S-Quadra Security Research <[EMAIL PROTECTED]> wrote:
> There exists a security vulnerability in FreeRADIUS up to 0.9.2,
> which may allow an attacker to mount a Denial of Service attack or
> possibly execute arbitrary code (unproved).

I'm not sure about the code execution, but the bug is real.

> To exploit this vulnerability an attacker does not need to know the NAS
> (Network Access Server) secret as the NAS's IP address can be easily
> spoofed.

This is a design flaw in the RADIUS protocol, sadly. The packets should really contain a Message-Authenticator attribute.

> The code execution was unproved, but still remains possible.

Data from the packet is copied into the heap, not onto the stack. This makes any attack more difficult to exploit. The main vulnerability here appears to be overwriting malloc's internal pointers, on systems which put those pointers in the heap (e.g. not OpenBSD).

We will issue a formal announcement, and a new version of the server soon.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
