Apache mod_auth_radius remote integer overflow

From: LSS Security (exposed_at_lss.hr)
Date: 01/11/05

    Date: Tue, 11 Jan 2005 12:45:50 +0100
    To: bugtraq@securityfocus.com

                            LSS Security Advisory #LSS-2005-01-02

    Title               :  Apache mod_auth_radius remote integer overflow
    Advisory ID         :  LSS-2005-01-02
    Date                :  2005-01-10
    Advisory URL        :  http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02
    Impact              :  Denial of service attack
    Risk level          :  Low
    Vulnerability type  :  Remote
    Vendors contacted   :  10.12.2004

    ===[ Overview
    Mod_auth_radius is a RADIUS authentication module for Apache. It allows
    any Apache web server to act as a RADIUS client for authentication,
    authorization and accounting requests. You will, however, need to supply
    your own RADIUS server to perform the actual authentication.
    Mod_auth_radius can be downloaded from http://www.freeradius.org/mod_auth_radius/.

    ===[ Vulnerability
    When mod_auth_radius authenticates a user against a remote RADIUS server,
    it sends a RADIUS packet with the RADIUS_ACCESS_REQUEST code. The server
    can respond with a RADIUS packet carrying the RADIUS_ACCESS_CHALLENGE code.
    When mod_auth_radius receives a RADIUS_ACCESS_CHALLENGE that contains an
    attribute with code RADIUS_STATE and another attribute in the same packet
    with code RADIUS_REPLY_MESSAGE, the server's reply is copied into a local
    buffer by the radcpy() macro. The number of bytes copied into the local
    buffer is taken directly from the 'length' field of the attribute received
    from the RADIUS server:

    #define radcpy(STRING, ATTR) {memcpy(STRING, ATTR->data, ATTR->length - 2);\
                                  (STRING)[ATTR->length - 2] = 0;}

    Before the data is copied with memcpy(), two is subtracted from the RADIUS
    attribute length (the size of the type and length header). If the attribute
    length is 1, the result of the subtraction is -1, which memcpy() receives as
    a huge unsigned size, and the copy segfaults.
    If an attacker can sniff RADIUS request packets (which is a vulnerability in
    itself), he can spoof RADIUS server replies with an attribute length of 1
    that will segfault mod_auth_radius.
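    The following is an added example, not code from the advisory or from the
    mod_auth_radius project. It reproduces the arithmetic of the radcpy() macro
    on a constructed attribute (the attribute_t layout, the helper names and the
    sample Reply-Message payload are assumptions) to show why a length of 1 turns
    into an enormous copy size, and places a bounds-checked replacement beside it
    that rejects attributes shorter than their 2-byte header or larger than the
    destination buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Assumed in-memory view of one RADIUS attribute as it arrives on the wire:
 * type (1 byte), length (1 byte, includes the 2-byte header), then value. */
typedef struct {
    unsigned char attribute;
    unsigned char length;
    unsigned char data[256];
} attribute_t;

/* Size the original radcpy() macro hands to memcpy(): ATTR->length - 2.
 * 'length' is an unsigned char, so the subtraction is done in int; for
 * length 1 that is -1, which becomes SIZE_MAX when converted to size_t. */
size_t radcpy_copy_len(const attribute_t *attr)
{
    return (size_t)(attr->length - 2);
}

/* Hardened replacement (assumed name): copy only when the attribute is at
 * least as long as its header and the value plus NUL fits in dst.
 * Returns 0 on success, -1 when the attribute is rejected. */
int radcpy_checked(char *dst, size_t dstlen, const attribute_t *attr)
{
    if (attr->length < 2)            /* length 0 or 1: would underflow */
        return -1;
    size_t n = (size_t)attr->length - 2;
    if (n + 1 > dstlen)              /* value plus terminating NUL must fit */
        return -1;
    memcpy(dst, attr->data, n);
    dst[n] = 0;
    return 0;
}

/* Constructed malicious attribute: Reply-Message (type 18) with length 1. */
size_t demo_underflow_len(void)
{
    attribute_t bad = { 18, 1, { 0 } };
    return radcpy_copy_len(&bad);
}

/* The checked copy refuses the same length-1 attribute. */
int demo_reject_short(void)
{
    attribute_t bad = { 18, 1, { 0 } };
    char buf[64];
    return radcpy_checked(buf, sizeof buf, &bad);
}

/* A well-formed Reply-Message "hello" (length 2 + 5) is copied and NUL-terminated.
 * Returns 1 when the copy succeeded and the buffer holds "hello". */
int demo_accept_wellformed(void)
{
    attribute_t ok = { 18, 7, { 'h', 'e', 'l', 'l', 'o' } };
    char buf[64];
    if (radcpy_checked(buf, sizeof buf, &ok) != 0)
        return 0;
    return strcmp(buf, "hello") == 0;
}

/* A value that does not fit the destination is rejected rather than overflowing. */
int demo_reject_oversized(void)
{
    attribute_t big = { 18, 7, { 'h', 'e', 'l', 'l', 'o' } };
    char small[4];
    return radcpy_checked(small, sizeof small, &big);
}

int main(void)
{
    printf("memcpy size for length 1: %zu\n", demo_underflow_len());
    printf("checked copy of length 1 : %d\n", demo_reject_short());
    printf("checked copy of \"hello\" : %d\n", demo_accept_wellformed());
    printf("checked copy into 4 bytes: %d\n", demo_reject_oversized());
    return 0;
}
```

    Only the `attr->length < 2` test is needed to close the underflow the
    advisory describes; the destination-size test additionally guards the fixed
    local buffer against an oversized but otherwise valid attribute.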

    ===[ Affected versions
    All mod_auth_radius versions. Tested on 1.5.4 (1.5.7).

    ===[ Fix
    Not available yet.

    ===[ PoC Exploit
    Proof of concept code can be downloaded at http://security.lss.hr/en/PoC

    ===[ Credits
    Credits for this vulnerability go to Leon Juranic.

    ===[ LSS Security Contact
     LSS Security Team, <eXposed by LSS>
     WWW    : http://security.lss.hr
     E-mail : security@LSS.hr
     Tel    : +385 1 6129 775
