A 27-Year-Old Authentication Bypass in OpenBSD's PPP Stack

Submitted ⁨⁨1⁩ ⁨week⁩ ago⁩ by ⁨CiotBSD@billboard.bsd.cafe⁩ to ⁨openbsd@billboard.bsd.cafe⁩

https://billboard.bsd.cafe/topic/254/a-27-year-old-authentication-bypass-in-openbsd-s-ppp-stack

OpenBSD's sppp_pap_input function used attacker-controlled length fields as the bcmp comparison length for credential validation. Sending zero-length name and password fields caused bcmp to return 0 unconditionally, bypassing PAP authentication entirely. The vulnerability was introduced in 1999 and survived for 27 years before being fixed.

https://blog.argus-systems.ai/blog/openbsd-pap-27-year-auth-bypass.html

original

Comments

Sort:hotnew top

grahamperrin@billboard.bsd.cafe ⁨1⁩ ⁨week⁩ ago

… The code originated from FreeBSD, which itself derived it from Cronyx Engineering Ltd.'s implementation written by Serge Vakulenko in 1994-1996. …

I assume that FreeBSD is not affected.

original
- CiotBSD@billboard.bsd.cafe ⁨1⁩ ⁨week⁩ ago
  
  @grahamperrin said:
  
  … The code originated from FreeBSD, which itself derived it from Cronyx Engineering Ltd.'s implementation written by Serge Vakulenko in 1994-1996. …
  
  I assume that FreeBSD is not affected.
  
  Surely (!?)
  But I dont known! 😉
  
  original