
UNIRAS Brief - 49/04 - GNU - GNU Radius Remote Denial of Service Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 49/04 dated 05.02.04  Time: 11:29
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
iDEFENSE Security Advisory 02.04.04
GNU Radius Remote Denial of Service Vulnerability

Detail
======
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 02.04.04

GNU Radius Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=71
February 4, 2004

I. BACKGROUND

GNU Radius is a server implementing the RADIUS protocol for remote user
authentication and accounting. More information about GNU Radius is
available at:

    http://www.gnu.org/software/radius/radius.html.

II. DESCRIPTION

Remote exploitation of a denial of service condition within GNU Radius
can allow an attacker to crash the service. The problem specifically
exists within the rad_print_request() routine defined in lib/logger.c.
A snippet of this is shown here:

    ...
    [0] stat_pair = avl_find(req->request, DA_ACCT_STATUS_TYPE);
        if (stat_pair) {
    [1]     VALUE_PAIR *sid_pair = avl_find(req->request,
                            DA_ACCT_SESSION_ID);
    [2]     DICT_VALUE *dval = value_lookup(stat_pair->avp_lvalue,
                            "Acct-Status-Type");
            char nbuf[64], *stat;

    [3]     if (dval)
               stat = dval->name;
            else {
    [4]        snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
               stat = nbuf;
    ...

The denial of service condition is triggered upon the receipt of a
single UDP packet that contains an Acct-Status-Type attribute but no
Acct-Session-Id attribute. On line [0] within rad_print_request() the
Acct-Status-Type attribute is looked up. On line [1] the Acct-Session-Id
attribute is looked up; because the packet carries none, sid_pair is
NULL. On line [2] value_lookup() is asked for the dictionary name of the
Acct-Status-Type value; when the packet carries a value that has no name
in the dictionary, dval is NULL. The if-clause on line [3] therefore
fails and line [4] is executed, which dereferences sid_pair in order to
format its value. Since sid_pair is NULL, this is a NULL pointer
dereference and the application crashes.
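As an added illustration (this is example code written for this briefing, not code from the iDEFENSE advisory or from GNU Radius), the following C program parses a constructed RADIUS Accounting-Request, models the avl_find() and value_lookup() calls from the snippet above with small stand-ins, and applies the check that the else-branch on line [4] lacks: sid_pair is tested before it is dereferenced. The attribute numbers (Acct-Status-Type = 40, Acct-Session-Id = 44) and the status names come from RFC 2866; the names AVP, parse_avps, find_avp, status_name, describe_status and the two sample packets are this example's own and are not GNU Radius identifiers. describe_status() returns 1 when a request has exactly the shape that crashes GNU Radius 1.1 (an unnamed Acct-Status-Type value and no Acct-Session-Id), so the same routine doubles as a check for the triggering packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RADIUS attribute numbers from RFC 2865/2866. */
#define DA_ACCT_STATUS_TYPE 40
#define DA_ACCT_SESSION_ID  44
#define MAX_AVPS 32

/* Stand-in for GNU Radius' VALUE_PAIR: one parsed attribute (hypothetical type). */
typedef struct {
    int attr;
    uint32_t lvalue;        /* integer-typed attributes */
    char strvalue[254];     /* string-typed attributes, NUL-terminated */
} AVP;

/* Parse the attribute TLVs that follow the 20-byte RADIUS header.
   Returns the number of attributes, or -1 if the packet is malformed. */
static int parse_avps(const uint8_t *pkt, size_t len, AVP *out, int max)
{
    if (len < 20) return -1;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];
    if (plen < 20 || plen > len) return -1;            /* Length field must fit the datagram */
    size_t pos = 20;
    int n = 0;
    while (pos < plen) {
        if (plen - pos < 2) return -1;
        uint8_t type = pkt[pos], alen = pkt[pos + 1];
        if (alen < 2 || pos + alen > plen) return -1;  /* TLV length must stay in bounds */
        if (n == max) return -1;
        AVP *a = &out[n++];
        memset(a, 0, sizeof *a);
        a->attr = type;
        if (type == DA_ACCT_STATUS_TYPE) {
            if (alen != 6) return -1;                  /* integer attribute: exactly 4 value bytes */
            a->lvalue = ((uint32_t)pkt[pos + 2] << 24) | ((uint32_t)pkt[pos + 3] << 16)
                      | ((uint32_t)pkt[pos + 4] << 8)  |  (uint32_t)pkt[pos + 5];
        } else {
            memcpy(a->strvalue, pkt + pos + 2, alen - 2);
        }
        pos += alen;
    }
    return n;
}

/* Analog of avl_find(): first attribute with this number, or NULL. */
static AVP *find_avp(AVP *list, int n, int attr)
{
    for (int i = 0; i < n; i++)
        if (list[i].attr == attr) return &list[i];
    return NULL;
}

/* Analog of value_lookup() for Acct-Status-Type; names from RFC 2866. */
static const char *status_name(uint32_t v)
{
    switch (v) {
    case 1: return "Start";
    case 2: return "Stop";
    case 3: return "Interim-Update";
    case 7: return "Accounting-On";
    case 8: return "Accounting-Off";
    default: return NULL;                  /* unknown value: the "dval == NULL" case */
    }
}

/* Hardened version of the rad_print_request() logic. Returns 0 for a
   request it can describe, 1 when the request has the shape that crashes
   GNU Radius 1.1, and -1 when the packet is malformed. */
static int describe_status(const uint8_t *pkt, size_t len, char *buf, size_t size)
{
    AVP avps[MAX_AVPS];
    int n = parse_avps(pkt, len, avps, MAX_AVPS);
    if (n < 0) return -1;
    AVP *stat_pair = find_avp(avps, n, DA_ACCT_STATUS_TYPE);
    if (!stat_pair) { snprintf(buf, size, "no Acct-Status-Type"); return 0; }
    const char *name = status_name(stat_pair->lvalue);
    if (name) { snprintf(buf, size, "%s", name); return 0; }
    AVP *sid_pair = find_avp(avps, n, DA_ACCT_SESSION_ID);
    if (!sid_pair) {
        /* The original snippet dereferences sid_pair here with no such check. */
        snprintf(buf, size, "unknown status %lu, no Acct-Session-Id",
                 (unsigned long)stat_pair->lvalue);
        return 1;
    }
    snprintf(buf, size, "unknown status %lu, session %s",
             (unsigned long)stat_pair->lvalue, sid_pair->strvalue);
    return 0;
}

/* Constructed sample packets, not captured traffic: Accounting-Request
   (code 4), identifier, length, 16-byte authenticator of zeros, then AVPs. */
static const uint8_t TRIGGER_PKT[] = {
    0x04, 0x01, 0x00, 0x1a, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    40, 6, 0x00, 0x00, 0x00, 0xff          /* Acct-Status-Type = 255, no session id */
};
static const uint8_t BENIGN_PKT[] = {
    0x04, 0x02, 0x00, 0x22, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    40, 6, 0x00, 0x00, 0x00, 0xff,         /* Acct-Status-Type = 255 */
    44, 8, 'a','b','c','1','2','3'         /* Acct-Session-Id = "abc123" */
};

int main(void)
{
    char buf[128];
    int rc = describe_status(TRIGGER_PKT, sizeof TRIGGER_PKT, buf, sizeof buf);
    printf("trigger: rc=%d %s\n", rc, buf);
    rc = describe_status(BENIGN_PKT, sizeof BENIGN_PKT, buf, sizeof buf);
    printf("benign:  rc=%d %s\n", rc, buf);
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c` and run; the first packet reports rc=1, the second rc=0. The parser also rejects a TLV whose length byte runs past the datagram, which is the other class of malformed input a RADIUS attribute walker has to survive.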

The following sample output demonstrates the crash of radiusd upon
receipt of the specially crafted packet:

    [root@vmlinux radiusd]# gdb radiusd `pidof radiusd`
    GNU gdb Red Hat Linux (5.1.90CVS-5)
    Copyright 2002 Free Software Foundation, Inc.
    ...
    [removed for sake of brevity]
    ...
    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    rad_print_request (req=0x8085790, outbuf=0xbffff510 "húÿ¿",
                       size=1031) at logger.c:102
    102 snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);

III. ANALYSIS

Successful exploitation allows unauthenticated remote attackers to cause
the radius daemon (radiusd) to crash. This thereby prevents legitimate
users from accessing systems reliant upon the affected radius server for
authentication.

iDEFENSE has proof of concept exploit code demonstrating the impact of
this vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in GNU Radius
version 1.1.

V. RECOVERY

The Radius daemon (radiusd) must be restarted in order to resume normal
operation.

VI. VENDOR FIX

The latest version of GNU Radius, version 1.2, removes the vulnerable
function.

VII. VENDOR RESPONSE

Sergey Poznyakoff from the GNU Radius Project confirmed that the
vulnerability has been fixed in GNU Radius version 1.2.

VIII. CVE INFORMATION

TBD

IX. DISCLOSURE TIMELINE

December 8, 2003    Exploit acquired by iDEFENSE
January 29, 2004    Initial notification sent
January 29, 2004    iDEFENSE clients notified
February 2, 2004    iDEFENSE Advisory posted to bug-gnu-radius@xxxxxxx
February 2, 2004    Response received from Sergey Poznyakoff

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCFMvfrkky7kqW5PEQJV1wCdF+iVKmRmhZyZ3dN2VFpyrk/IRtwAoI2g
T2Y1qgGc8cp0YIHEPIAY5VTd
=NtIA
- -----END PGP SIGNATURE-----


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of iDEFENSE for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors or omissions
contained within this briefing notice. In particular, they shall not be
liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQCIppIpao72zK539AQETxQP/aw9+DKRR0IV2YJSNmHYTDzxNeVwXHrxC
tc7PT9isHoCYkczMURHHGdpCezzdOC8iuM3dLaZJgR/1uPScCdqWCt52DeslaRz6
BGeA5QQEGUQ/KP7dkq2rjhxYYkqlWn/8CrfArkPAgSgugODY+tOITgHyqkVY87g3
m8/2el3Whns=
=EF0w
-----END PGP SIGNATURE-----