List:       freeradius-users
Subject:    Re: FreeRADIUS 0.9.2 "Tunnel-Password" attribute Handling Vulnerability
From:       "Alan DeKok" <aland () ox ! org>
Date:       2003-11-20 15:04:04
S-Quadra Security Research <research@s-quadra.com> wrote:
> There exists a security vulnerability in FreeRADIUS up to 0.9.2,
> which may allow an attacker to mount a Denial of Service attack or
> possibly execute arbitrary code (unproved).

  I'm not sure about the code execution, but the bug is real.

> To exploit this vulnerability, an attacker does not need to know the NAS
> (Network Access Server) secret, as the NAS's IP address can be easily
> spoofed.

  This is a design flaw in the RADIUS protocol, sadly.  The packets
should really contain a Message-Authenticator attribute.

> The code execution was unproved, but still remains possible.

  Data from the packet is copied into the heap, not onto the stack.
This makes any attack more difficult to exploit.  The main
vulnerability here appears to be over-writing malloc's internal
pointers, on systems which put those pointers in the heap (e.g. not
OpenBSD).

  We will issue a formal announcement, and a new version of the server
soon.

  Alan DeKok.
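The Message-Authenticator check referred to above, as an added example that is not FreeRADIUS code and not part of the message: a server that requires and verifies this attribute rejects a packet from a spoofed NAS address unless the sender also knows the shared secret. The secret and packet fields are constructed sample values, and `build_access_request` / `verify_message_authenticator` are hypothetical helper names.

```python
# Added example (not FreeRADIUS code): Message-Authenticator handling per RFC 2869 s5.14.
# The attribute value is HMAC-MD5(shared secret, packet) computed with the attribute's own
# 16 value bytes set to zero. The secret and attributes below are constructed samples.
import hashlib
import hmac
import os

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type number


def build_access_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Build an Access-Request (code 1) carrying a valid Message-Authenticator."""
    authenticator = os.urandom(16)  # Request Authenticator is random (RFC 2865)
    placeholder = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed value
    body = attrs + placeholder
    length = 20 + len(body)
    header = bytes([1, ident]) + length.to_bytes(2, "big") + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + mac


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """True only if the packet carries a Message-Authenticator matching the secret.

    A packet without the attribute is rejected: requiring it is the point.
    """
    if len(packet) < 20:
        return False
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute: the length byte is untrusted input
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2 : pos + 18]
            zeroed = packet[: pos + 2] + bytes(16) + packet[pos + 18 :]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False
```

Note that this check binds the packet to the shared secret but says nothing about the attribute contents; the Tunnel-Password decoding bug still needs its own fix.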

