SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   FreeRADIUS Vendors:   FreeRADIUS Server Project
[Vendor Disputes Security Impact] FreeRADIUS Buffer Overflow in SMB_Connect_Server() Function Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017463
SecurityTracker URL:  http://securitytracker.com/id/1017463
CVE Reference:   CVE-2007-0080   (Links to External Site)
Updated:  Feb 10 2007
Original Entry Date:  Jan 2 2007
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 1.1.3 and prior versions
Description:   A vulnerability was reported in FreeRADIUS. A local user can execute arbitrary code on the target system.

A user can trigger a buffer overflow in the SMB_Connect_Server() function of the SMB_Handle_Type class and execute arbitrary code on the target system. The vulnerability exists because the Con_Handle parameter (con->desthost) is not properly validated.

Michal Bucko (sapheal) reported this vulnerability.

[Editor's note: The vendor disputes that this is a vulnerability, indicating that arbitrary code execution can only be effected by administrative users that already have write access to the server configuration files. We are contacting the original author for clarification.

The vendor's official statement is provided:

"This issue is not a security vulnerability. The exploit is available only to local administrators who have write access to the server configuration files. As such, this issue has no security impact on any system running FreeRADIUS."]

Impact:   A local user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.

[Editor's note: The vendor indicates that only privileged administrative users could trigger the overflow, which would not provide any additional privileges or impact beyond that expressly held by the administrative user anyway.]

Vendor URL:  www.freeradius.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 02 Jan 2007 13:10:50 +0100
Subject:  FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code

Synopsis:  
FreeRadius 1.1.3  SMB_Handle_Type SMB_Connect_Server arbitrary code execution

Product:   FreeRadius
Version:   <=1.1.3



Issue:
======

A critical security vulnerability has been found in FreeRadius 1.1.3.
Arbitrary code execution is possible due to improper bounds-checking. 


Details:
========
Function of the prototype:

SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle,
				   char *server, char *NTdomain)

when initializing (con->desthost) where con is SMB_Handle_Type class
object does not check for bounds. 




Affected Versions
=================

FreeRadius <=1.1.3



Kind regards,

Michal Bucko (sapheal)
hack.pl



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC