lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20031121173012.GH12505@mail>
From: david at crlf.net (David Maxwell)
Subject: FreeRADIUS 0.9.2 "Tunnel-Password" attribute handling vulnerability


Alan DeKok requested that I forward this reply to the full-disclosure
list. He is not subscribed here. I've signed it, as his PGP key was not
available.

						David Maxwell

---------- Forwarded message ----------

(I've asked that this message be forwarded to full-disclosure, as I am
 not subscribed to it, and don't have time for additional email traffic.)

  "S-Quadra Security Research" posted a vulnerability earlier today
about FreeRADIUS which is (to be polite) not entirely correct.

  The post says:

   "There exists a security vulnerability in FreeRADIUS up to 0.9.2,
    which may allow an attacker to mount a Denial of Service attack or
    possibly execute an arbitrary code (unproved)."

  The vulnerability exists from version 0.4.0 onwards, and is not
exploitable.  The vulnerability is a heap overflow, taking data from
the packet contents.  That data MUST form a valid RADIUS packet, which
significantly limits the possible exploits.  Further, as it is a heap
overflow, it cannot overwrite any local variables (it may overwrite
internal malloc() pointers, though).  When coupled with the "-1"
argument passed as the length to memcpy(), the end result is that the
data copy always results in a SEGV, before memcpy() returns.


  The post later says:

   "Access-Request packet with a malformed Tunnel-Password attribute
    triggers the invocation of memcpy() with a negative third
    argument, thereby causing radiusd to crash."

  This statement is only partially correct.  Examination of the code
posted in the summary makes it obvious that the vulnerability extends
to any RADIUS attribute containing a tag, not just Tunnel-Password.

  Further, ANY Access-Request packet containing a Tunnel-Password runs
into an unrelated (and previously unreported) bug, which causes the
server to de-reference a NULL pointer, and thus SEGV.  We note that
the skills of "S-Quadra Security Research" did not extend to
discovering either of these additional issues.


  The post later says:

   "S-Quadra alerted FreeRADIUS team to this issue on 20th November
   2003, fix was available in CVS after several hours.

   Unfortunately, the first attempt to contact with FreeRADIUS
   development team was made through post to freeradius-users mailing
   list ..."

  He failed to give the developers ANY prior notification about the
bug, so that a fix could be released before public disclosure of the
vulnerability.

  The post continues:

   "... as page http://www.freeradius.org/usage.html#help ("reporting
    bugs" section) will lead directly to the subscription form for
    this list."

  This is nothing more than an attempt to excuse his own laziness.  He
did not try "security@...eradius.org", "postmaster", "webmaster", or
"aland@...eradius.org", which is used to sign the public releases.
Additionally, 10 seconds of searching the list archives would have
revealed the developers private email addresses.  10 seconds of
searching the server source code would have yeilded the same result.
Reading the server documentation would have yielded further email
addresses at freeradius.org where patches and/or bugs may be reported
to.

  It further continues:

   "We actually admit that such behaviour is NOT correct and our
    futher FreeRADIUS security reports will be issued directly to
    freeradius-devel mailing list."

  This is his response, after we informed him that
"security@...eradius.org" was the appropriate place for future
notifications.  We are appalled.

  In short, he made no effort whatsoever to privately contact anyone
associated with the project.  And after he has been informed of an
appropriate forum for future reports, he publicly refuses to use that
method.  This behaviour is amateur, and inappropriate.
  


  When we agreed that the vulnerability existed, he contacted me
privately, and asked that FreeRADIUS coordinate release of the
vulnerability with him.  We refused, as he had already demonstrated an
inability to coordinate public release of information in an ethical
and professional manner.  His response was then to threaten
wide-spread publication of the vulnerability, and this time, to
include exploit code.

  We do not respond well to threats or attempts at blackmail.

  I sent him an official response as the FreeRADIUS Project Leader,
and requested that he include it in any further public release of the
vulnerability.  He has not done so.  I find this behaviour
reprehensible.

  FreeRADIUS released version 0.9.3 yesterday, which fixes the DoS
vulnerability.  We wish to have nothing more to do with "S-Quadra
Security Research".


  Alan DeKok.
  FreeRADIUS Project Leader.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031121/7f44c62d/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ