At 07:32 AM 11/20/2003, S-Quadra Security Research^WSpammers wrote:


Topic: FreeRADIUS 0.9.2 "Tunnel-Password" attribute Handling Vulnerability
Severity: Average
Release date: 20 Nov 2003

1. DESCRIPTION

The FreeRADIUS Server (http://www.freeradius.org) is a high-performance and highly configurable GPL'd free RADIUS server.

There exists a security vulnerability in FreeRADIUS up to 0.9.2, which may allow an attacker
to mount a Denial of Service attack or possibly execute arbitrary code (unproved).


2. DETAILS

An Access-Request packet with a malformed Tunnel-Password attribute triggers the invocation of memcpy() with a negative third argument, thereby causing radiusd to crash.

Below is the snip of vulnerable code from src/lib/radius.c:

To exploit this vulnerability, an attacker does not need to know the NAS (Network Access Server) secret, as the NAS's IP address can be easily spoofed.
The code execution was unproved, but still remains possible.

Right, so you have no sample code, nor much of an understanding of how radius works, apparently.

3. FIX INFORMATION

S-Quadra alerted FreeRADIUS team to this issue on 20th November 2003.

Uhhh, that's not a fix in my book. And it would have been better to post to the -devel list, rather than -users, since *gasp* the developers are more likely to be found on the *developers* list. Oh, but then you couldn't have broadcast your not so cleverly disguised solicitation for business. My bad.

5. ABOUT

It's unique, creative and innovative - just like the security services we bring to our clients.

Go hawk for customers somewhere else, please. KTHX.


-Chris
--
   \\\|||///  \          StarNet Inc.      \         Chris Parker
   \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
   | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                  \ Wholesale Internet Services - http://www.megapop.net



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
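
Added example, not part of the original message and not FreeRADIUS source: the bug class the quoted advisory describes (memcpy() reached with a negative length from a malformed attribute), shown next to a length-checked copy. It assumes a simplified layout of Type, Length, one tag octet, then the value (salt and encryption omitted); the function names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_HDR_LEN 2  /* Type + Length octets (RFC 2865) */
#define TAG_LEN      1  /* tag octet of a tagged attribute (RFC 2868) */

/* Constructed samples (type 69 = Tunnel-Password), not captured traffic. */
static const uint8_t SAMPLE_SHORT[]   = { 69, 2 };  /* header only, no tag */
static const uint8_t SAMPLE_OK[]      = { 69, 6, 0x01, 'a', 'b', 'c' };
static const uint8_t SAMPLE_OVERRUN[] = { 69, 200, 0x01, 'a' };
static uint8_t OUT[253];

/* Length arithmetic with no lower bound: a Length octet of 2 yields -1,
 * which becomes SIZE_MAX once passed as memcpy()'s size_t argument. */
int unchecked_value_len(const uint8_t *attr)
{
    return (int)attr[1] - ATTR_HDR_LEN - TAG_LEN;
}

/* Hardened copy: returns bytes copied, or -1 if the attribute is malformed. */
int copy_tagged_value(const uint8_t *attr, size_t avail,
                      uint8_t *out, size_t out_size)
{
    size_t attr_len, value_len;

    if (avail < (size_t)ATTR_HDR_LEN)
        return -1;                  /* header itself is truncated */
    attr_len = attr[1];
    if (attr_len < (size_t)(ATTR_HDR_LEN + TAG_LEN))
        return -1;                  /* no room for the tag octet */
    if (attr_len > avail)
        return -1;                  /* Length runs past the received data */
    value_len = attr_len - ATTR_HDR_LEN - TAG_LEN;
    if (value_len > out_size)
        return -1;                  /* would overflow the caller's buffer */
    memcpy(out, attr + ATTR_HDR_LEN + TAG_LEN, value_len);
    return (int)value_len;
}

int main(void)
{
    printf("unchecked length, short attr: %d\n", unchecked_value_len(SAMPLE_SHORT));
    printf("checked copy, short attr:     %d\n", copy_tagged_value(SAMPLE_SHORT, sizeof SAMPLE_SHORT, OUT, sizeof OUT));
    printf("checked copy, valid attr:     %d\n", copy_tagged_value(SAMPLE_OK, sizeof SAMPLE_OK, OUT, sizeof OUT));
    printf("checked copy, overrun attr:   %d\n", copy_tagged_value(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, OUT, sizeof OUT));
    return 0;
}
```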
