Bugtraq mailing list archives
Re: Buffer Overflow in version .14
From: aland () FREERADIUS ORG (Alan DeKok)
Date: Tue, 25 Apr 2000 10:25:57 -0400
Jesse Schachter <jschachter () PSNW COM> wrote:
> IC Radius version .14, and possibly earlier versions, contain a buffer overflow that occurs when trying to authenticate with a valid username longer than 24 characters.
There is a similar set of bugs in the Livingston v1.16 server, and most of its descendants. It doesn't affect the user requests or packets, but instead the configuration files. (So it is not remotely exploitable.)

Any user who has write permission to the configuration files can trivially engineer a buffer overflow, to obtain the full privileges of the UID which the RADIUS server is running under, usually root. However, in a WELL CONFIGURED system, the user running the RADIUS server should be the only one who has write permission to the configuration files. So the only systems which are vulnerable are ones which are misconfigured to start with. The problem still exists, however, and any potential security hole should be closed.

An edited sample of the problem code follows:

    ...
    char secret[20];
    char hostnm[128];
    char buffer[256];
    ...
    fgets(buffer, sizeof(buffer), clientfd);
    ...
    sscanf(buffer, "%s%s", hostnm, secret);
    ...

The exploit can theoretically be used in almost any configuration file which is read by the server, as there is little or no bounds checking when reading from the files.

The Livingston v2.1 server is vulnerable, as is the derived Cistron RADIUS server, up to v1.6.0. Cistron RADIUS v1.6.1 and later are not vulnerable. It is believed that all RADIUS servers which are trivially derived from the Livingston 1.16 source are vulnerable. It is believed that most commercial RADIUS servers are not vulnerable to this bug, as their source did not originate with the Livingston 1.16 server.

There is no *known* exploit, however, and the vendors have not been notified, due to the fact that the vulnerability only exists in systems which have been misconfigured by the administrator.

Alan DeKok.
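A bounded replacement for the sscanf("%s%s") call in the snippet above, added here as an illustration and not code from the Livingston or Cistron servers. The buffer sizes and the names hostnm/secret come from the posted snippet; the function names and the sample lines are my own. It rejects a field that would not fit its buffer instead of silently truncating it, since a width specifier such as "%127s%19s" would leave the tail of an overlong hostname to be read as the secret.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes from the posted snippet. */
#define SECRET_LEN 20
#define HOSTNM_LEN 128

/* Copy one whitespace-delimited token from *p into dst (dst_sz bytes,
 * NUL-terminated) and advance *p past it. Returns 1 on success, 0 if
 * there is no token or it would not fit in dst. */
static int take_token(const char **p, char *dst, size_t dst_sz)
{
    const char *s = *p + strspn(*p, " \t\r\n");
    size_t n = strcspn(s, " \t\r\n");
    if (n == 0 || n >= dst_sz)
        return 0;            /* empty field, or one that would overflow dst */
    memcpy(dst, s, n);
    dst[n] = '\0';
    *p = s + n;
    return 1;
}

/* Bounded equivalent of sscanf(buffer, "%s%s", hostnm, secret).
 * Fills both outputs only if both fields are present and fit; otherwise
 * returns 0 and leaves both output buffers empty. */
int parse_client_line(const char *line, char *hostnm, size_t hostnm_sz,
                      char *secret, size_t secret_sz)
{
    const char *p = line;
    hostnm[0] = secret[0] = '\0';
    if (!take_token(&p, hostnm, hostnm_sz))
        return 0;
    if (!take_token(&p, secret, secret_sz)) {
        hostnm[0] = '\0';    /* do not hand back a half-parsed entry */
        return 0;
    }
    return 1;
}

int main(void)
{
    char hostnm[HOSTNM_LEN], secret[SECRET_LEN];
    /* Constructed sample lines, not taken from any real configuration. */
    const char *ok  = "nas1.example.org s3cret";
    const char *bad = "nas1.example.org this-secret-is-longer-than-19-bytes";
    printf("ok line:  %d\n", parse_client_line(ok, hostnm, sizeof hostnm, secret, sizeof secret));
    printf("bad line: %d\n", parse_client_line(bad, hostnm, sizeof hostnm, secret, sizeof secret));
    return 0;
}
```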