Apache mod_auth_radius remote integer overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Apache mod_auth_radius remote integer overflow
From: LSS Security <exposed@xxxxxx>
Date: Tue, 11 Jan 2005 12:45:50 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.6i

                        LSS Security Advisory #LSS-2005-01-02
                               http://security.lss.hr

---

Title                   :  Apache mod_auth_radius remote integer overflow
Advisory ID             :  LSS-2005-01-02
Date                    :  2005-01-10
Advisory URL:           :  
http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02
Impact                  :  Denial of service attack
Risk level              :  Low 
Vulnerability type      :  Remote
Vendors contacted       :  10.12.2004


---




===[ Overview 

Mod_auth_radius is RADIUS authentication module for Apache. It allows
any Apache web-server to become a RADIUS client for authentication, 
authorization and accounting requests. You will, however, need to supply 
your own RADIUS server to perform the actual authentication.
Mod_auth_radius can be downloaded from 
http://www.freeradius.org/mod_auth_radius/.



===[ Vulnerability

When mod_auth_radius authenticate user against remote RADIUS server,
it will send RADIUS packet with RADIUS_ACCESS_REQUEST code. Server
can responde with RADIUS packet with RADIUS_ACCESS_CHALLENGE code.
When mod_auth_radius gets RADIUS_ACCESS_CHALLENGE, with  attribute 
code set to RADIUS_STATE, and another attribute code in same packet set
to RADIUS_REPLY_MESSAGE, RADIUS server reply will be copied in local
buffer with function radcpy(). Size of the data that will be copied in
local buffer is taken from 'length' value of packet attribute received
from RADIUS server.

mod_auth_radius.c:
...
#define radcpy(STRING, ATTR) {memcpy(STRING, ATTR->data, ATTR->length - 2);\
                              (STRING)[ATTR->length - 2] = 0;}
...

Before the data is copied with memcpy() RADIUS attribute length is 
subtracted by two. If attribute length is 1, after subtract it will be -1,
and memcpy will lead to segfault. 
If an attacker can sniff RADIUS request packets (that is vulnerability by 
itself), he can spoof RADIUS server replies with attribute length 1 that 
will segfault mod_auth_radius.



===[ Affected versions

All mod_auth_radius versions. Tested on 1.5.4 (1.5.7). 



===[ Fix

Not available yet.



===[ PoC Exploit

Proof of concept code can be downloaded at http://security.lss.hr/en/PoC



===[ Credits

Credits for this vulnerability goes to Leon Juranic. 



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : http://security.lss.hr
 E-mail : security@xxxxxx
 Tel    : +385 1 6129 775

Prev by Date: Metasploit Framework v2.3
Next by Date: [ GLSA 200501-11 ] Dillo: Format string vulnerability
Previous by thread: Metasploit Framework v2.3
Next by thread: [ GLSA 200501-11 ] Dillo: Format string vulnerability
Index(es):
- Date
- Thread