SecurityTracker.com

SecurityTracker Archives

Category:   Application (Security)  >   FreeRADIUS
Vendors:   FreeRADIUS Server Project
FreeRADIUS Buffer Overflow in Processing CHAP Challenges Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007325
SecurityTracker URL:  http://securitytracker.com/id/1007325
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 29 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 0.9.0
Description:   A buffer overflow vulnerability was reported in FreeRADIUS in the processing of Challenge Handshake Authentication Protocol (CHAP) challenge strings. A remote user can execute arbitrary code on the target RADIUS server.

A vulnerability was reported in the 'radius.c' file in the rad_chap_encode() function that is used to encode a CHAP password. A combination of a user password and a CHAP challenge may overflow a buffer of length MAX_STRING_LEN. A remote user can supply a specially crafted CHAP challenge to execute arbitrary code on the system.

Masao NISHIKU is credited with discovery.
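
The boundary error described above, shown from the defensive side in an added example that is not FreeRADIUS code or the vendor's fix: a hypothetical helper, chap_build_input(), assembles the CHAP hash input (identifier, password, challenge, per RFC 1994) into a fixed buffer and refuses any combination that does not fit. The value 254 for MAX_STRING_LEN is an assumption; the advisory names the constant but not its size.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed value for illustration; the advisory does not give the size. */
#define MAX_STRING_LEN 254

/*
 * Hypothetical helper (not FreeRADIUS code): write id || password || challenge
 * into out[0..out_size). Returns bytes written, or -1 if the pieces do not fit.
 */
static int chap_build_input(uint8_t *out, size_t out_size, uint8_t id,
                            const uint8_t *password, size_t pw_len,
                            const uint8_t *challenge, size_t ch_len)
{
    if (out == NULL || out_size < 1 || out_size > 65535)
        return -1;
    if ((password == NULL && pw_len != 0) || (challenge == NULL && ch_len != 0))
        return -1;

    /* Compare each length with the space still left, so no sum can wrap. */
    size_t room = out_size - 1;          /* one byte is reserved for the id */
    if (pw_len > room)
        return -1;
    room -= pw_len;
    if (ch_len > room)                   /* password + challenge too long */
        return -1;

    uint8_t *p = out;
    *p++ = id;
    if (pw_len != 0) memcpy(p, password, pw_len);
    p += pw_len;
    if (ch_len != 0) memcpy(p, challenge, ch_len);
    p += ch_len;
    return (int)(p - out);
}

/* Constructed inputs: 1 if a normal request fits and an oversized one is refused. */
static int chap_demo(void)
{
    uint8_t buf[MAX_STRING_LEN], pw[200], chal[100];
    memset(pw, 'p', sizeof pw);
    memset(chal, 'c', sizeof chal);
    int ok  = chap_build_input(buf, sizeof buf, 7, pw, 8, chal, 16);
    int bad = chap_build_input(buf, sizeof buf, 7, pw, sizeof pw, chal, sizeof chal);
    return ok == 25 && bad == -1;
}

int main(void) { return chap_demo() ? 0 : 1; }
```

The check runs before the first byte is copied, so a rejected request leaves the buffer untouched and the caller can drop the packet.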

Impact:   A remote user can execute arbitrary code with the privileges of the RADIUS server.
Solution:   The vendor has released a fixed version (0.9.0), available at:

ftp://ftp.freeradius.org/pub/radius/freeradius.tar.gz

Vendor URL:  www.freeradius.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  FreeRADIUS


http://www.freeradius.org/radiusd/doc/ChangeLog

 > FreeRADIUS 0.9 ; $Date: 2003/07/04 21:01:29 $, urgency=low

 > 	* Fix CHAP related buffer overflow (ouch!), thanks to Masao NISHIKU.


The affected file appears to be 'radiusd/src/lib/radius.c', according to analysis of the 
CVS log entries:

 > Log entries

 >    * Description: rad_chap_encode buffer overflow fix courtesy of Masao NISHIKU
 >          o File: radiusd/src/lib/radius.c Revision: 1.99; Date: 2003/06/18 07:47:43;
 >            Author: fcusack; Lines: (+3 -3)


The flaw appears to reside in the rad_chap_encode() function that is used to encode a CHAP 
password.  A combination of a user password and a CHAP challenge may overflow a buffer of 
length MAX_STRING_LEN.

Conectiva reported that a remote user can execute arbitrary code on the system.


The fixed version (0.9) is available at:

ftp://ftp.freeradius.org/pub/radius/freeradius.tar.gz



 
 



Copyright 2019, SecurityGlobal.net LLC