[UNIX] FreeRADIUS rlm_smb Module Stack Overflow Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 11/26/03
To: list@securiteam.com Date: 26 Nov 2003 14:56:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
FreeRADIUS rlm_smb Module Stack Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
The FreeRADIUS Server (http://www.freeradius.org/) is "a high-performance
and highly configurable GPL'd free RADIUS server".
FreeRADIUS's experimental module rlm_smb allows the RADIUS server to
perform NT-Domain authentication. This module is not enabled by default;
to use it, the RADIUS server must be compiled with the
'--with-experimental-modules' configuration option. In the worst case,
exploitation of this vulnerability could enable an attacker to gain root
access on the system.
DETAILS
Vulnerable systems:
* FreeRADIUS version 0.9.3 and prior
There is a stack buffer overflow in the rlm_smb module that can be
triggered by a User-Password attribute longer than 128 bytes. The offending
code is in the SMB_Logon_Server routine
(src/modules/rlm_smb/smblib.c):
/* Logon to the server. That is, do a session setup if we can. We do not do */
/* Unicode yet! */
int SMB_Logon_Server(SMB_Handle_Type Con_Handle, char *UserName, char *PassWord)
{
  struct RFCNB_Pkt *pkt;
  int param_len, i, pkt_len, pass_len, a;
  char *p, pword[128];          /* fixed-size stack buffer for the password */

  /* First we need a packet etc ... but we need to know what protocol has */
  /* been negotiated to figure out if we can do it and what SMB format to */
  /* use .. */
  if (Con_Handle -> protocol < SMB_P_LanMan1) {
    SMBlib_errno = SMBlibE_ProtLow;
    return(SMBlibE_BAD);
  }

  /* Unbounded copy: a PassWord of 128 bytes or more overruns pword[] */
  strcpy(pword, PassWord);

  if (Con_Handle -> encrypt_passwords)
  {
    pass_len = 24;
    SMBencrypt((uchar *) PassWord, (uchar *) Con_Handle -> Encrypt_Key, (uchar *) pword);
  }
  else
    pass_len = strlen(pword);
  ...
}
It may be possible to exploit this vulnerability under either of the
following conditions:
1) The NAS (Network Access Server) does not restrict the length of the
User-Password attribute to 128 bytes as specified in RFC 2865.
2) The attacker knows the NAS shared secret.
The first is probably the simplest. Here, however, we consider situation 2.
In that case exploitation is also simple and straightforward: build an
Access-Request packet with a suitably long User-Password attribute and send
it to the RADIUS server.
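As an added example (not FreeRADIUS's code and not S-Quadra's exploit), the C below puts the two ends of the problem side by side: the User-Password length check that a NAS or server honouring RFC 2865 would apply to incoming attributes (condition 1), and a bounded copy that could replace the strcpy into pword[128] shown above. The attribute types and the 16..128-octet bound come from RFC 2865; the sample User-Name, the 'A' filler bytes, and the function names are constructed for this example, and password hiding with the shared secret and Request Authenticator is left out because only lengths matter here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeRADIUS code.  Limits taken from RFC 2865 section 5.2:
 * User-Password is attribute type 2, its Length octet counts the Type and
 * Length octets too and must be 18..130, and the hidden string it carries is
 * padded to a multiple of 16 octets.  So the string is 16, 32, ..., 128 bytes. */
#define RADIUS_ATTR_USER_NAME       1
#define RADIUS_ATTR_USER_PASSWORD   2
#define RADIUS_PW_MIN_LEN          16
#define RADIUS_PW_MAX_LEN         128
#define SMB_PWORD_SIZE            128   /* same size as pword[128] in SMB_Logon_Server */

enum { SMB_OK = 0, SMB_BAD = -1 };

/* Bounded replacement for the strcpy(pword, PassWord) in the advisory: the
 * copy is refused unless the password and its terminator fit in pword. */
int smb_logon_bounded(const char *password, char pword[SMB_PWORD_SIZE])
{
    size_t n = strlen(password);
    if (n >= SMB_PWORD_SIZE)
        return SMB_BAD;                 /* would overflow: 128 bytes + NUL */
    memcpy(pword, password, n + 1);
    return SMB_OK;
}

/* Walk the attribute area of a RADIUS packet (everything after the 20-byte
 * header) and return the length of the User-Password string.  Returns -1 when
 * the attribute is missing or a TLV is malformed, -2 when the string violates
 * the RFC 2865 bound, i.e. the sender did not restrict it (condition 1). */
int radius_user_password_len(const uint8_t *attrs, size_t attrs_len)
{
    size_t off = 0;
    while (off + 2 <= attrs_len) {
        uint8_t type = attrs[off];
        uint8_t len  = attrs[off + 1];
        if (len < 2 || off + len > attrs_len)
            return -1;                  /* truncated or zero-length TLV */
        if (type == RADIUS_ATTR_USER_PASSWORD) {
            int str_len = len - 2;
            if (str_len < RADIUS_PW_MIN_LEN || str_len > RADIUS_PW_MAX_LEN ||
                str_len % 16 != 0)
                return -2;
            return str_len;
        }
        off += len;
    }
    return -1;
}

/* Construct an attribute list with a User-Name and a User-Password string of
 * pw_len filler bytes (constructed sample data; real password hiding with the
 * shared secret is omitted).  Returns the number of bytes written, or 0 if
 * the list cannot be encoded in cap bytes. */
size_t build_attrs(uint8_t *buf, size_t cap, size_t pw_len)
{
    static const char user[] = "testuser";    /* constructed sample value */
    size_t name_len = strlen(user);
    size_t total = 2 + name_len + 2 + pw_len;

    if (pw_len > 253 || total > cap)          /* one Length octet: 2 + string <= 255 */
        return 0;
    buf[0] = RADIUS_ATTR_USER_NAME;
    buf[1] = (uint8_t)(2 + name_len);
    memcpy(buf + 2, user, name_len);
    buf[2 + name_len] = RADIUS_ATTR_USER_PASSWORD;
    buf[3 + name_len] = (uint8_t)(2 + pw_len);
    memset(buf + 4 + name_len, 'A', pw_len);
    return total;
}

int main(void)
{
    uint8_t pkt[512];
    char pword[SMB_PWORD_SIZE];
    char longpw[201];
    size_t n;

    /* A 200-byte User-Password, as a NAS ignoring RFC 2865 could send it. */
    n = build_attrs(pkt, sizeof pkt, 200);
    printf("200-byte password: check returns %d\n", radius_user_password_len(pkt, n));

    /* A conforming 64-byte hidden string passes the check. */
    n = build_attrs(pkt, sizeof pkt, 64);
    printf("64-byte password:  check returns %d\n", radius_user_password_len(pkt, n));

    /* Even if the check were skipped, the bounded copy refuses the long value. */
    memset(longpw, 'A', 200);
    longpw[200] = '\0';
    printf("bounded copy of 200 bytes: %s\n",
           smb_logon_bounded(longpw, pword) == SMB_OK ? "accepted" : "refused");
    return 0;
}
```

The two checks are independent on purpose: the attribute walker rejects the oversized User-Password before any module sees it, and the bounded copy protects the module even when the attribute arrives from a path that skipped the walker (which is what condition 2, an attacker who can craft the whole Access-Request, amounts to).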
Solution:
S-Quadra alerted the FreeRADIUS development team to this issue on 24th
November 2003. The response from Alan DeKok <aland@ox.org> is below:
"The FreeRADIUS server does not build, install, or use the rlm_smb module
in the default configuration. The module is clearly marked "experimental",
and is considered to be untested: use at your own risk. Anyone using the
module has to go out of their way to re-configure and re-build the server,
and then edit the server's configuration files to set up the module. We
view this vulnerability as high risk (exploit is trivial), but low
probability (few, if any, servers use this module.)
The code in rlm_smb was taken from pam_smb over a year ago, and has not
been audited or updated since then. It is therefore subject to the same
vulnerabilities as the pam_smb module. This exploit appears to be related to
one previously released for pam_smb.
The bug has been fixed in the current CVS archive of the server. Any
future release of the server will include the fix."
ADDITIONAL INFORMATION
The information has been provided by S-Quadra Security Research
(e.legerov@s-quadra.com).
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.