Bugtraq mailing list archives
Re: Buffer Overflow in version .14
From: aland () FREERADIUS ORG (Alan DeKok)
Date: Tue, 25 Apr 2000 10:25:57 -0400
Jesse Schachter <jschachter () PSNW COM> wrote:
> IC Radius version .14, and possibly earlier versions, contain a buffer overflow that occurs when trying to authenticate with a valid username longer than 24 characters.
There is a similar set of bugs in the Livingston v1.16 server, and
most of its descendants. It doesn't affect the user requests or
packets, but instead the configuration files. (So it is not remotely
exploitable.)
Any user who has write permission to the configuration files can
trivially engineer a buffer overflow, to obtain the full privileges
of the UID which the RADIUS server is running under, usually root.
However, in a WELL CONFIGURED system, the user running the RADIUS
server should be the only one who has write permission to the
configuration files. So the only systems which are vulnerable are
ones which are misconfigured to start with.
The problem still exists, however, and any potential security hole
should be closed.
An edited sample of the problem code follows:
...
char secret[20];      /* shared secret: at most 19 characters plus NUL */
char hostnm[128];     /* client host name: at most 127 characters plus NUL */
char buffer[256];     /* one line of the configuration file */
...
fgets(buffer, sizeof(buffer), clientfd);   /* bounded read of the line */
...
/* "%s" has no field width: a token longer than the destination array
 * is copied past its end, so a 255-byte line overruns secret[] or hostnm[] */
sscanf(buffer, "%s%s", hostnm, secret);
...
The exploit can theoretically be used in almost any configuration
file which is read by the server, as there is little or no bounds
checking when reading from the files.
The Livingston v2.1 server is vulnerable, as is the derived Cistron
RADIUS server, up to v1.6.0. Cistron RADIUS v1.6.1 and later are not
vulnerable. It is believed that all RADIUS servers which are
trivially derived from the Livingston 1.16 source are vulnerable. It
is believed that most commercial RADIUS servers are not vulnerable to
this bug, as their source did not originate with the Livingston 1.16
server.
There is no *known* exploit, however, and the vendors have not been
notified, due to the fact that the vulnerability only exists in
systems which have been misconfigured by the administrator.
Alan DeKok.
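The defect in the sample above is the unbounded "%s" conversion, not the fgets() call, which is already limited to sizeof(buffer). The following is an added example, not code from the post or from any of the RADIUS servers it names: it keeps the same array sizes (a 128-byte host name and a 20-byte secret) and parses one "<hostname> <secret>" line two ways. parse_client_line_scanf shows the minimal fix, the same sscanf call with maximum field widths, which stops the overflow but silently truncates an over-long token. parse_client_line is a stricter parser that rejects a missing field, a field that does not fit, or trailing data, so a bad configuration line is reported rather than half-loaded. All function and structure names are hypothetical; the sample lines in main() are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example; not code from the original post or from any RADIUS
 * server. Field sizes mirror the sample in the post: a 128-byte host
 * name and a 20-byte shared secret parsed from one configuration line. */
#define HOSTNM_LEN 128
#define SECRET_LEN 20

struct client_entry {
    char hostnm[HOSTNM_LEN];
    char secret[SECRET_LEN];
};

/* Minimal fix: the same sscanf call with maximum field widths.
 * "%127s" / "%19s" leave one byte for the terminating NUL, so a long
 * token can no longer run past the array. The cost is that an over-long
 * token is silently truncated rather than rejected. Returns 1 if both
 * fields were present, else 0. */
int parse_client_line_scanf(const char *line, struct client_entry *out)
{
    memset(out, 0, sizeof(*out));
    return sscanf(line, "%127s%19s", out->hostnm, out->secret) == 2;
}

/* Copy one whitespace-delimited token from *pp into dst (size dstsz).
 * Returns 1 on success and advances *pp past the token; returns 0 when
 * the token is empty or would not fit together with its NUL. */
static int copy_token(const char **pp, char *dst, size_t dstsz)
{
    const char *p = *pp + strspn(*pp, " \t");
    size_t n = strcspn(p, " \t\r\n");

    if (n == 0 || n >= dstsz)
        return 0;
    memcpy(dst, p, n);
    dst[n] = '\0';
    *pp = p + n;
    return 1;
}

/* Strict parse of "<hostname> <secret>": rejects a missing field, a
 * field that does not fit its array, and trailing data, instead of
 * truncating. Returns 1 if the line is accepted, 0 otherwise. */
int parse_client_line(const char *line, struct client_entry *out)
{
    const char *p = line;

    memset(out, 0, sizeof(*out));
    if (!copy_token(&p, out->hostnm, sizeof(out->hostnm)))
        return 0;
    if (!copy_token(&p, out->secret, sizeof(out->secret)))
        return 0;
    p += strspn(p, " \t\r\n");
    return *p == '\0';            /* anything left over is an error */
}

/* Helpers that report the outcome as a single value: -1 if the parser
 * rejected the line, otherwise the length of the parsed secret. */
int strict_secret_len(const char *line)
{
    struct client_entry e;
    return parse_client_line(line, &e) ? (int)strlen(e.secret) : -1;
}

int scanf_secret_len(const char *line)
{
    struct client_entry e;
    return parse_client_line_scanf(line, &e) ? (int)strlen(e.secret) : -1;
}

int main(void)
{
    /* Constructed sample lines; the second carries a 20-character
     * secret, which a char[20] cannot hold together with its NUL. */
    const char *lines[] = {
        "nas1.example.net s3cret\n",
        "nas2.example.net abcdefghijklmnopqrst\n",
    };
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        int strict = strict_secret_len(lines[i]);
        int lenient = scanf_secret_len(lines[i]);
        if (strict < 0)
            printf("line %zu: rejected by strict parser; width-limited sscanf "
                   "would have kept a %d-byte secret\n", i + 1, lenient);
        else
            printf("line %zu: accepted, secret length %d\n", i + 1, strict);
    }
    return 0;
}
```

The width-limited sscanf is the one-line change that closes the overflow; the strict parser is what a server should do with operator-supplied configuration, because a truncated shared secret would pass the load silently and then fail every authentication from that client.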