Open Source and information security mailing list archives
Message-ID: <20031121173012.GH12505@mail>
From: david at crlf.net (David Maxwell)
Subject: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability

Alan DeKok requested that I forward this reply to the full-disclosure list. He is not subscribed here. I've signed it, as his PGP key was not available.

David Maxwell

---------- Forwarded message ----------

(I've asked that this message be forwarded to full-disclosure, as I am not subscribed to it, and don't have time for additional email traffic.)

"S-Quadra Security Research" posted a vulnerability earlier today about FreeRADIUS which is (to be polite) not entirely correct.

The post says:

  "There exists a security vulnerability in FreeRADIUS up to 0.9.2, which may allow an attacker to mount a Denial of Service attack or possibly execute an arbitrary code (unproved)."

The vulnerability exists from version 0.4.0 onwards, and is not exploitable.

The vulnerability is a heap overflow, taking data from the packet contents. That data MUST form a valid RADIUS packet, which significantly limits the possible exploits. Further, as it is a heap overflow, it cannot overwrite any local variables (it may overwrite internal malloc() pointers, though). When coupled with the "-1" argument passed as the length to memcpy(), the end result is that the data copy always results in a SEGV, before memcpy() returns.

The post later says:

  "Access-Request packet with a malformed Tunnel-Password attribute triggers the invocation of memcpy() with a negative third argument, thereby causing radiusd to crash."

This statement is only partially correct. Examination of the code posted in the summary makes it obvious that the vulnerability extends to any RADIUS attribute containing a tag, not just Tunnel-Password. Further, ANY Access-Request packet containing a Tunnel-Password runs into an unrelated (and previously unreported) bug, which causes the server to de-reference a NULL pointer, and thus SEGV.

We note that the skills of "S-Quadra Security Research" did not extend to discovering either of these additional issues.

The post later says:

  "S-Quadra alerted FreeRADIUS team to this issue on 20th November 2003, fix was available in CVS after several hours. Unfortunately, the first attempt to contact with FreeRADIUS development team was made through post to freeradius-users mailing list ..."

He failed to give the developers ANY prior notification about the bug, so that a fix could be released before public disclosure of the vulnerability.

The post continues:

  "... as page http://www.freeradius.org/usage.html#help ("reporting bugs" section) will lead directly to the subscription form for this list."

This is nothing more than an attempt to excuse his own laziness. He did not try "security@...eradius.org", "postmaster", "webmaster", or "aland@...eradius.org", which is used to sign the public releases. Additionally, 10 seconds of searching the list archives would have revealed the developers' private email addresses. 10 seconds of searching the server source code would have yielded the same result. Reading the server documentation would have yielded further email addresses at freeradius.org where patches and/or bugs may be reported to.

It further continues:

  "We actually admit that such behaviour is NOT correct and our further FreeRADIUS security reports will be issued directly to freeradius-devel mailing list."

This is his response, after we informed him that "security@...eradius.org" was the appropriate place for future notifications. We are appalled.

In short, he made no effort whatsoever to privately contact anyone associated with the project. And after he has been informed of an appropriate forum for future reports, he publicly refuses to use that method. This behaviour is amateur, and inappropriate.

When we agreed that the vulnerability existed, he contacted me privately, and asked that FreeRADIUS coordinate release of the vulnerability with him. We refused, as he had already demonstrated an inability to coordinate public release of information in an ethical and professional manner.

His response was then to threaten widespread publication of the vulnerability, and this time, to include exploit code. We do not respond well to threats or attempts at blackmail.

I sent him an official response as the FreeRADIUS Project Leader, and requested that he include it in any further public release of the vulnerability. He has not done so. I find this behaviour reprehensible.

FreeRADIUS released version 0.9.3 yesterday, which fixes the DoS vulnerability.

We wish to have nothing more to do with "S-Quadra Security Research".

Alan DeKok.
FreeRADIUS Project Leader.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031121/7f44c62d/attachment.bin
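The bug class the message describes, a tagged RADIUS attribute whose length arithmetic goes to -1 and then reaches memcpy() as a huge size_t, is illustrated below as an added example. This is not FreeRADIUS code and not the code from the S-Quadra post; it is a stand-alone sketch of the attribute layout (Type, Length, Value per RFC 2865, with a one-octet Tag leading the Value for RFC 2868 tagged attributes such as Tunnel-Password, type 69), the unchecked computation, and a checked parser that rejects the malformed case instead of copying. Function names, the sample attributes and the output buffer are all constructed for the example. The naive function only computes the length and never performs the faulting copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RADIUS attribute layout (RFC 2865): Type (1 octet), Length (1 octet,
 * counting the whole attribute including these two header octets), Value.
 * Tagged attributes (RFC 2868), e.g. Tunnel-Password (type 69), carry a
 * one-octet Tag as the first octet of the Value. */
#define RADIUS_ATTR_HDR_LEN 2
#define TUNNEL_PASSWORD_TYPE 69

/* Unchecked computation: "value length minus the tag octet". For an
 * attribute whose Length is 2 (no value octets at all) this is -1; handed to
 * memcpy() as a size_t it would become SIZE_MAX, which is the "-1" length the
 * message refers to. This function only returns the number; it never copies. */
static long naive_tagged_value_len(uint8_t attr_len)
{
    return (long)attr_len - RADIUS_ATTR_HDR_LEN - 1;
}

/* Checked parse of one tagged attribute at attr, with avail octets left in
 * the packet. Copies the value after the tag into out and returns its length,
 * or -1 for any malformed attribute (no copy is performed in that case). */
static long copy_tagged_value(const uint8_t *attr, size_t avail,
                              uint8_t *tag, uint8_t *out, size_t out_cap)
{
    if (avail < RADIUS_ATTR_HDR_LEN)
        return -1;                          /* truncated header */
    uint8_t attr_len = attr[1];
    if (attr_len < RADIUS_ATTR_HDR_LEN + 1)
        return -1;                          /* no room for the tag octet */
    if (attr_len > avail)
        return -1;                          /* attribute runs past the packet */
    size_t vlen = (size_t)attr_len - RADIUS_ATTR_HDR_LEN - 1; /* cannot underflow now */
    if (vlen > out_cap)
        return -1;                          /* caller's buffer too small */
    *tag = attr[2];
    memcpy(out, attr + 3, vlen);
    return (long)vlen;
}

int main(void)
{
    /* Constructed sample attributes, not captured traffic. */
    const uint8_t empty_tagged[] = { TUNNEL_PASSWORD_TYPE, 2 };              /* Length 2: no tag, no value */
    const uint8_t ok_tagged[]    = { TUNNEL_PASSWORD_TYPE, 6, 0x01, 'a', 'b', 'c' };
    uint8_t tag = 0, buf[16];

    printf("naive length for Length=2: %ld (as size_t: %zu)\n",
           naive_tagged_value_len(2), (size_t)naive_tagged_value_len(2));
    printf("checked parse of empty attribute: %ld\n",
           copy_tagged_value(empty_tagged, sizeof empty_tagged, &tag, buf, sizeof buf));
    long n = copy_tagged_value(ok_tagged, sizeof ok_tagged, &tag, buf, sizeof buf);
    printf("checked parse of valid attribute: tag=%u len=%ld\n", tag, n);
    return 0;
}
```

The checked version validates three things the naive arithmetic skips: that the header is present, that Length covers at least the tag octet, and that Length does not exceed the octets actually remaining in the packet. As the message notes, the same tag-stripping arithmetic applies to every tagged attribute, so the check belongs in the shared attribute decoder rather than in Tunnel-Password handling alone.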