ESB-2004.0096 -- iDEFENSE Security Advisory 02.04.04 -- GNU Radius Remote Denial of Service Vulnerability

Date: 05 February 2004

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2004.0096 -- iDEFENSE Security Advisory 02.04.04
             GNU Radius Remote Denial of Service Vulnerability
                             05 February 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                GNU Radius
Publisher:              iDEFENSE
Operating System:       Linux
                        UNIX
Impact:                 Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 02.04.04

GNU Radius Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=71
February 4, 2004

I. BACKGROUND

Radius is a server for remote user authentication and accounting. More
information about Radius is available at:

    http://www.gnu.org/software/radius/radius.html.

II. DESCRIPTION

Remote exploitation of a denial of service condition within GNU Radius
can allow an attacker to crash the service. The problem specifically
exists within the rad_print_request() routine defined in lib/logger.c.
A snippet of this is shown here:

    ...
    [0] stat_pair = avl_find(req->request, DA_ACCT_STATUS_TYPE);
        if (stat_pair) {
    [1]     VALUE_PAIR *sid_pair = avl_find(req->request,
                            DA_ACCT_SESSION_ID);
    [2]     DICT_VALUE *dval = value_lookup(stat_pair->avp_lvalue,
                            "Acct-Status-Type");
            char nbuf[64], *stat;
    
    [3]     if (dval)
               stat = dval->name;
            else {
               /* sid_pair is dereferenced here without a NULL check */
    [4]        snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
               stat = nbuf;
    ...

The denial of service condition is triggered by a single UDP packet that
carries an Acct-Status-Type attribute. On line [0] within
rad_print_request() the Acct-Status-Type attribute is looked up. On line
[1] the Acct-Session-Id attribute is looked up; if the packet does not
carry one, sid_pair is NULL. On line [2] dval is set to the dictionary
entry for the Acct-Status-Type value; when the packet carries a value
that has no name in the dictionary, value_lookup() returns NULL. The
if-clause on line [3] therefore fails and line [4] is executed, which
dereferences sid_pair. Because no Acct-Session-Id attribute was present,
sid_pair is NULL, the dereference is illegal and the application crashes
with SIGSEGV.

The following sample output demonstrates the crash of radiusd upon
receipt of the specially crafted packet:

    [root@vmlinux radiusd]# gdb radiusd `pidof radiusd`
    GNU gdb Red Hat Linux (5.1.90CVS-5)
    Copyright 2002 Free Software Foundation, Inc.
    ...
    [removed for sake of brevity]
    ...
    (gdb) c
    Continuing.
    
    Program received signal SIGSEGV, Segmentation fault.
    rad_print_request (req=0x8085790, outbuf=0xbffff510 "húÿ¿",
                       size=1031) at logger.c:102
    102 snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
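As an added illustration, not part of the iDEFENSE advisory and not GNU
Radius code, the following C program parses the attribute section of a
RADIUS Accounting-Request the way a server does, flags the request shape
described above (an Acct-Status-Type value with no dictionary name and no
Acct-Session-Id in the same packet), and shows the formatting logic with
the NULL check that the 1.1 code lacks. The VALUE_PAIR layout, avl_find()
and the dictionary lookup are simplified stand-ins for the GNU Radius
internals, the status names are the RFC 2866 ones, the trigger packet is
constructed for the example (zero Request Authenticator), and printing the
status value itself in the fallback is an assumption about what the
original snippet intended.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DA_ACCT_STATUS_TYPE 40
#define DA_ACCT_SESSION_ID  44
#define RADIUS_HDR_LEN      20   /* code, id, length, 16-byte authenticator */

/* Simplified stand-in for GNU Radius' VALUE_PAIR (assumed layout, not the real one). */
typedef struct value_pair {
    int attribute;
    uint32_t avp_lvalue;          /* integer attributes, host byte order */
    char avp_strvalue[254];       /* string attributes, NUL-terminated */
    struct value_pair *next;
} VALUE_PAIR;

/* Stand-in for avl_find(): first pair carrying attribute `a`, or NULL. */
VALUE_PAIR *avl_find(VALUE_PAIR *l, int a) { for (; l && l->attribute != a; l = l->next) ; return l; }

void avl_free(VALUE_PAIR *l) { while (l) { VALUE_PAIR *n = l->next; free(l); l = n; } }

/* Stand-in for value_lookup(v, "Acct-Status-Type") using the RFC 2866 names.
 * NULL for a value with no dictionary name is what line [3] falls through on. */
const char *acct_status_name(uint32_t v)
{
    static const char *names[] = { NULL, "Start", "Stop", "Interim-Update",
                                   NULL, NULL, NULL, "Accounting-On", "Accounting-Off" };
    return v < sizeof names / sizeof names[0] ? names[v] : NULL;
}

/* Parse the attribute TLVs of an Accounting-Request (code 4): RFC 2865 Type, Length
 * (covers both header bytes), Value. 0 on success; -1 and *out == NULL if malformed. */
int rad_parse_accounting(const uint8_t *pkt, size_t len, VALUE_PAIR **out)
{
    VALUE_PAIR *head = NULL, **tail = &head, *vp;
    size_t declared, off = RADIUS_HDR_LEN;
    *out = NULL;
    if (len < RADIUS_HDR_LEN || pkt[0] != 4) return -1;
    declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > len) return -1;
    while (off < declared) {
        uint8_t type = pkt[off], alen = declared - off < 2 ? 0 : pkt[off + 1];
        if (alen < 2 || off + alen > declared) goto bad;          /* truncated attribute */
        if (type == DA_ACCT_STATUS_TYPE && alen != 6) goto bad;  /* integer = 4 bytes */
        if (!(vp = calloc(1, sizeof *vp))) goto bad;
        vp->attribute = type;
        if (type == DA_ACCT_STATUS_TYPE)
            vp->avp_lvalue = ((uint32_t)pkt[off + 2] << 24) | ((uint32_t)pkt[off + 3] << 16)
                           | ((uint32_t)pkt[off + 4] << 8) | pkt[off + 5];
        else
            memcpy(vp->avp_strvalue, pkt + off + 2, alen - 2);
        *tail = vp; tail = &vp->next; off += alen;
    }
    *out = head;
    return 0;
bad:
    avl_free(head);
    return -1;
}

/* The request shape the advisory describes: an Acct-Status-Type value with no
 * dictionary name and no Acct-Session-Id alongside it. */
int triggers_radius11_crash(VALUE_PAIR *req)
{
    VALUE_PAIR *stat_pair = avl_find(req, DA_ACCT_STATUS_TYPE);
    return stat_pair != NULL && acct_status_name(stat_pair->avp_lvalue) == NULL
        && avl_find(req, DA_ACCT_SESSION_ID) == NULL;
}

/* Hardened form of the advisory's snippet: sid_pair is checked before use, and
 * the fallback prints the status value itself (assumed intent of the original). */
int rad_format_acct(VALUE_PAIR *req, char *outbuf, size_t size)
{
    VALUE_PAIR *stat_pair = avl_find(req, DA_ACCT_STATUS_TYPE);
    VALUE_PAIR *sid_pair = avl_find(req, DA_ACCT_SESSION_ID);
    const char *stat; char nbuf[64];
    if (!stat_pair) return snprintf(outbuf, size, "(no Acct-Status-Type)");
    if (!(stat = acct_status_name(stat_pair->avp_lvalue))) {
        snprintf(nbuf, sizeof nbuf, "%lu", (unsigned long)stat_pair->avp_lvalue);
        stat = nbuf;
    }
    return snprintf(outbuf, size, "Acct-Status-Type=%s Acct-Session-Id=%s",
                    stat, sid_pair ? sid_pair->avp_strvalue : "(none)");
}

/* Constructed trigger packet (zero Request Authenticator, not captured traffic):
 * Accounting-Request, length 26, Acct-Status-Type = 99, no Acct-Session-Id. */
const uint8_t crash_pkt[] = { 4, 1, 0, 26, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
                              40, 6, 0, 0, 0, 99 };

int main(void)
{
    VALUE_PAIR *req; char line[128];
    if (rad_parse_accounting(crash_pkt, sizeof crash_pkt, &req) != 0) return 1;
    rad_format_acct(req, line, sizeof line);
    printf("%s  (would crash 1.1: %s)\n", line, triggers_radius11_crash(req) ? "yes" : "no");
    avl_free(req);
    return 0;
}
```

The parser rejects a declared length that exceeds the datagram and any
attribute whose Length field runs past it, so a truncated packet fails
closed instead of being walked past the buffer; the formatting routine is
the same shape as the 1.1 code with the missing NULL test added.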

III. ANALYSIS

Successful exploitation allows unauthenticated remote attackers to cause
the radius daemon (radiusd) to crash, which prevents legitimate users
from authenticating to systems that rely on the affected radius server.

iDEFENSE has proof of concept exploit code demonstrating the impact of
this vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in GNU Radius
version 1.1.

V. RECOVERY

The Radius daemon (radiusd) must be restarted in order to resume normal
operation.

VI. VENDOR FIX

The latest version of GNU Radius, version 1.2, removes the vulnerable
function.

VII. VENDOR RESPONSE

Sergey Poznyakoff from the GNU Radius Project confirmed that the
vulnerability has been fixed in GNU Radius version 1.2.

VIII. CVE INFORMATION

TBD

IX. DISCLOSURE TIMELINE

December 8, 2003    Exploit acquired by iDEFENSE
January 29, 2004    Initial notification sent
January 29, 2004    iDEFENSE clients notified
February 2, 2004    iDEFENSE Advisory posted to bug-gnu-radius@gnu.org
February 2, 2004    Response received from Sergey Poznyakoff

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCFMvfrkky7kqW5PEQJV1wCdF+iVKmRmhZyZ3dN2VFpyrk/IRtwAoI2g
T2Y1qgGc8cp0YIHEPIAY5VTd
=NtIA
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQCHmNih9+71yA2DNAQHcNgP/bgRpdwoh01N0EkpjmVgJA39VOct4dREn
bUi2DfPjH1Td9T03LKkq0fJzM4e8VFqyJESrDJ1UB66Qbz8ebA7fYAVshrNwh3hy
/HKAvvp7cs/7GBEiCp4MkBXZbPX0h8nJ0tNjzoVs+o+8WuQItTTVEbdJHPqpjjEI
L6xD/RBVjns=
=0lgV
-----END PGP SIGNATURE-----