Remote DoS in FreeRADIUS, all versions.

From: Alan DeKok (aland_at_freeradius.org)
Date: 11/20/03

    To: bugtraq@securityfocus.com
    Date: Thu, 20 Nov 2003 15:03:30 -0500
    
    

    Application: FreeRADIUS, all versions (http://www.freeradius.org)

    Summary:

      A remote DoS, and possibly exploit, exists in all versions of the
    FreeRADIUS server. All users should upgrade to the latest version, as
    soon as it is officially released. For later announcements, see:

            http://www.freeradius.org

    Background:

      FreeRADIUS is a RADIUS authentication server, hosted at
    http://www.freeradius.org.

      The users help list had a post this morning from someone claiming to
    be Evgeny Legerov <e.legerov@s-quadra.com>, about a bug in all
    versions of the server.

      He made no attempt to give the developers time to respond, and issue
    a fix. He simply posted to the users list because that was the first
    email address associated with the server that he stumbled across. He
    made no attempt to contact the developers privately, whose contact
    information litters the mailing lists, code, and documentation. He
    made no attempt to submit the bug to 'patches@freeradius.org', as
    requested in the server documentation. He made no attempt to contact
    security@freeradius.org.

      When we responded, and declined to coordinate future notifications
    about the vulnerability (due to his lack of prior notification), he
    threatened to widely publish the vulnerability, and to include exploit
    code (which was not in the original post).

      We do not respond well to blackmail.

      We are posting our response here before releasing an updated version
    of the server, as the original notification is publicly available.

    Vulnerability:

      A RADIUS attribute which has a 'tag' (RFC 2868), and is of type
    'string', and which is 2-3 octets long, may cause the server to call
    'memcpy' with a length argument of '-1'.

      The ~256 bytes of packet contents following the RADIUS attribute are
    copied to the current structure on the heap, and any additional packet
    contents which are copied will result in over-writing the heap. Since
    RADIUS packets may only be 4k in length, after header overhead, the
    attacker has about 3.5K of data to use in an attack.

      The malformed packet MUST originate from an IP address listed as a
    RADIUS client in the server's configuration. However, as RADIUS does
    not require packet signatures, any machine on the net may send a
    fraudulent UDP packet to the RADIUS server, and cause the DoS.

      The reader is reminded that where possible, a RADIUS server SHOULD
    be placed on a private network, with firewall rules to prevent unknown
    machines from monitoring the RADIUS packet exchange, or from sending
    packets to the server.

      The original post claimed that the vulnerability applied only to the
    Tunnel-Password attribute. That claim was false. Any 'string'
    attribute containing a 'tag' could be used in the attack.
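      The check a decoder needs for the case described above, as an added
    illustration that is not FreeRADIUS code: a tagged string attribute is
    laid out as Type, Length, Tag, String (RFC 2868), so a Length of 2 or 3
    leaves no String octets, and computing the string length as "Length - 3"
    without first checking Length is what produces the oversized memcpy.
    The attribute bytes below are constructed; attribute type 81 is
    Tunnel-Private-Group-ID.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RAD_ATTR_MAX 253   /* RFC 2865: Length <= 255, minus Type and Length */

/* Decoded tagged string: tag octet plus a bounded copy of the String field. */
struct tagged_string {
    uint8_t tag;
    size_t  len;
    uint8_t value[RAD_ATTR_MAX];
};

/*
 * Decode one tagged string attribute from 'buf' holding 'avail' octets.
 * Returns the number of octets consumed, or 0 if the attribute is malformed.
 * Length is validated BEFORE any arithmetic on it, so the string length can
 * never go negative (or wrap, as an unsigned value) and reach memcpy.
 */
size_t parse_tagged_string(const uint8_t *buf, size_t avail, struct tagged_string *out)
{
    if (avail < 2) return 0;                       /* no room for Type and Length */
    size_t attr_len = buf[1];
    /* Need Type, Length and Tag, and the whole attribute must lie inside the packet. */
    if (attr_len < 3 || attr_len > avail) return 0;

    const uint8_t *str = buf + 2;
    size_t str_len = attr_len - 2;                 /* value = everything after Length */
    if (buf[2] <= 0x1F) {                          /* RFC 2868: 0x00..0x1F is a tag octet */
        out->tag = buf[2];
        str += 1;
        str_len -= 1;                              /* >= 0 because attr_len >= 3 */
    } else {
        out->tag = 0;                              /* > 0x1F: octet belongs to the String */
    }
    out->len = str_len;
    memcpy(out->value, str, str_len);              /* str_len <= RAD_ATTR_MAX */
    return attr_len;
}

int main(void)
{
    /* Constructed attribute: type 81, Length 3, tag 1, empty String. */
    const uint8_t tag_only[] = { 81, 3, 0x01 };
    struct tagged_string ts;
    size_t used = parse_tagged_string(tag_only, sizeof tag_only, &ts);
    printf("consumed %zu octets, tag %u, string length %zu\n", used, ts.tag, ts.len);
    return 0;
}
```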

      On additional investigation, the FreeRADIUS developers discovered
    that any Access-Request packet containing a Tunnel-Password attribute
    could cause the server to immediately crash, due to dereferencing a
    NULL pointer.

    Fix:

      The code is fixed in the current CVS archive of the server. A new
    version will be released in a day or so. See the web site for
    announcements.

      Alan DeKok.
      FreeRADIUS Project Leader

