2.22.so
3977fb7000-3977fbb000 r--p 001b7000 fd:02 2096964                        /usr/lib64/libc-2.22.so
3977fbb000-3977fbd000 rw-p 001bb000 fd:02 2096964                        /usr/lib64/libc-2.22.so
3977fbd000-3977fc1000 rw-p 00000000 00:00 0 
7ff9df9bb000-7ff9df9be000 rw-p 00000000 00:00 0 
7ff9df9df000-7ff9df9e1000 rw-p 00000000 00:00 0 
7fff32cf9000-7fff32d1b000 rw-p 00000000 00:00 0                          [stack]
7fff32dcc000-7fff32dce000 r--p 00000000 00:00 0                          [vvar]
7fff32dce000-7fff32dd0000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

As the crash happens in sprintf, If compiled with -D_FORTIFY_SOURCE , __sprintf_chk() would be used which would detect the crash, otherwise it would go undetected. This attack vector can be used by attacker to cause remote DOS to devices using this, though there is not evidence of this being exploited in wild.
Comment 4 Charlie Brady 2017-06-21 16:08:45 EDT
"This attack vector can be used by attacker to cause remote DOS..." - so why not fix this bug?

The Debian patch is very straightforward:

--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
+++ ppp-2.4.6/pppd/plugins/radius/util.c
@@ -77,7 +77,7 @@ rc_mksid (void)
   static unsigned short int cnt = 0;
   sprintf (buf, "%08lX%04X%02hX",
 	   (unsigned long int) time (NULL),
-	   (unsigned int) getpid (),
+	   (unsigned int) getpid () % 65535,
 	   cnt & 0xFF);
   cnt++;
   return buf;

BTW, IIUC there doesn't need to be an attacker. This bug will simply cause pppd to sometimes crash. Again, why not fix it?
Comment 5 Charlie Brady 2017-06-21 16:09:59 EDT
BTW, IIUC, this bug affects RHEL7.
Comment 6 Yogita 2017-06-22 02:59:48 EDT
Hello,

Can we have justification for why bug is not fixed as mentioned by Charlie. 
Any workaround suggestion are also much appreciated.
Comment 7 Tomas Hoger 2017-06-22 17:48:25 EDT
(In reply to Charlie Brady from comment #4)
> BTW, IIUC there doesn't need to be an attacker. This bug will simply cause
> pppd to sometimes crash.

That's fairly accurate statement - it's not much of a security issue, but more of a bug.  If ppp runs with pid higher than 65535, it crashes when reaching this code, regardless of whether it's communicating with malicious or non-malicious user.  On many systems, this problem can not be triggered at all, as pid_max is below 65536.  The following solution article explains how pid_max is determined (note that it discusses Red Hat Enterprise Linux 5 and 6 currently):

https://access.redhat.com/solutions/28908

This problem can only be triggered on systems with more than 64 CPUs by default.  Reducing pid_max should be a workaround for those systems if they do not need to run more than 65535 process at the same time.

Given all the above, this was not classified to have sufficient security impact to trigger a security update.  If you're hitting it as a regular bug in your usage, please open a support case and work with out support to open a bug report against the product version you're interested in and have the bug properly prioritized.

Note You need to log in before you can comment on or make changes to this bug.