SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Join our Affiliate Program
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Security)  >  FreeRADIUS Vendors:  FreeRADIUS Server Project
FreeRADIUS Buffer Overflow in Processing CHAP Challenges Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007325
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 29 2003
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 0.9.0
Description:  A buffer overflow vulnerability was reported in FreeRADIUS in the processing of Challenge Handshake Authentication Protocol (CHAP) challenge strings. A remote user can execute arbitrary code on the target RADIUS server.

A vulnerability was reported in the 'radius.c' file in the rad_chap_encode() function that is used to encode a CHAP password. A combination of a user password and a CHAP challenge may overflow a buffer of length MAX_STRING_LEN. A remote user can supply a specially crafted CHAP challenge to execute arbitrary code on the system.

Masao NISHIKU is credited with discovery.
Impact:  A remote user can execute arbitrary code with the privileges of the RADIUS server.
Solution:  The vendor has released a fixed version (0.9.0), available at:

ftp://ftp.freeradius.org/pub/radius/freeradius.tar.gz
Vendor URL:  www.freeradius.org/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents
Date:  Tue, 29 Jul 2003 00:40:39 -0400
Subject:  FreeRADIUS

 

http://www.freeradius.org/radiusd/doc/ChangeLog

 > FreeRADIUS 0.9 ; $Date: 2003/07/04 21:01:29 $, urgency=low

 > 	* Fix CHAP related buffer overflow (ouch!), thanks to Masao NISHIKU.


The affected file appears to be 'radiusd/src/lib/radius.c', according to analysis of the 
CVS log entries:

 > Log entries

 >    * Description: rad_chap_encode buffer overflow fix courtesy of Masao NISHIKU
 >          o File: radiusd/src/lib/radius.c Revision: 1.99; Date: 2003/06/18 07:47:43;
 >            Author: fcusack; Lines: (+3 -3)


The flaw appears to reside in the rad_chap_encode() function that is used to encode a CHAP 
password.  A combination of a user password and a CHAP challenge may overflow a buffer of 
length MAX_STRING_LEN.

Conectiva reported that a remote user can execute arbitrary code on the system.


The fixed version (0.9) is available at:

ftp://ftp.freeradius.org/pub/radius/freeradius.tar.gz


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC