iDEFENSE Security Advisory 02.04.04: GNU Radius Remote Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDEFENSE Security Advisory 02.04.04
GNU Radius Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=71
February 4, 2004
I. BACKGROUND
Radius is a server for remote user authentication and accounting. More
information about Radius is available at:
http://www.gnu.org/software/radius/radius.html.
II. DESCRIPTION
Remote exploitation of a denial of service condition within GNU Radius
can allow an attacker to crash the service. The problem specifically
exists within the rad_print_request() routine defined in lib/logger.c.
A snippet of this is shown here:
...
[0] stat_pair = avl_find(req->request, DA_ACCT_STATUS_TYPE);
if (stat_pair) {
[1] VALUE_PAIR *sid_pair = avl_find(req->request,
DA_ACCT_SESSION_ID);
[2] DICT_VALUE *dval = value_lookup(stat_pair->avp_lvalue,
"Acct-Status-Type");
char nbuf[64], *stat;
[3] if (dval)
stat = dval->name;
else {
[4] snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
stat = sbuf;
...
The denial of service condition is triggered upon the receipt of a
single UDP packet that contains the attribute Acct-Status-Type. On
line [0] within rad_print_request() the Acct-Status-Type attribute is
accessed. On line [1] the Acct-Session-Id attribute is accessed. On
line [2] the local pointer dval is set to point to the Acct-Status-Type
attribute value. Because no value was specified for this attribute,
dval is equal to NULL. The if-clause on line [3] fails causing line [4]
to be executed. At this point due to the fact that there is no
Acct-Session-Id attribute, sid_par is equal to NULL. This thereby makes
the reference illegal and causes the application to crash.
The following sample output demonstrates the crash of radiusd upon
receipt of the specially crafted packet:
[root@vmlinux radiusd]# gdb radiusd `pidof radiusd`
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
...
[removed for sake of brevity]
...
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
rad_print_request (req=0x8085790, outbuf=0xbffff510 "húÿ¿",
size=1031) at logger.c:102
102 snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
III. ANALYSIS
Successful exploitation allows unauthenticated remote attackers to cause
the radius daemon (radiusd) to crash. This thereby prevents legitimate
users from accessing systems reliant upon the affected radius server for
authentication.
iDEFENSE has proof of concept exploit code demonstrating the impact of
this vulnerability.
IV. DETECTION
iDEFENSE has confirmed the existence of this vulnerability in GNU Radius
version 1.1.
V. RECOVERY
The Radius daemon (radiusd) must be restarted in order to resume normal
operation.
VI. VENDOR FIX
The latest version of GNU Radius, version 1.2, removes the vulnerable
function.
VII. VENDOR RESPONSE
Sergey Poznyakoff from the GNU Radius Project confirmed that the
vulnerability has been fixed in GNU Radius version 1.2.
VIII. CVE INFORMATION
TBD
IX. DISCLOSURE TIMELINE
December 8, 2003 Exploit acquired by iDEFENSE
January 29, 2003 Initial notification sent
January 29, 2003 iDEFENSE clients notified
February 2, 2004 iDEFENSE Advisory posted to bug-gnu-radius@xxxxxxx
February 2, 2004 Response received from Sergey Poznyakoff
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBQCFMvfrkky7kqW5PEQJV1wCdF+iVKmRmhZyZ3dN2VFpyrk/IRtwAoI2g
T2Y1qgGc8cp0YIHEPIAY5VTd
=NtIA
-----END PGP SIGNATURE-----