Category:   Application (Security)  >   FreeRADIUS
Vendors:   FreeRADIUS Server Project
[Vendor Disputes Security Impact] FreeRADIUS Buffer Overflow in SMB_Connect_Server() Function Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017463
SecurityTracker URL:
CVE Reference:   CVE-2007-0080
Updated:  Feb 10 2007
Original Entry Date:  Jan 2 2007
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 1.1.3 and prior versions
Description:   A vulnerability was reported in FreeRADIUS. A local user can execute arbitrary code on the target system.

A user can trigger a buffer overflow in the SMB_Connect_Server() function of the SMB_Handle_Type class and execute arbitrary code on the target system. The vulnerability exists because the Con_Handle parameter (con->desthost) is not properly validated.

Michal Bucko (sapheal) reported this vulnerability.

[Editor's note: The vendor disputes that this is a vulnerability, indicating that arbitrary code execution can only be effected by administrative users that already have write access to the server configuration files. We are contacting the original author for clarification.

The vendor's official statement is provided:

"This issue is not a security vulnerability. The exploit is available only to local administrators who have write access to the server configuration files. As such, this issue has no security impact on any system running FreeRADIUS."]

Impact:   A local user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.

[Editor's note: The vendor indicates that only privileged administrative users could trigger the overflow, which would not provide any additional privileges or impact beyond that expressly held by the administrative user anyway.]

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code

FreeRadius 1.1.3  SMB_Handle_Type SMB_Connect_Server arbitrary code execution

Product:   FreeRadius
Version:   <=1.1.3


A critical security vulnerability has been found in FreeRadius 1.1.3.
Arbitrary code execution is possible due to improper bounds-checking. 

Function of the prototype:

SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle,
				   char *server, char *NTdomain)

when initializing (con->desthost), where con is an SMB_Handle_Type class
object, does not check for bounds.

Affected Versions

FreeRadius <=1.1.3

Kind regards,

Michal Bucko (sapheal)
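
The missing bounds check on con->desthost described above, modelled as an added example (not code from the advisory, the reporter or the FreeRADIUS source). The struct, the function name conn_set_desthost, the 80-byte field size and the host names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DESTHOST_MAX 80   /* assumed field size; the advisory does not state it */

/* Hypothetical stand-in for the connection handle, not FreeRADIUS's struct. */
struct smb_conn {
    char desthost[DESTHOST_MAX];
};

/* Unchecked form of the kind the advisory describes (illustrative only):
 *     strcpy(con->desthost, server);
 * A server name longer than the field is written past its end. */

/* Hardened initializer. Returns 0 on success, -1 if the name is missing,
 * empty, or does not fit together with its terminating NUL. An overlong
 * name is rejected rather than truncated, because a truncated host name
 * can refer to a different server than the one configured. */
int conn_set_desthost(struct smb_conn *con, const char *server)
{
    const char *end;
    size_t len;

    if (con == NULL || server == NULL)
        return -1;
    /* Look for the NUL only within the space the field can hold. */
    end = memchr(server, '\0', DESTHOST_MAX);
    if (end == NULL || end == server)
        return -1;
    len = (size_t)(end - server);
    memcpy(con->desthost, server, len + 1);   /* len + 1 includes the NUL */
    return 0;
}

int main(void)
{
    struct smb_conn con = { "" };
    char longname[200];                       /* constructed overlong input */

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short name: %d\n", conn_set_desthost(&con, "dc1.example.test"));
    printf("long name:  %d\n", conn_set_desthost(&con, longname));
    return 0;
}
```

Because the value reaches this function from the server configuration, per the vendor's statement, the same length check can also be applied when the configuration is parsed so an overlong entry is reported at startup.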

