Bugtraq mailing list archives
Re: FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 3 Jan 2007 15:34:48 +0300
Dear sapheal () hack pl,

Please correct me if I am wrong, but as far as I can see, the 'server'
parameter is taken from the module configuration.

    static CONF_PARSER module_config[] = {
      { "server", PW_TYPE_STRING_PTR, offsetof(rlm_smb_t,server), NULL, NULL},
      { "backup", PW_TYPE_STRING_PTR, offsetof(rlm_smb_t,backup), NULL, NULL},
      { "domain", PW_TYPE_STRING_PTR, offsetof(rlm_smb_t,domain), NULL, NULL},
      { NULL, -1, 0, NULL, NULL } /* end the list */
    };

    ...

    rcode = Valid_User(request->username->strvalue,
                       request->password->strvalue,
                       data->server, data->backup, data->domain);

That is, in order to "exploit" this vulnerability you must control the
FreeRADIUS configuration file. If you can control the configuration file you
can execute code in multiple ways, e.g. by specifying an application to be
executed on every request.

That is, there is no security impact here.

--Tuesday, January 2, 2007, 3:10:50 PM, you wrote to bugtraq () securityfocus com:

shp> Synopsis:
shp> FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution
shp> Product: FreeRadius
shp> Version: <=1.1.3
shp> Issue:
shp> ======
shp> A critical security vulnerability has been found in FreeRadius 1.1.3.
shp> Arbitrary code execution is possible due to improper bounds-checking.
shp> Details:
shp> ========
shp> Function of the prototype:
shp> SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle,
shp> char *server, char *NTdomain)
shp> when initializing (con->desthost) where con is SMB_Handle_Type class
shp> object does not check for bounds.
shp> Affected Versions
shp> =================
shp> FreeRadius <=1.1.3
shp> Kind regards,
shp> Michal Bucko (sapheal)
shp> hack.pl

--
~/ZARAZA
As long as you are in the hands of providence, you will not manage to die before your time. (Twain)
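The bounds check that the report says is missing, together with a start-up check on the three configured strings, as an added example (not FreeRADIUS code and not from either poster). The struct names, function names and the 80-byte buffer size are assumptions made for illustration, as is treating "server" as mandatory and "backup"/"domain" as optional.

```c
#include <string.h>

#define DESTHOST_MAX 80   /* assumed size; the page does not give the real one */

struct smb_con  { char desthost[DESTHOST_MAX]; };           /* hypothetical */
struct smb_conf { const char *server, *backup, *domain; };  /* hypothetical */

/* Copy src into a fixed-size field. Fails without writing anything when src
 * (plus its NUL) does not fit, so there is no overflow and no truncation. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *end;
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    end = memchr(src, '\0', dstsz);   /* scans at most dstsz bytes of src */
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Bounded replacement for an unchecked initialisation of con->desthost. */
int smb_set_desthost(struct smb_con *con, const char *server)
{
    return con ? copy_bounded(con->desthost, sizeof con->desthost, server) : -1;
}

/* Start-up check: 0 if every configured name fits, else the 1-based index of
 * the first bad field. Assumes server is mandatory, backup/domain optional. */
int smb_conf_check(const struct smb_conf *c)
{
    char scratch[DESTHOST_MAX];
    const char *f[3];
    int i;
    if (c == NULL || c->server == NULL)
        return 1;
    f[0] = c->server; f[1] = c->backup; f[2] = c->domain;
    for (i = 0; i < 3; i++)
        if (f[i] != NULL && copy_bounded(scratch, sizeof scratch, f[i]) != 0)
            return i + 1;
    return 0;
}

int main(void)
{
    struct smb_conf conf = { "dc1.example.test", NULL, "EXAMPLE" }; /* constructed */
    struct smb_con con;
    return smb_conf_check(&conf) || smb_set_desthost(&con, conf.server);
}
```

Running the check when the module is instantiated turns an over-long configured name into a configuration error at start-up instead of memory corruption at request time.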
Current thread:
- FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution sapheal (Jan 02)
- Re: FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution 3APA3A (Jan 03)