lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 03 Sep 2008 17:04:16 +0200
From: Laurent Butti <laurent.butti@...nge-ftgroup.com>
To: bugtraq@...urityfocus.com
Subject: Cisco Secure ACS EAP Parsing Vulnerability

Title:
------
* Cisco Secure ACS does not correctly parse the length of EAP-Response
packets which allows remote attackers to cause a denial of service and
possibly execute arbitrary code

Summary:
--------
* A remote attacker (acting as a RADIUS client) could send a specially
crafted EAP Response packet against a Cisco Secure ACS server in such a
way as to cause the CSRadius service to crash (reliable). This bug may
be triggered if the length field of an EAP-Response packet has a certain
big value, greater than the real packet length. Any EAP-Response can
trigger this bug: EAP-Response/Identity, EAP-Response/MD5,
EAP-Response/TLS...

Affected Products:
------------------
* All versions of Cisco Secure ACS that support EAP, to be more precise,
check the Cisco Advisory cisco-sr-20080903-csacs

Assigned CVE:
-------------
* CVE-2008-2441

Details:
--------
* An EAP packet is as follows:

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |   Identifier  |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Identity...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

* For example, the following packet will trigger the vulnerability and
crash CSRadius.exe:

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       2       |       0       |            0xdddd             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       1       |     abcd
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Attack Impact:
--------------
* Denial-of-service and possibly remote arbitrary code execution

Attack Vector:
--------------
* Have access as a RADIUS client (knowing or guessing the RADIUS shared
secret) or from an unauthenticated wireless device if the access point
relays malformed EAP frames

Timeline:
---------
* 2008-05-05 - Vulnerability reported to Cisco
* 2008-05-05 - Cisco acknowledged the notification
* 2008-05-05 - PoC sent to Cisco
* 2008-05-13 - Cisco confirmed the issue
* 2008-09-03 - Coordinated public release of advisory

Credits:
--------
* This vulnerability was discovered by Gabriel Campana and Laurent Butti
from France Telecom / Orange

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ