Bug 657656 (CVE-2018-11574)

Summary: <net-dialup/ppp-2.4.7-r6: Buffer Overflow in pppd EAP-TLS implementation (CVE-2018-11574)
Product: Gentoo Security Reporter: Thomas Deutschmann <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: polynomial-c
Priority: Normal Flags: bman: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2018/06/11/1
Whiteboard: C3 [noglsa cve]
Package list:
=net-dialup/ppp-2.4.7-r6
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev Security 2018-06-09 15:48:58 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-06-11 21:08:26 UTC
- Software: pppd, in particular the EAP-TLS patch[1]

- Summary: Several buffer overflows can be triggered even when pppd is not
configured to take EAP-TLS (but the binary was patched with the
extension).

- CVE: CVE-2018-11574

- Credit:
Ivan Gotovchits <ivg@...e.org>, from Carnegie Mellon University Binary
Analysis Team

- Background:
We, the Debian security team, received the report and contacted the
package maintainer and upstream. Upstream and the submitter worked together
to agree on a patch.

- Patch:
attached.

- Relevant parts of the original report:


We would like to report a security vulnerability that we have discovered
in the EAP-TLS patch for pppd [1]. Improper input validation together
with an integer overflow may cause a crash on both sides and, less likely,
may lead to information disclosure or authentication bypass.

Detailed Description
===============

Context
-----------

The `eaptls_receive` function (eap-tls.c) is used to process data passed
via the ppp channel. It is used on both peer and authenticator sides and
is tasked to process and accumulate fragmented messages and pass them to
the SSL backend for the authentication. The message format is described
in RFC 5216. The `eaptls_receive` function is called by `eap_response`
(eap.c) and `eap_request` (eap.c), which implement the `input` method
of the EAP protocol, that is invoked in the `get_input` (main.c)
procedure, when the EAP protocol is enabled.

Problem Description
---------------------------

The EAP-TLS protocol uses packets of variable length, and passing a
short packet will result in an out-of-bounds read (CWE-125); calling
`memcpy` with a negative length parameter will lead to a buffer over-read
(CWE-126) as well as a buffer overflow (CWE-122).
Details follow.

The `eaptls_receive` function is called with three parameters, the
session pointer `ets`, the pointer `inp` to the buffer that contains
data received by the ppp channel, and the length `len` of this buffer.
The `len` parameter is a signed `int`.

Under all paths that reach this point, the constraint on the `len`
parameter is `len >= 0`, i.e., all checks before the invocation only
verify that the message is long enough to be dispatched. Every check
advances the pointer and decrements the length. For example,

     - main.c:1048-1058 // ensures that len was at least 4
     - eap.c:2077-2083  // ensures that len was at least 1

There are no checks of the `len` parameter in the `eaptls_receive`
function at all. The very first operation (eap-tls.c:804) in the
function is to read the flags field, which is not guaranteed to be
present, as `len` could be `0` here.  There are a few more unbounded reads
at `eap-tls.c:812` and `eap-tls.c:838`. Each read is accompanied by
the corresponding decrement of the length parameter. Thus, in case
of a short packet, the length could have a negative value (anything
between -1 and -5). The check `!(len + ets->datalen > ets->tlslen)` is
passed easily since `len` is negative, thus the `memcpy` call
(obfuscated with the BCOPY macro) will receive the negative `len`
parameter, which will most likely result in a segmentation fault and a
crash of the server or client.


More Advanced Scenarios
-----------------------------------

We are hypothesizing that instead of crashing the daemon it is
theoretically possible to overwrite server memory structures during the
buffer overflow in `memcpy` in such a way that it will change the state of
the authentication FSM to a more advanced state (e.g., to the authenticated
state). To achieve this, an adversary may rely on the Session Resumption
mechanism (RFC 5216, section 2.1.2): create the first session and put it
on hold, then create several other sessions and fill in the memory of
the server until the brk rises to the 4 GB bar (the `len` parameter is
32 bit on x86 and x86-64), then the first session could be resumed, and
the `memcpy` won't cause the segmentation fault, but will overwrite internal
structures of the server.

We did not investigate this scenario any further.


Further Details
--------------------

The vulnerability was detected using the Memcheck verification tool of
the Primus Microexecution Framework (a part of the CMU Binary Analysis
Framework [2]). We ran it on a vanilla `pppd` binary as shipped in
Ubuntu Xenial. All source code references are made against the patched source
obtained with `apt-source`. Primus runs a program in an emulated
environment. A reduced trace showing the problem is attached (in IDA Pro
format and in plain text).
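The report above describes a fragment parser that reads the flags byte and the 4-byte TLS Message Length before confirming those bytes exist, so `len` goes negative and the `len + datalen > tlslen` check no longer protects the copy. The following is an added example written for this page, not pppd's eap-tls.c and not the Debian or upstream patch: a constructed model of that control flow beside a hardened version that checks `len` before every read and bounds the announced length. The struct layout, function names, buffer size and the handling of an unfragmented message without the L flag are assumptions chosen to mirror the prose.

```c
/* Added example: a constructed model of the EAP-TLS fragment handling the
 * report describes. NOT pppd's eap-tls.c; names and sizes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAPTLS_FLAG_L 0x80   /* Length Included (RFC 5216, section 3.1) */
#define EAPTLS_FLAG_M 0x40   /* More Fragments */
#define TLS_BUF_MAX   4096   /* assumed reassembly buffer size */

typedef struct {
    uint8_t data[TLS_BUF_MAX]; /* reassembly buffer */
    int datalen;               /* bytes accumulated so far */
    int tlslen;                /* total length announced by the L-flagged fragment */
} eaptls_session_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable model: the control flow the report describes. Reads flags and
 * the 4-byte TLS Message Length without checking `len`, decrementing `len`
 * for each read. Returns 1 and stores the would-be memcpy length in
 * *copy_len when the bounds check passes, 0 when it rejects. The copy itself
 * is deliberately not performed so a negative length can be observed safely. */
int eaptls_receive_vuln(eaptls_session_t *ets, const uint8_t *inp, int len,
                        int *copy_len)
{
    uint8_t flags = *inp++;              /* no check: len may already be 0 */
    len--;
    if (flags & EAPTLS_FLAG_L) {
        ets->tlslen = (int)be32(inp);    /* no check: may read past the packet */
        inp += 4;
        len -= 4;                        /* short packet: len is now in -5..-1 */
    }
    /* the report's check, !(len + datalen > tlslen), passes for negative len */
    if (len + ets->datalen > ets->tlslen)
        return 0;
    *copy_len = len;  /* real code: BCOPY(inp, ets->data + ets->datalen, len) */
    return 1;
}

/* Hardened model: every read is preceded by a check that the bytes exist,
 * the announced total is bounded, and the copy size can never be negative.
 * Returns bytes accumulated so far, or -1 if the fragment is malformed. */
int eaptls_receive_fixed(eaptls_session_t *ets, const uint8_t *inp, int len)
{
    if (len < 1)
        return -1;                        /* flags byte must be present */
    uint8_t flags = *inp++;
    len--;
    if (flags & EAPTLS_FLAG_L) {
        if (len < 4)
            return -1;                    /* TLS Message Length must be present */
        uint32_t announced = be32(inp);
        if (announced > TLS_BUF_MAX)
            return -1;                    /* would not fit the reassembly buffer */
        ets->tlslen = (int)announced;
        inp += 4;
        len -= 4;
    } else if (ets->datalen == 0 && ets->tlslen == 0) {
        ets->tlslen = len;                /* assumed: unfragmented message, no L bit */
    }
    /* len >= 0 here; the fragment must fit inside the announced total */
    if (ets->datalen < 0 || ets->datalen > ets->tlslen ||
        len > ets->tlslen - ets->datalen)
        return -1;
    memcpy(ets->data + ets->datalen, inp, (size_t)len);
    ets->datalen += len;
    return ets->datalen;
}

int main(void)
{
    /* Constructed packets. Only `len` bytes are logically present; the zero
     * padding keeps the vulnerable model's reads inside an allocation so the
     * demonstration does not itself fault. */
    uint8_t short_pkt[8] = { EAPTLS_FLAG_L };
    uint8_t frag1[] = { EAPTLS_FLAG_L | EAPTLS_FLAG_M, 0, 0, 0, 6, 'a', 'b', 'c' };
    uint8_t frag2[] = { 0x00, 'd', 'e', 'f' };
    uint8_t extra[] = { 0x00, 'x' };
    eaptls_session_t s;
    int n = 0;

    memset(&s, 0, sizeof s);
    if (eaptls_receive_vuln(&s, short_pkt, 1, &n))
        printf("vulnerable model would memcpy %d bytes\n", n);
    memset(&s, 0, sizeof s);
    printf("fixed, short packet: %d\n", eaptls_receive_fixed(&s, short_pkt, 1));
    printf("fixed, fragment 1:   %d\n", eaptls_receive_fixed(&s, frag1, (int)sizeof frag1));
    printf("fixed, fragment 2:   %d\n", eaptls_receive_fixed(&s, frag2, (int)sizeof frag2));
    printf("fixed, overrun:      %d\n", eaptls_receive_fixed(&s, extra, (int)sizeof extra));
    return 0;
}
```

The vulnerable model shows the exact mechanism the report names: a one-byte packet with the L bit set leaves `len` at -4, the signed comparison against `tlslen` passes, and that negative value is what reaches the copy. The hardened model keeps `len` non-negative by construction, so the later comparison only has to enforce the announced total.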
Comment 2 Larry the Git Cow gentoo-dev 2018-06-11 21:18:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1fcf255e57f136a173040ef65caa2bdc4f12ef4d

commit 1fcf255e57f136a173040ef65caa2bdc4f12ef4d
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-06-11 21:16:58 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-06-11 21:18:02 +0000

    net-dialup/ppp: Security revbump fixing pppd EAP-TLS buffer overflow
    
    (CVE-2018-11574)
    
    Bug: https://bugs.gentoo.org/657656
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 net-dialup/ppp/Manifest            |   1 +
 net-dialup/ppp/ppp-2.4.7-r6.ebuild | 222 +++++++++++++++++++++++++++++++++++++
 2 files changed, 223 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2018-06-12 08:44:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb894356b93deb5642a4edbd8bce1cb59dbd1049

commit cb894356b93deb5642a4edbd8bce1cb59dbd1049
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-12 08:43:32 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-12 08:43:32 +0000

    net-dialup/ppp: stable 2.4.7-r6 for ia64, bug #657656
    
    Bug: https://bugs.gentoo.org/657656
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 net-dialup/ppp/ppp-2.4.7-r6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-06-12 11:38:26 UTC
x86 stable
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-06-12 15:56:43 UTC
amd64 stable
Comment 6 Larry the Git Cow gentoo-dev 2018-06-12 20:48:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=600924174fd81de3783e7f1d95c8cdba49df0366

commit 600924174fd81de3783e7f1d95c8cdba49df0366
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-12 18:48:38 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-12 20:47:54 +0000

    net-dialup/ppp: stable 2.4.7-r6 for sparc
    
    Bug: https://bugs.gentoo.org/657656
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 net-dialup/ppp/ppp-2.4.7-r6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Sergei Trofimovich gentoo-dev 2018-06-23 10:16:54 UTC
commit 6616b3d83c3681c823ce6b17ec826f6d67ae039a
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Fri Jun 22 13:13:56 2018 +0200

    net-dialup/ppp: Stable for HPPA too.
Comment 8 Larry the Git Cow gentoo-dev 2018-06-24 19:36:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccd7fc02af0067acfa9141f3097a323e93c36c1b

commit ccd7fc02af0067acfa9141f3097a323e93c36c1b
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:47:54 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:52 +0000

    net-dialup/ppp: stable 2.4.7-r6 for ppc, bug #657656
    
    Bug: https://bugs.gentoo.org/657656
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 net-dialup/ppp/ppp-2.4.7-r6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 9 Larry the Git Cow gentoo-dev 2018-06-24 20:21:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5c7c99b29cf8273f2cbaec8573e1b4c009be751

commit f5c7c99b29cf8273f2cbaec8573e1b4c009be751
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 19:56:40 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:20:45 +0000

    net-dialup/ppp: stable 2.4.7-r6 for ppc64, bug #657656
    
    Bug: https://bugs.gentoo.org/657656
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 net-dialup/ppp/ppp-2.4.7-r6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 10 Tobias Klausmann gentoo-dev 2018-06-26 14:04:15 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2018-07-07 10:45:17 UTC
arm stable, all arches done.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-07-08 01:25:07 UTC
@maintainer, please clean vulnerable.