CVE-2020-8597
How to send PPP/EAP packet in ppp0
Hello, I'm interested in this bug, and I think I understand the vulnerable point from the patch. However, I'm not clear on how to implement it in the PPP protocol. There is not much information about PPP. I have made an experiment on 2 Ubuntu machines.
- sudo pppd 10.1.1.1:10.1.1.2 nodetach pty "nc -l 3333"
  Using interface ppp0
  Connect: ppp0 <---> /dev/pts/1
  Deflate (15) compression enabled
  local IP address 10.1.1.1
  remote IP address 10.1.1.2
- sudo pppd nodetach pty "nc 192.168.1.8 3333"
  Using interface ppp0
  Connect: ppp0 <--> /dev/pts/2
  Deflate (15) compression enabled
  local IP address 10.1.1.2
  remote IP address 10.1.1.1
It seems that the PPP link is established, and I can see the ppp0 interface on both machines. But I don't know how to send packets with the PPP protocol; I've tried two ways:
- Raw packet socket:
  import socket
  sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
  sock.bind(("eth0", 0))  # also tried sock.bind(("ppp0", 0))
  sock.send(pkt)          # pkt: the raw frame bytes
- Scapy:
  from scapy.all import *
  sendp(Ether(src=src, dst=dst)/PPP()/raw)  # src, dst: MAC addresses; raw: the payload
I send the packet on one machine, but cannot see anything on the other with "tcpdump -i ppp0".
Please help me, thank you!
You need to set up a pppoe-server, and dial up this server via pppoe on another machine. At this point, you can capture the relevant traffic through Wireshark. For example, I get traffic on two virtual machines and then on ens33.
PPP is used in serial connections (modems, maybe also mobiles), and also in PPPoE (PPP over Ethernet - DSL). You can simulate both; I tried PPPoE like @WinMin. Good luck!
Serial variant: https://gist.github.com/nstarke/551433bcc72ff95588e168a0bb666124
@marcinguy thanks for linking my gist here!
I took the approach of modifying the pppd binary to reproduce the crash, but given there are really no preconditions on LCP handshake state to cause the crash, you could craft a packet using scapy and then send it over the ppp0 interface using something like pyserial. Or, if you already have the ppp0 interface up, you could use scapy like this:
sendp(pkt, iface='ppp0')
PoC: https://github.com/WinMin/CVE-2020-8597/blob/master/PoC.py