[UNIX] GNU Radius Remote Denial of Service Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 02/05/04
To: list@securiteam.com Date: 5 Feb 2004 14:59:40 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
GNU Radius Remote Denial of Service Vulnerability
------------------------------------------------------------------------
SUMMARY
GNU Radius (http://www.gnu.org/software/radius/radius.html) is "a server for
remote user authentication and accounting". Remote exploitation of a
denial of service condition within GNU Radius can allow an attacker to
crash the service.
DETAILS
Vulnerable systems:
* GNU Radius version 1.1
Immune systems:
* GNU Radius version 1.2
The problem specifically exists within the rad_print_request() routine
defined in lib/logger.c. A snippet of this is shown here:
...
[0]     stat_pair = avl_find(req->request, DA_ACCT_STATUS_TYPE);
        if (stat_pair) {
[1]         VALUE_PAIR *sid_pair = avl_find(req->request, DA_ACCT_SESSION_ID);
[2]         DICT_VALUE *dval = value_lookup(stat_pair->avp_lvalue, "Acct-Status-Type");
            char nbuf[64], *stat;
[3]         if (dval)
                stat = dval->name;
            else {
                /* sid_pair is dereferenced without a NULL check */
[4]             snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
                stat = nbuf;
...
The denial of service condition is triggered upon receipt of a single
UDP packet that contains the attribute Acct-Status-Type. On line [0]
within rad_print_request() the Acct-Status-Type attribute is looked up. On
line [1] the Acct-Session-Id attribute is looked up. On line [2] the local
pointer dval is set to the dictionary entry for the Acct-Status-Type value.
Because the packet supplies no valid value for this attribute, dval is NULL.
The if-clause on line [3] therefore fails and line [4] is executed. At this
point, because the packet carries no Acct-Session-Id attribute, sid_pair is
NULL; dereferencing it is an illegal memory reference and crashes the
application.
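As an added example (not GNU Radius code), a small C model of the branch at lines [2]-[4] with the NULL check that version 1.1 lacked: VALUE_PAIR, DICT_VALUE, avl_find() and value_lookup() are constructed stand-ins for the real types and functions, and the dictionary contents are made up for the demo.

```c
#include <stdio.h>
#include <string.h>

#define DA_ACCT_STATUS_TYPE 40        /* RFC 2866 attribute numbers */
#define DA_ACCT_SESSION_ID  44

/* Constructed stand-ins for the GNU Radius types named in the snippet. */
typedef struct value_pair {
    int attribute; long avp_lvalue; struct value_pair *next;
} VALUE_PAIR;
typedef struct { long value; const char *name; } DICT_VALUE;

static const DICT_VALUE status_dict[] = { {1, "Start"}, {2, "Stop"} };

/* Linear search in place of avl_find(): NULL when the attribute is absent. */
static VALUE_PAIR *avl_find(VALUE_PAIR *list, int attribute)
{
    for (; list; list = list->next)
        if (list->attribute == attribute) return list;
    return NULL;
}

/* NULL when the numeric value has no dictionary name, as in the advisory. */
static const DICT_VALUE *value_lookup(long value)
{
    size_t i, n = sizeof status_dict / sizeof status_dict[0];
    for (i = 0; i < n; i++)
        if (status_dict[i].value == value) return &status_dict[i];
    return NULL;
}

/* Hardened form of lines [2]-[4]: every lookup result is tested before it is
 * dereferenced. Returns 0 (no Acct-Status-Type), 1 (dictionary name),
 * 2 (Acct-Session-Id fallback) or 3 (numeric fallback, neither present). */
int format_acct_status(VALUE_PAIR *req, char *out, size_t size)
{
    VALUE_PAIR *stat_pair = avl_find(req, DA_ACCT_STATUS_TYPE), *sid_pair;
    const DICT_VALUE *dval;

    if (!stat_pair) return 0;
    sid_pair = avl_find(req, DA_ACCT_SESSION_ID);
    dval = value_lookup(stat_pair->avp_lvalue);
    if (dval) { snprintf(out, size, "%s", dval->name); return 1; }
    if (sid_pair) {                 /* the check that 1.1 lacked */
        snprintf(out, size, "%ld", sid_pair->avp_lvalue); return 2;
    }
    snprintf(out, size, "unknown(%ld)", stat_pair->avp_lvalue);
    return 3;
}
```

The third case is exactly the crashing packet from the advisory: an unrecognised Acct-Status-Type with no Acct-Session-Id now produces a string instead of a SIGSEGV.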
The following sample output demonstrates the crash of radiusd upon receipt
of the specially crafted packet:
[root@vmlinux radiusd]# gdb radiusd `pidof radiusd`
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
..
[removed for sake of brevity]
..
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
rad_print_request (req=0x8085790, outbuf=0xbffff510 "húÿ¿", size=1031) at logger.c:102
102 snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
Analysis:
Successful exploitation allows unauthenticated remote attackers to cause
the radius daemon (radiusd) to crash. This thereby prevents legitimate
users from accessing systems reliant upon the affected radius server for
authentication.
iDEFENSE has proof of concept exploit code demonstrating the impact of
this vulnerability.
Vendor status:
GNU Radius 1.2 fixes the problem by removing the vulnerable function, says
Sergey Poznyakoff of the GNU Radius Project.
Disclosure timeline:
December 8, 2003 Exploit acquired by iDEFENSE
January 29, 2003 Initial vendor notification sent
January 29, 2003 iDEFENSE clients notified
February 2, 2004 Response received from Sergey Poznyakoff of GNU Radius Project
February 2, 2004 Public disclosure on the bug-gnu-radius@gnu.org mailing list
ADDITIONAL INFORMATION
The original advisory is available at:
http://www.idefense.com/application/poi/display?id=71&type=vulnerabilities
The information has been provided by iDEFENSE Labs (labs@iDefense.com).