FreeRADIUS String Tag Negative Integer Overflow Lets Remote Users Crash the Service
SecurityTracker Alert ID: 1008263|
SecurityTracker URL: http://securitytracker.com/id/1008263
(Links to External Site)
Updated: Dec 2 2003|
Original Entry Date: Nov 20 2003
Denial of service via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): prior to 0.9.3|
A vulnerability was reported FreeRADIUS. A remote user may be able to cause the RADIUS service to crash.|
It is reported that a remote user with a permitted RADIUS client IP address (or forged address) can submit a specially crafted RADIUS packet to potentially cause the target FreeRADIUS service to crash. A 'tag' of type 'string' that is 2 - 3 octets in length may cause the target server to issue a memcpy() call with a negative length argument (lenght of '-1'), the report said. As a result, some of the RADIUS packet contents will overwrite portions of the heap.
It is also reported that a remote user can send any Access-Request packet with a specially crafted Tunnel-Password attribute to trigger a null pointer dereference and cause the server to crash.
A remote user can cause the target FreeRADIUS service to crash.|
The vendor has released a fixed version (0.9.3), available at:|
Vendor URL: www.freeradius.org/ (Links to External Site)
|Underlying OS: Linux (Any), UNIX (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: Remote DoS in FreeRADIUS, all versions.|
Application: FreeRADIUS, all versions (http://www.freeradius.org)
A remote DoS, and possibly exploit, exists in all versions of the
FreeRADIUS server. All users should upgrade to the latest version, as
soon as it is officially release. For later announcements, see:
FreeRADIUS is a RADIUS authentication server, hosted at
The users help list had a post this morning from someone claiming to
be Evgeny Legerov <email@example.com>, about a bug in all
versions of the server.
He made no attempt to give the developers time to respond, and issue
a fix. He simply posted to the users list because that was the first
email address associated with the server that he stumbled across. He
made no attempt to contact the developers privately, whose contact
information litters the mailing lists, code, and documentation. He
made no attempt to submit the bug to 'firstname.lastname@example.org', as
requested in the server documentation. He made no attempt to contact
When we responded, and declined to coordinate future notifications
about the vulnerability (due to his lack of prior notification), he
threatened to widely publish the vulnerability, and to include exploit
code (which was not in the original post.)
We do not respond well to blackmail.
We are posting our response here before releasing an updated version
of the server, as the original notification is publicly available.
A RADIUS attribute which has a 'tag' (RFC 2868), and is of type
'string', and which is 2-3 octets long, may cause the server to call
'memcpy' with a length argument of '-1'.
The ~256 bytes of packet contents following the RADIUS attribute are
copied to the current structure on the heap, and any additional packet
contents which are copied will result in over-writing the heap. Since
RADIUS packets may only be 4k in length, after header overhead, the
attacker has about 3.5K of data to use in an attack.
The malformed packet MUST originate from an IP address listed as a
RADIUS client in the servers configuration. However, as RADIUS does
not require packet signatures, any machine on the net may send a
fraudulent UDP packet to the RADIUS server, and cause the DoS.
The reader is reminded that where possible, a RADIUS server SHOULD
be placed on a private network, with firewall rules to prevent unknown
machines from monitoring the RADIUS packet exchange, or from sending
packets to the server.
The original post claimed that the vulnerability applied only to the
Tunnel-Password attribute. That claim was false. Any 'string'
attribute containing a 'tag' could be used in the attack.
On additional investigation, the FreeRADIUS developers discovered
that any Access-Request packet containing a Tunnel-Password attribute
could cause the server to immediately crash, due to dereferencing a
The code is fixed in the current CVS archive of the server. A new
version will be released in a day or so. See the web site for
FreeRADIUS Project Leader