(Debian Issues Fix) Cistron RADIUS Server Single Byte Overflow Lets Remote Authenticated Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1006985 |
|
SecurityTracker URL: http://securitytracker.com/id/1006985
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 14 2003
|
Impact:
Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.6.6
|
Description:
A buffer overflow vulnerability was reported in the Cistron RADIUS server. A remote authenticated user may be able to execute arbitrary code on the target system with the privileges of the RADIUS server (typically root on many systems).
David Luyer reported a vulnerability in Cistron RADIUS. A remote user can supply a NAS-port higher than 2^31 or a long NAS-hostname to trigger the overflow. The flaw reportedly resides in the 'acct.c' file. A sprintf() call in the make_wtmp() function may write the specified port number as a negative number, thereby overwriting a buffer by one byte.
A remote authenticated user (i.e., a remote user that can obtain or guess a valid RADIUS key) may be able to supply a specially crafted sequence of RADIUS account records to trigger the overflow and potentially execute arbitrary code. The code will run with the privileges of the RADIUS daemon.
The original bug report is available at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063
|
Impact:
A remote authenticated user may be able to execute arbitrary code with the privileges of the RADIUS process (which is typically root privileges).
|
Solution:
Debian has released a fix in version 1.6.6-1woody1 for the stable distribution (woody).
A fix for the old stable distribution (potato) and for the unstable distribution (sid) will be released later.
Debian GNU/Linux 3.0 alias woody:
Source archives:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1.dsc
Size/MD5 checksum: 611 b6a3c69ca08b1f6984147e64f7ddcaab
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1.diff.gz
Size/MD5 checksum: 4221 ad563e14d3f3da713973cd23e97dcef5
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6.orig.tar.gz
Size/MD5 checksum: 194154 16084870890fd2ec577dbe183b51a379
Alpha architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_alpha.deb
Size/MD5 checksum: 262652 b541753d08f0d124a9f48133eeac381e
ARM architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_arm.deb
Size/MD5 checksum: 235578 6277971c73bf52c22b5623f9131a8d9f
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_i386.deb
Size/MD5 checksum: 231960 9ca72ec922c0fd80e22d05a06176b265
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_ia64.deb
Size/MD5 checksum: 365566 ea7299686e6629039ecdf81abdebd5ee
HP Precision architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_hppa.deb
Size/MD5 checksum: 235502 886c9f6006c80dcf3c4c5305c76411b7
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_m68k.deb
Size/MD5 checksum: 225678 39c53545d15bb167550fd462a139fc35
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_mips.deb
Size/MD5 checksum: 246130 3d98988fb2128bc26735c1c5b7a41cde
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_mipsel.deb
Size/MD5 checksum: 245672 88e63e2d94973aa7e65176b81184ed80
PowerPC architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_powerpc.deb
Size/MD5 checksum: 229238 eb1d0a109bb66e3d39c902f561779afc
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_s390.deb
Size/MD5 checksum: 238530 396c1a07cc893b3d77a1ecfcbc0ee57a
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_sparc.deb
Size/MD5 checksum: 248882 0e39dd1a1310e1afedc4d39e2b8d2794
|
Vendor URL: www.radius.cistron.nl/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Debian)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Fri, 13 Jun 2003 22:17:08 -0400
Subject: [SECURITY] [DSA-321-1] New radiusd-cistron packages fix buffer overflow
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 321-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
June 13th, 2003 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : radiusd-cistron
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
radiusd-cistron contains a bug allowing a buffer overflow when a long
NAS-Port attribute is received. This could allow a remote attacker to
execute arbitrary code on the with the privileges of the RADIUS daemon
(usually root).
For the stable distribution (woody) this problem has been fixed in
version 1.6.6-1woody1.
For the old stable distribution (potato), this problem will be fixed
in a later advisory.
For the unstable distribution (sid) this problem will be fixed soon.
We recommend that you update your radiusd-cistron package.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1.dsc
Size/MD5 checksum: 611 b6a3c69ca08b1f6984147e64f7ddcaab
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1.diff.gz
Size/MD5 checksum: 4221 ad563e14d3f3da713973cd23e97dcef5
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6.orig.tar.gz
Size/MD5 checksum: 194154 16084870890fd2ec577dbe183b51a379
Alpha architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_alpha.deb
Size/MD5 checksum: 262652 b541753d08f0d124a9f48133eeac381e
ARM architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_arm.deb
Size/MD5 checksum: 235578 6277971c73bf52c22b5623f9131a8d9f
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_i386.deb
Size/MD5 checksum: 231960 9ca72ec922c0fd80e22d05a06176b265
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_ia64.deb
Size/MD5 checksum: 365566 ea7299686e6629039ecdf81abdebd5ee
HP Precision architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_hppa.deb
Size/MD5 checksum: 235502 886c9f6006c80dcf3c4c5305c76411b7
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_m68k.deb
Size/MD5 checksum: 225678 39c53545d15bb167550fd462a139fc35
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_mips.deb
Size/MD5 checksum: 246130 3d98988fb2128bc26735c1c5b7a41cde
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_mipsel.deb
Size/MD5 checksum: 245672 88e63e2d94973aa7e65176b81184ed80
PowerPC architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_powerpc.deb
Size/MD5 checksum: 229238 eb1d0a109bb66e3d39c902f561779afc
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_s390.deb
Size/MD5 checksum: 238530 396c1a07cc893b3d77a1ecfcbc0ee57a
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/r/radiusd-cistron/radiusd-cistron_1.6.6-1woody1_sparc.deb
Size/MD5 checksum: 248882 0e39dd1a1310e1afedc4d39e2b8d2794
These files will probably be moved into the stable distribution on its
next revision.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE+6oWLArxCt0PiXR4RAn+IAJ9EzuzL/Mk21glaid5B68QvADjRIwCfWH74
h0qXqCcub0l8BtGTP+gBEbU=
=xdyu
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
|
|
