Bugtraq mailing list archives
Buffer Overflow in version .14
From: jschachter () PSNW COM (Jesse Schachter)
Date: Mon, 24 Apr 2000 00:43:57 -0700
IC Radius version .14, and possibly earlier versions, contain a buffer overflow that occurs when trying to authenticate with a valid username longer than 24 characters.

The culprit is in mysql.c, in the function sql_getvpdata. This function is normally run 4 times during authentication. The second time it is run, in the PW_VP_GROUPDATA section, several sprintf() calls are used to build the group query. The string which it all ends up in, querystr, is statically allocated 256 bytes. Under normal circumstances, this is OK, but the variable is right at its limits using the default setup. It might be different depending on how you have your table names and group names set up. However, it doesn't take much to overflow it. On my system, once it started to overflow, it began to overwrite the username pointer. Results may vary.

To fix it, I just increased the size allocated to querystr to 512 bytes. However, in future versions of the code, it'd be cool to have some bounds checking, and more use of snprintf so the server doesn't segfault.

_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,
Jesse Schachter                .,.  Systems Administrator
The Protosource Network        .,.  Main Number: (888) 643-8558
<JSchachter () PSNW COM>       .,.  Fax: (559) 490-8630
_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,
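The pattern the post describes, shown as an added example that is not IC Radius' own mysql.c: an unbounded sprintf() into a fixed 256-byte querystr beside the bounds-checked snprintf() form the poster asks for. The table names (usergroup, groupreply), column names and the query layout are assumptions made for illustration; the real sql_getvpdata query is not on this page and the original was lost.

```c
/* Added example (not IC Radius code): the unbounded-sprintf pattern the
 * post describes, beside a bounds-checked replacement. Table names, column
 * names and the query shape are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define QUERYSTR_LEN 256          /* the post's original static size */

/* Query layout assumed here (hypothetical, not the project's real SQL).
 * Escaping/parameterizing the username is a separate concern not covered
 * by this example, which is only about buffer bounds. */
#define GROUP_QUERY_FMT \
    "SELECT %s.GroupName, %s.Attribute, %s.Value FROM %s, %s " \
    "WHERE %s.UserName = '%s' AND %s.GroupName = %s.GroupName"

/* Vulnerable shape, as the post describes it: sprintf() writes however many
 * bytes the arguments need into a fixed 256-byte array, so a long username
 * runs past the end of querystr into whatever follows it on the stack (the
 * poster saw the username pointer being overwritten). Shown for comparison
 * only; nothing in this file calls it. */
void build_group_query_unsafe(char querystr[QUERYSTR_LEN],
                              const char *usergroup, const char *groupreply,
                              const char *username)
{
    sprintf(querystr, GROUP_QUERY_FMT,
            usergroup, groupreply, groupreply, usergroup, groupreply,
            usergroup, username, usergroup, groupreply);
}

/* Bounds-checked replacement. snprintf() never writes more than querystr_len
 * bytes, and its return value is the length the full query would have had,
 * so a return >= querystr_len means it did not fit. A silently truncated
 * query is not a safe thing to send to the database either, so the caller
 * gets an error and an empty buffer instead of a partial string.
 * Returns 0 on success, -1 if the query does not fit. */
int build_group_query(char *querystr, size_t querystr_len,
                      const char *usergroup, const char *groupreply,
                      const char *username)
{
    int n;

    if (querystr_len == 0)
        return -1;

    n = snprintf(querystr, querystr_len, GROUP_QUERY_FMT,
                 usergroup, groupreply, groupreply, usergroup, groupreply,
                 usergroup, username, usergroup, groupreply);

    if (n < 0 || (size_t)n >= querystr_len) {
        querystr[0] = '\0';   /* refuse the request rather than run garbage */
        return -1;
    }
    return 0;
}

/* Stand-alone demonstration: a short name fits, an overlong one is refused. */
int main(void)
{
    char querystr[QUERYSTR_LEN];
    char longname[200];                     /* constructed 199-char username */

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short username: %d\n",
           build_group_query(querystr, sizeof querystr,
                             "usergroup", "groupreply", "bob"));
    printf("long username:  %d\n",
           build_group_query(querystr, sizeof querystr,
                             "usergroup", "groupreply", longname));
    return 0;
}
```

The point of checking snprintf()'s return value rather than just swapping sprintf() for snprintf() is that truncation turns an overflow into a malformed query; rejecting the authentication attempt when the query does not fit keeps both the memory and the SQL well-formed, whatever size querystr is later given.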