SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   FreeRADIUS Vendors:   FreeRADIUS Server Project
FreeRADIUS SMB_Logon_Server() Buffer Overflow May Let Remote Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1008308
SecurityTracker URL:  http://securitytracker.com/id/1008308
CVE Reference:   CVE-2003-0968   (Links to External Site)
Updated:  Dec 2 2003
Original Entry Date:  Nov 26 2003
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.9.3 and prior versions
Description:   A buffer overflow was reported in FreeRADIUS in the experimental rlm_smb module. If the module is enabled, a remote user can execute arbitrary code, potentially with root privileges.

S-Quadra reported that a remote user can supply a long User-Password attribute of more than 128 bytes to trigger a stack overflow. The flaw reportedly resides in the SMB_Logon_Server() function in 'src/modules/rlm_smb/smblib.c'.

If a network access server (NAS) does not limit the length of a User-Password attribute, a remote user may be able to exploit this flaw. Also, if a remote user knows the NAS shared secret, the remote user may be able to exploit the flaw.

The rlm_smb code is reportedly based on older pam_smb code and this flaw may be based on a similar flaw in a previous version of pam_smb.

Impact:   A remote user may be able to execute arbitrary code with root privileges on the target system.
Solution:   The vendor has issued a fix, available via CVS.
Vendor URL:  www.freeradius.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] FreeRADIUS <= 0.9.3 rlm_smb module stack overflow vulnerability


          
            S-Quadra Advisory #2003-11-26

Topic: FreeRADIUS <= 0.9.3 rlm_smb module stack overflow vulnerability
Severity: High
Vendor URL: http://www.freeradius.org
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031126.txt
Release date: 26 Nov 2003

1. DESCRIPTION

The FreeRADIUS Server (http://www.freeradius.org) is a high-performance 
and highly configurable GPL'd free RADIUS server.

The FreeRADIUS's experimental module rlm_smb allows radius server to 
perform NT-Domain authentication.
This module is not enabled by default and to use it you should compile 
radius server with '--with-experimental-modules' configuration option.
The exploitation of this vulnerability could enable an attacker in the 
worst case to gain root access on the system.

2. DETAILS

There exists a stack buffer overflow in rlm_smb module which can be 
triggered by a long User-Password attribute (> 128 bytes).
The offending code can be found in SMB_Logon_Server routine 
(src/modules/rlm_smb/smblib.c):
<snip>

/* Logon to the server. That is, do a session setup if we can. We do not 
do */
/* Unicode 
yet!                                                             */

int SMB_Logon_Server(SMB_Handle_Type Con_Handle, char *UserName,
             char *PassWord)

{ struct RFCNB_Pkt *pkt;
  int param_len, i, pkt_len, pass_len,a;
  char *p, pword[128];

  /* First we need a packet etc ... but we need to know what protocol 
has  */
  /* been negotiated to figure out if we can do it and what SMB format 
to  */
  /* use 
...                                                               */

  if (Con_Handle -> protocol < SMB_P_LanMan1) {

    SMBlib_errno = SMBlibE_ProtLow;
    return(SMBlibE_BAD);

  }

  strcpy(pword, PassWord);
  if (Con_Handle -> encrypt_passwords)
  {
    pass_len=24;
    SMBencrypt((uchar *) PassWord, (uchar *)Con_Handle -> 
Encrypt_Key,(uchar *)pword);
  }
  else
    pass_len=strlen(pword);

  ...
 }
</snip>

It may be possible to exploit this vulnerability under the following 
conditions:

1) NAS(Network Access Server) does not restrict the length of 
User-Password attribute to 128 bytes as it is specified in rfc2865.
2) The attacker knows NAS shared secret

The first is probably most simple, however we will try to exploit the 
situation 2.
In this case, the exploitation is also very simple and straightforward, 
we should just build Access-Request packet properly and send it to 
radius server.

Below is sample run of 'bugfree' FreeRADIUS <= 0.9.3 rlm_smb remote 
overflow exploit (PoC):

$ ./bugfree -p 1812 -u cparker -s testing123 192.168.3.12
FreeRADIUS <= 0.9.3 rlm_smb remote overflow exploit (PoC)
 
Trying to login as user "cparker" with secret "testing123" ...
Prepared the packet, 513 bytes
Attacking 192.168.3.12:1812 ...
Sent, checking for a shell ...
Success, proceed with commands
 
Linux lina.s-quadra.com 2.4.20 #1 Wed Nov 19 22:21:27 EST 2003 i686 unknown
uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
exit

In case exploitation attempt will fail, radius server will be killed.

3. PLATFORMS TESTED

We were able to succesfully exploit this vulnerability on the following 
platforms:

1. Linux RedHat 7.1 with FreeRADIUS 0.9.3 (source install)
2. Linux RedHat 7.3 with FreeRADIUS 0.9.3 (source install)

4. FIX INFORMATION

S-Quadra alerted FreeRADIUS development team to this issue on 24th 
November 2003.
The response from Alan DeKok <aland@ox.org> is below:

"The FreeRADIUS server does not build, install, or use the rlm_smb
module in the default configuration.  The module is clearly marked
"experimental", and is considered to be untested: use at your own
risk.  Anyone using the module has to go out of their way to
re-configure and re-build the server, and then edit the servers
configuration files to set up the module.  We view this vulnerability
as high risk (exploit is trivial), but low probability (few, if any,
servers use this module.)

The code in rlm_smb was taken from pam_smb over a year ago, and has
not been audited or updated since then.  It is therefore subject to
the same vulnerabilities as the pam_smb module.  This exploit appears
to related to one previously released for pam_smb.

The bug has been fixed in the current CVS archive of the server.
Any future release of the server will include the fix. "

5. CREDITS

Evgeny Legerov <e.legerov@s-quadra.com> is responsible for discovering 
this issue.

6. ABOUT

S-Quadra offers services in computer security, penetration testing and 
network assesment,
web application security, source code review and third party product 
vulnerability assesment,
forensic support and reverse engineering.

Security is an art and our goal is to bring responsible and high quality 
security
service to the IT market, customized to meet the unique needs of each 
individual client.

S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services 
we bring to our clients.

            S-Quadra Advisory #2003-11-26


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC