lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 3 Jan 2007 15:34:48 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: sapheal@...k.pl
Cc: bugtraq@...urityfocus.com
Subject: Re: FreeRadius 1.1.3  SMB_Handle_Type SMB_Connect_Server arbitrary code execution

Dear sapheal@...k.pl,

 Please  correct  me,  if  I  wrong,  but  as far as I can see, 'server'
 parameter  is  taken  from  module  configuration.

static CONF_PARSER module_config[] = {
  { "server",  PW_TYPE_STRING_PTR, offsetof(rlm_smb_t,server), NULL,  NULL},
  { "backup",  PW_TYPE_STRING_PTR, offsetof(rlm_smb_t,backup), NULL,  NULL},
  { "domain",  PW_TYPE_STRING_PTR, offsetof(rlm_smb_t,domain), NULL,  NULL},

  { NULL, -1, 0, NULL, NULL }           /* end the list */
};

...

        rcode = Valid_User(request->username->strvalue,
                           request->password->strvalue,
                           data->server, data->backup, data->domain);


 That  is,  in  order  to  "exploit" this vulnerability you must control
 FreeRADIUS  configuration  file.  If you can control configuration file
 you  can  execute code in multiple ways, e.g. by specifying application
 to  be  executed on every request. That is, there is no security impact
 here.

--Tuesday, January 2, 2007, 3:10:50 PM, you wrote to bugtraq@...urityfocus.com:

shp> Synopsis:  
shp> FreeRadius 1.1.3  SMB_Handle_Type SMB_Connect_Server arbitrary code execution

shp> Product:   FreeRadius
shp> Version:   <=1.1.3



shp> Issue:
shp> ======

shp> A critical security vulnerability has been found in FreeRadius 1.1.3.
shp> Arbitrary code execution is possible due to improper bounds-checking.


shp> Details:
shp> ========
shp> Function of the prototype:

shp> SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle,
shp> 				   char *server, char *NTdomain)

shp> when initializing (con->desthost) where con is SMB_Handle_Type class
shp> object does not check for bounds. 




shp> Affected Versions
shp> =================

shp> FreeRadius <=1.1.3



shp> Kind regards,

shp> Michal Bucko (sapheal)
shp> hack.pl





-- 
~/ZARAZA
Ďîęŕ âű âî âëŕńňč ďđîâčäĺíč˙, âŕě íĺ óäŕńňń˙ óěĺđĺňü đŕíüřĺ ńđîęŕ. (Ňâĺí)

Powered by blists - more mailing lists