
Commit ea734bc

validate pptp magic cookie in responses (#650)
1 parent 2abb776 commit ea734bc


1 file changed

+20
-7
lines changed


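--- a/modules/pptp/scanner.go
+++ b/modules/pptp/scanner.go
@@ -115,7 +115,7 @@ func (scanner *Scanner) GetTrigger() string {
 
 // PPTP Start-Control-Connection-Request message constants
 const (
-	PPTP_MAGIC_COOKIE = 0x1A2B3C4D
+	PPTP_MAGIC_COOKIE = 0x1A2B3C4D // PPTP Magic Cookie in bytes, see RFC 2637 section 1.4
 	PPTP_CONTROL_MESSAGE = 1
 	PPTP_START_CONN_REQUEST = 1
 	PPTP_PROTOCOL_VERSION = 0x0100 // Split into two 16-bit values for binary.BigEndian.PutUint16
@@ -147,16 +147,25 @@ func createSCCRMessage() []byte {
 }
 
 // Read response from the PPTP server
-func (pptp *Connection) readResponse() (string, error) {
+func (pptp *Connection) readResponse() (string, []byte, error) {
 	buffer := make([]byte, 1024)
 	if err := pptp.conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
-		return "", fmt.Errorf("could not set read deadline: %w", err)
+		return "", nil, fmt.Errorf("could not set read deadline: %w", err)
 	}
 	n, err := pptp.conn.Read(buffer)
 	if err != nil {
-		return "", err
+		return "", nil, fmt.Errorf("could not read response: %w", err)
 	}
-	return string(buffer[:n]), nil
+	return string(buffer[:n]), buffer[:n], nil
+}
+
+// Validate that the response contains the correct PPTP magic cookie
+func validateMagicCookie(response []byte) bool {
+	if len(response) < 8 {
+		return false
+	}
+	receivedMagicCookie := binary.BigEndian.Uint32(response[4:8])
+	return receivedMagicCookie == PPTP_MAGIC_COOKIE
 }
 
 // Scan performs the configured scan on the PPTP server
@@ -180,14 +189,18 @@ func (scanner *Scanner) Scan(ctx context.Context, dialGroup *zgrab2.DialerGroup,
 	}
 
 	// Read the response
-	response, err := pptp.readResponse()
+	respStr, respBytes, err := pptp.readResponse()
 	if err != nil {
 		return zgrab2.TryGetScanStatus(err), &pptp.results, fmt.Errorf("error reading PPTP response from target %s: %w", target.String(), err)
 	}
 
 	// Store the banner and control message
 	pptp.results.Banner = string(request)
-	pptp.results.ControlMessage = response
+	pptp.results.ControlMessage = respStr
+
+	if !validateMagicCookie(respBytes) {
+		return zgrab2.SCAN_PROTOCOL_ERROR, &pptp.results, fmt.Errorf("invalid PPTP magic cookie in response from target %s", target.String())
+	}
 
 	return zgrab2.SCAN_SUCCESS, &pptp.results, nil
 }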
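Review bot: validateMagicCookie still accepts any service that echoes the request back, because the SCCR the scanner sends carries the same PPTP_MAGIC_COOKIE at the same offset (assuming createSCCRMessage, outside this hunk, writes that constant), so an echo-style listener would be reported as SCAN_SUCCESS. Checking the control message type that follows the cookie would close that gap: a Start-Control-Connection-Reply carries type 2 rather than the request's PPTP_START_CONN_REQUEST value, so `if len(response) < 10 { return false }` and `return binary.BigEndian.Uint32(response[4:8]) == PPTP_MAGIC_COOKIE && binary.BigEndian.Uint16(response[8:10]) == 2` (with a named constant for 2 alongside the existing ones). Separately, readResponse relies on a single conn.Read, which on a TCP stream may legitimately return fewer than 8 bytes and then be misreported as an invalid cookie; `io.ReadAtLeast(pptp.conn, buffer, 8)` under the same deadline would distinguish a short read from a wrong header. Scan's body begins before this hunk.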
