Apache mod_auth_radius remote integer overflow
LSS Security Advisory #LSS-2005-01-02
http://security.lss.hr
---
Title : Apache mod_auth_radius remote integer overflow
Advisory ID : LSS-2005-01-02
Date : 2005-01-10
Advisory URL: :
http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02
Impact : Denial of service attack
Risk level : Low
Vulnerability type : Remote
Vendors contacted : 10.12.2004
---
===[ Overview
Mod_auth_radius is RADIUS authentication module for Apache. It allows
any Apache web-server to become a RADIUS client for authentication,
authorization and accounting requests. You will, however, need to supply
your own RADIUS server to perform the actual authentication.
Mod_auth_radius can be downloaded from
http://www.freeradius.org/mod_auth_radius/.
===[ Vulnerability
When mod_auth_radius authenticate user against remote RADIUS server,
it will send RADIUS packet with RADIUS_ACCESS_REQUEST code. Server
can responde with RADIUS packet with RADIUS_ACCESS_CHALLENGE code.
When mod_auth_radius gets RADIUS_ACCESS_CHALLENGE, with attribute
code set to RADIUS_STATE, and another attribute code in same packet set
to RADIUS_REPLY_MESSAGE, RADIUS server reply will be copied in local
buffer with function radcpy(). Size of the data that will be copied in
local buffer is taken from 'length' value of packet attribute received
from RADIUS server.
mod_auth_radius.c:
...
#define radcpy(STRING, ATTR) {memcpy(STRING, ATTR->data, ATTR->length - 2);\
(STRING)[ATTR->length - 2] = 0;}
...
Before the data is copied with memcpy() RADIUS attribute length is
subtracted by two. If attribute length is 1, after subtract it will be -1,
and memcpy will lead to segfault.
If an attacker can sniff RADIUS request packets (that is vulnerability by
itself), he can spoof RADIUS server replies with attribute length 1 that
will segfault mod_auth_radius.
===[ Affected versions
All mod_auth_radius versions. Tested on 1.5.4 (1.5.7).
===[ Fix
Not available yet.
===[ PoC Exploit
Proof of concept code can be downloaded at http://security.lss.hr/en/PoC
===[ Credits
Credits for this vulnerability goes to Leon Juranic.
===[ LSS Security Contact
LSS Security Team, <eXposed by LSS>
WWW : http://security.lss.hr
E-mail : security@xxxxxx
Tel : +385 1 6129 775