Bugtraq mailing list archives


Apache mod_auth_radius remote integer overflow


From: LSS Security <exposed () lss hr>
Date: Tue, 11 Jan 2005 12:45:50 +0100

                        LSS Security Advisory #LSS-2005-01-02
                        http://security.lss.hr

---

Title                   :  Apache mod_auth_radius remote integer overflow
Advisory ID             :  LSS-2005-01-02
Date                    :  2005-01-10
Advisory URL            :  http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02
Impact                  :  Denial of service attack
Risk level              :  Low
Vulnerability type      :  Remote
Vendors contacted       :  10.12.2004

---

===[ Overview

Mod_auth_radius is a RADIUS authentication module for Apache. It allows
any Apache web server to become a RADIUS client for authentication,
authorization and accounting requests. You will, however, need to supply
your own RADIUS server to perform the actual authentication.

Mod_auth_radius can be downloaded from
http://www.freeradius.org/mod_auth_radius/.

===[ Vulnerability

When mod_auth_radius authenticates a user against a remote RADIUS server,
it sends a RADIUS packet with the RADIUS_ACCESS_REQUEST code. The server
can respond with a RADIUS packet with the RADIUS_ACCESS_CHALLENGE code.
When mod_auth_radius gets a RADIUS_ACCESS_CHALLENGE with an attribute
code set to RADIUS_STATE and another attribute code in the same packet set
to RADIUS_REPLY_MESSAGE, the RADIUS server reply is copied into a local
buffer with function radcpy(). The size of the data copied into the
local buffer is taken from the 'length' value of the packet attribute
received from the RADIUS server.

mod_auth_radius.c:
...
#define radcpy(STRING, ATTR) {memcpy(STRING, ATTR->data, ATTR->length - 2);\
                              (STRING)[ATTR->length - 2] = 0;}
...

Before the data is copied with memcpy(), two is subtracted from the RADIUS
attribute length. If the attribute length is 1, the result of the
subtraction is -1, and memcpy will lead to a segfault. If an attacker can
sniff RADIUS request packets (that is a vulnerability by itself), he can
spoof RADIUS server replies with attribute length 1 that will segfault
mod_auth_radius.

===[ Affected versions

All mod_auth_radius versions.
Tested on 1.5.4 (1.5.7).

===[ Fix

Not available yet.

===[ PoC Exploit

Proof of concept code can be downloaded at
http://security.lss.hr/en/PoC

===[ Credits

Credits for this vulnerability go to Leon Juranic.

===[ LSS Security Contact

  LSS Security Team, <eXposed by LSS>

  WWW    : http://security.lss.hr
  E-mail : security () LSS hr
  Tel    : +385 1 6129 775
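
The length check that the radcpy() macro quoted in the advisory lacks, shown as an added example (not part of the advisory and not the module's own code). The rad_attr layout, both function names, the avail parameter and the sample attributes are assumptions made for this example; type 18 is Reply-Message in RFC 2865.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example: RADIUS type-length-value attribute. */
typedef struct {
    unsigned char type;
    unsigned char length;      /* counts the type and length octets plus the value */
    unsigned char data[253];
} rad_attr;

/* Size argument the advisory's radcpy() macro would pass to memcpy(). */
size_t radcpy_unchecked_size(const rad_attr *attr)
{
    /* length is promoted to int, so 1 - 2 == -1, which converts to SIZE_MAX */
    return (size_t)(attr->length - 2);
}

/* Checked copy: returns the value length, or -1 if the attribute is rejected.
 * avail is the number of received bytes starting at attr. */
int radcpy_checked(char *dst, size_t dst_size, const rad_attr *attr, size_t avail)
{
    size_t vlen;

    if (avail < 2 || attr->length < 2)          /* shorter than its own header */
        return -1;
    if (attr->length > avail)                   /* claims more bytes than were received */
        return -1;
    vlen = (size_t)attr->length - 2;
    if (dst_size == 0 || vlen > dst_size - 1)   /* no room for value + terminator */
        return -1;
    memcpy(dst, attr->data, vlen);
    dst[vlen] = '\0';
    return (int)vlen;
}

int main(void)
{
    char buf[64];
    rad_attr bad = { 18, 1, { 0 } };        /* constructed: Reply-Message, length 1 */
    rad_attr ok  = { 18, 7, "hello" };      /* constructed: 2 header octets + 5 value */

    printf("unchecked memcpy size for length 1: %zu\n", radcpy_unchecked_size(&bad));
    printf("checked, length 1: %d\n", radcpy_checked(buf, sizeof buf, &bad, 2));
    printf("checked, length 7: %d (%s)\n", radcpy_checked(buf, sizeof buf, &ok, 7), buf);
    return 0;
}
```

The same three checks (minimum length, fit within the received bytes, fit within the destination) apply to every attribute walked in a reply, not only Reply-Message.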
