Message-ID: <20050111114550.GB23077@cecilija.zesoi.fer.hr>
Date: Tue, 11 Jan 2005 12:45:50 +0100
From: LSS Security <exposed@....hr>
To: bugtraq@...urityfocus.com
Subject: Apache mod_auth_radius remote integer overflow



			LSS Security Advisory #LSS-2005-01-02
			       http://security.lss.hr

---

Title			:  Apache mod_auth_radius remote integer overflow
Advisory ID		:  LSS-2005-01-02
Date			:  2005-01-10
Advisory URL		:  http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02
Impact			:  Denial of service attack
Risk level		:  Low 
Vulnerability type	:  Remote
Vendors contacted	:  10.12.2004


---




===[ Overview 

Mod_auth_radius is a RADIUS authentication module for Apache. It allows
any Apache web server to act as a RADIUS client for authentication,
authorization and accounting requests. A separate RADIUS server must
still be supplied to perform the actual authentication.
Mod_auth_radius can be downloaded from http://www.freeradius.org/mod_auth_radius/.



===[ Vulnerability

When mod_auth_radius authenticates a user against a remote RADIUS server,
it sends a RADIUS packet with code RADIUS_ACCESS_REQUEST. The server may
answer with a RADIUS packet with code RADIUS_ACCESS_CHALLENGE.
When mod_auth_radius receives a RADIUS_ACCESS_CHALLENGE that carries an
attribute of type RADIUS_STATE together with another attribute of type
RADIUS_REPLY_MESSAGE in the same packet, the server's reply is copied into
a local buffer with the radcpy() macro. The number of bytes copied is taken
directly from the 'length' field of the attribute received from the RADIUS
server, without validation.

mod_auth_radius.c:
...
#define radcpy(STRING, ATTR) {memcpy(STRING, ATTR->data, ATTR->length - 2);\
                              (STRING)[ATTR->length - 2] = 0;}
...

Before the data is copied with memcpy(), two is subtracted from the
attribute length to skip the two-byte attribute header. The length field
is a single unsigned byte, so the subtraction is performed in int: an
attribute length of 1 yields -1, which memcpy() receives as a size_t of
SIZE_MAX (a length of 0 wraps in the same way). memcpy() then runs off the
end of the buffers and the Apache child segfaults. Neither a check that the
length is at least 2 nor a check that the attribute fits inside the packet
is performed.
If an attacker can sniff the RADIUS request packets (a vulnerability in
itself; the sniffed request supplies the Identifier that the reply has to
match), he can spoof RADIUS server replies carrying an attribute with
length 1 that will segfault mod_auth_radius.
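As an added illustration (example code written for this page, not code from the advisory or from mod_auth_radius), the following C shows the size that the radcpy() macro's `ATTR->length - 2` hands to memcpy() for an attribute length of 1, next to a hardened attribute walker that rejects such a reply before any copy happens. The attr_t layout, the helper names and the two Access-Challenge packets (with zeroed authenticators) are constructed for this example; only the code and attribute numbers come from RFC 2865.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Codes and attribute types from RFC 2865. */
#define RADIUS_ACCESS_CHALLENGE 11
#define RADIUS_REPLY_MESSAGE    18
#define RADIUS_STATE            24
#define RADIUS_HDR_LEN          20   /* code, id, length(2), authenticator(16) */

/* Attribute view assumed for this example: one-byte type, one-byte length
 * that counts the two header bytes as well, then the value. */
typedef struct {
    uint8_t attribute;
    uint8_t length;
    const uint8_t *data;
} attr_t;

/* The size the advisory's radcpy() macro passes to memcpy(): ATTR->length
 * is promoted to int before the subtraction, so 1 - 2 == -1, and -1 becomes
 * SIZE_MAX when converted to memcpy()'s size_t parameter. */
size_t radcpy_size_unsafe(uint8_t length)
{
    return (size_t)(length - 2);
}

/* Hardened replacement for radcpy(): refuses lengths below the two-byte
 * header, attributes that overrun the packet, and values that do not fit in
 * dst with a terminating NUL. Returns value bytes copied, or -1 if rejected. */
int radcpy_safe(char *dst, size_t dstlen, const attr_t *a, size_t remaining)
{
    if (a->length < 2)         return -1;   /* would wrap in the original */
    if (a->length > remaining) return -1;   /* runs past the end of the packet */
    size_t n = (size_t)a->length - 2;
    if (n >= dstlen)           return -1;   /* no room for the NUL */
    memcpy(dst, a->data, n);
    dst[n] = '\0';
    return (int)n;
}

/* Walk an Access-Challenge and copy its Reply-Message into out, but only
 * when a State attribute is present too (the condition the advisory gives).
 * Returns bytes copied, or -1 for a malformed or unexpected packet. */
int extract_reply_message(const uint8_t *pkt, size_t pktlen,
                          char *out, size_t outlen)
{
    if (pktlen < RADIUS_HDR_LEN || pkt[0] != RADIUS_ACCESS_CHALLENGE) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pktlen) return -1;

    int have_state = 0, copied = -1;
    size_t off = RADIUS_HDR_LEN;
    while (off < declared) {
        if (declared - off < 2) return -1;   /* truncated attribute header */
        attr_t a = { pkt[off], pkt[off + 1], pkt + off + 2 };
        if (a.length < 2 || a.length > declared - off) return -1;
        if (a.attribute == RADIUS_STATE) have_state = 1;
        if (a.attribute == RADIUS_REPLY_MESSAGE) {
            copied = radcpy_safe(out, outlen, &a, declared - off);
            if (copied < 0) return -1;
        }
        off += a.length;
    }
    return have_state ? copied : -1;
}

/* Constructed packets for this example (zero authenticators, not captured traffic). */
static const uint8_t challenge_ok[] = {
    RADIUS_ACCESS_CHALLENGE, 0x01, 0x00, 0x1c,        /* length 28 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    RADIUS_STATE,         4, 'S', '1',                /* State, two value bytes */
    RADIUS_REPLY_MESSAGE, 4, 'h', 'i'                 /* Reply-Message "hi" */
};
static const uint8_t challenge_bad[] = {
    RADIUS_ACCESS_CHALLENGE, 0x02, 0x00, 0x1a,        /* length 26 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    RADIUS_STATE,         4, 'S', '1',
    RADIUS_REPLY_MESSAGE, 1                           /* length 1: wraps in radcpy() */
};

int main(void)
{
    char msg[64];
    printf("radcpy() size for length 1: %zu\n", radcpy_size_unsafe(1));
    printf("good challenge -> %d (\"%s\")\n",
           extract_reply_message(challenge_ok, sizeof challenge_ok, msg, sizeof msg), msg);
    printf("bad challenge  -> %d\n",
           extract_reply_message(challenge_bad, sizeof challenge_bad, msg, sizeof msg));
    return 0;
}
```

The walker validates the attribute length against both the two-byte header and the remaining packet bytes before it is ever used as a copy size, which is the check the original macro lacks; the same pattern applies to every other attribute mod_auth_radius copies with radcpy().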



===[ Affected versions

All mod_auth_radius versions. Tested on 1.5.4 (1.5.7). 



===[ Fix

Not available yet.



===[ PoC Exploit

Proof of concept code can be downloaded at http://security.lss.hr/en/PoC



===[ Credits

Credits for this vulnerability go to Leon Juranic.



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : http://security.lss.hr
 E-mail : security@....hr
 Tel	: +385 1 6129 775
  




