Vulnerabilities > CVE-2002-0873 - Remote Security vulnerability in l2tpd
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Vulnerability in l2tpd 0.67 allows remote attackers to overwrite the vendor field via a long value in an attribute/value pair, possibly via a buffer overflow.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 6 |
Nessus
NASL family Gain a shell remotely NASL id L2TPD_OVERFLOW.NASL description The remote host is running a version of l2tpd prior to 0.67. This version is vulnerable to a buffer overflow that could allow an attacker to gain a root shell on this host. In addition, this program does not initialize its random number generator. Therefore, an attacker may predict some key values and hijack L2TP sessions established to this host. last seen 2020-06-01 modified 2020-06-02 plugin id 11388 published 2003-03-14 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11388 title l2tpd < 0.68 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(11388); script_version ("1.20"); script_cve_id("CVE-2002-0872", "CVE-2002-0873"); script_bugtraq_id(5451); script_xref(name:"DSA", value:"152"); script_name(english:"l2tpd < 0.68 Multiple Vulnerabilities"); script_set_attribute(attribute:"synopsis", value: "The remote host is running a network tunneling application that is affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "The remote host is running a version of l2tpd prior to 0.67. This version is vulnerable to a buffer overflow that could allow an attacker to gain a root shell on this host. In addition, this program does not initialize its random number generator. Therefore, an attacker may predict some key values and hijack L2TP sessions established to this host." ); script_set_attribute(attribute:"solution", value: "Upgrade to l2tpd 0.68 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/14"); script_set_attribute(attribute:"vuln_publication_date", value: "2004/04/09"); script_cvs_date("Date: 2018/07/12 19:01:15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Determines the version of the remote l2tpd"); script_category(ACT_GATHER_INFO); script_family(english:"Gain a shell remotely"); script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."); script_dependencie("l2tp_detection.nasl"); script_require_ports("Services/udp/l2tp"); exit(0); } if ( ! get_kb_item("Services/udp/l2tp") ) exit(0); port = 1701; if (! get_udp_port_state(port)) exit(0, "UDP port "+port+" is not open."); function find_firmware(rep) { local_var firmware, i, len; for(i=12;i<strlen(rep);i++) { len = ord(rep[i]) * 256 + ord(rep[i+1]); if(ord(rep[i]) & 0x80)len -= 0x80 * 256; if(ord(rep[i+5]) == 6) { firmware = ord(rep[i+6]) * 256 + ord(rep[i+7]); return firmware; } else i += len - 1; } return NULL; } req = raw_string(0xC8, 2, 0, 20, 0, 0, 0, 0,0,0,0,0,0,8, 0,0,0,0,0,0); soc = open_sock_udp(port); send(socket:soc, data:req); r = recv(socket:soc, length:1024); if(!r)exit(0); close(soc); if(("l2tpd" >< r) || ("Adtran" >< r)) { firmware = find_firmware(rep:r); hi = firmware / 256; lo = firmware % 256; if((hi == 0x06) && (lo <= 0x70))security_hole(port:port, proto:"udp"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-152.NASL description Current versions of l2tpd, a layer 2 tunneling client/server program, forgot to initialize the random generator which made it vulnerable since all generated random number were 100% guessable. When dealing with the size of the value in an attribute value pair, too many bytes were able to be copied, which could lead into the vendor field being overwritten. These problems have been fixed in version 0.67-1.1 for the current stable distribution (woody) and in version 0.68-1 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn last seen 2020-06-01 modified 2020-06-02 plugin id 14989 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14989 title Debian DSA-152-1 : l2tpd - missing random seed