Debian Bug report logs - #196063
Buffer overflow in Cistron RADIUSd in Debian/Stable


Package: radiusd-cistron; Maintainer for radiusd-cistron is (unknown);

Reported by: "David Luyer" <david_luyer@pacific.net.au>

Date: Wed, 4 Jun 2003 09:48:02 UTC

Severity: critical

Found in version 1.6.6-1

Fixed in version radiusd-cistron/1.6.6-2

Done: Norbert Veber <nveber@pyre.virge.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Norbert Veber <nveber@debian.org>:
Bug#196063; Package radiusd-cistron.


Acknowledgement sent to "David Luyer" <david_luyer@pacific.net.au>:
New Bug report received and forwarded. Copy sent to Norbert Veber <nveber@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: "David Luyer" <david_luyer@pacific.net.au>
To: <submit@bugs.debian.org>
Cc: <miquels@cistron.nl>
Subject: Buffer overflow in Cistron RADIUSd in Debian/Stable
Date: Wed, 4 Jun 2003 19:35:45 +1000
Package: radiusd-cistron
Version: 1.6.6-1
Severity: critical

THIS IS QUITE POSSIBLY A REMOTE ROOT LEVEL HOLE, see below.

Have just tracked down recent segfaults from a Cistron RADIUS daemon to
NAS-Port numbers above 2^31.

In acct.c:

static void make_wtmp(struct radutmp *ut, struct utmp *wt, int status)
{
        char            buf[32];
[...]
#if UT_LINESIZE > 9
        sprintf(buf, "%03d:%.20s", ut->nas_port, s);
#else
        sprintf(buf, "%02d%.20s", ut->nas_port, s);
#endif

On Linux, UT_LINESIZE > 9.

If ut->nas_port > 2^31, the %03d can expand to a negative number, 
thus 11 characters.  And a colon.  And 20 characters.  And a NULL.
33 characters.

This is not 'just' a single byte overflow, it has side-effects that
end up scribbling other strings from previous packets through other
bits of memory (assuming that it is the only bug related to the
recently observed crashes, the observed crashes include parts of
another string being written across another structure in memory).

Vulnerability: If an attacker can obtain or guess a RADIUS key (for
example, from a shell server authenticating via RADIUS without securing
the pam_radius_auth.conf file), they would quite probably be able to
obtain root privileges on the RADIUS server through a careful sequence
of RADIUS accounting records.

Fix: sprintf(buf, "%03u... to avoid negative signs and conform to the
32 byte buffer.

Further comment: Don't run RADIUS as root if you have no good reason to!

David.
--
David Luyer                                     Phone:   +61 3 9674 7525
Network Development Manager    P A C I F I C    Fax:     +61 3 9698 4825
Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4 1111 BYTE
http://www.pacific.net.au/                      NASDAQ:  PCNTF
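The 32-byte arithmetic in the report above, worked through as an added example (this is not code from the Cistron source, from the reporter, or from the Debian package): it measures, without writing anything, how many bytes the original "%03d:%.20s" format and the proposed "%03u:%.20s" fix each need for a 32-bit NAS-Port, and shows a bounded snprintf() replacement that reports truncation instead of overrunning the buffer. The buffer size and format strings are taken from the report; the function names, the sample line string and the NAS-Port values are my own constructed assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Buffer size from make_wtmp() in acct.c: char buf[32]. */
#define WTMP_BUF_SIZE 32

/* Bytes, including the terminating NUL, that the original
 * sprintf(buf, "%03d:%.20s", ...) would write for this port value.
 * snprintf() with a NULL buffer and size 0 only measures; it writes nothing. */
size_t bytes_needed_signed(int nas_port, const char *s)
{
    return (size_t)snprintf(NULL, 0, "%03d:%.20s", nas_port, s) + 1;
}

/* Same measurement for the proposed fix, "%03u:%.20s", with the port
 * treated as unsigned so no sign character is ever produced. */
size_t bytes_needed_unsigned(unsigned int nas_port, const char *s)
{
    return (size_t)snprintf(NULL, 0, "%03u:%.20s", nas_port, s) + 1;
}

/* Bounded replacement (hypothetical name): writes at most bufsz bytes,
 * always NUL-terminates, and returns 1 if the whole line fit or 0 if
 * snprintf() had to truncate it. */
int format_wtmp_line(char *buf, size_t bufsz, unsigned int nas_port,
                     const char *s)
{
    int n = snprintf(buf, bufsz, "%03u:%.20s", nas_port, s);
    return n >= 0 && (size_t)n < bufsz;
}

int main(void)
{
    /* Constructed sample: 21 characters, so %.20s keeps exactly 20. */
    const char *line = "ppp0.provider.example";
    char buf[WTMP_BUF_SIZE];

    /* A NAS-Port of 2^31 stored in an int is INT_MIN: "-2147483648" is
     * 11 characters, plus ':' plus 20 characters plus NUL = 33 > 32. */
    printf("%%03d with INT_MIN needs %zu bytes\n",
           bytes_needed_signed(INT_MIN, line));

    /* Worst case after the fix: UINT_MAX is 10 digits, so 10+1+20+1 = 32. */
    printf("%%03u with UINT_MAX needs %zu bytes\n",
           bytes_needed_unsigned(UINT_MAX, line));

    /* The bounded version never overruns; it only reports whether it fit. */
    if (format_wtmp_line(buf, sizeof buf, 2147483648u, line))
        printf("fits: \"%s\"\n", buf);
    return 0;
}
```

The measuring functions are the check a reviewer can run against any format string and buffer: if the worst-case value of every conversion, summed with the literal characters and the NUL, exceeds the buffer, the sprintf() call is a defect regardless of whether anyone has demonstrated it yet. Here the signed case needs 33 bytes for a 32-byte buffer; the unsigned case tops out at exactly 32.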




Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Veber <nveber@debian.org>:
Bug#196063; Package radiusd-cistron.


Acknowledgement sent to Miquel van Smoorenburg <miquels@cistron-office.nl>:
Extra info received and forwarded to list. Copy sent to Norbert Veber <nveber@debian.org>.


Message #10 received at 196063@bugs.debian.org:

From: Miquel van Smoorenburg <miquels@cistron-office.nl>
To: David Luyer <david_luyer@pacific.net.au>
Cc: 196063@bugs.debian.org
Subject: Re: Buffer overflow in Cistron RADIUSd in Debian/Stable
Date: Wed, 4 Jun 2003 17:18:24 +0200
On 2003.06.04 11:35, David Luyer wrote:
> Package: radiusd-cistron
> Version: 1.6.6-1
> Severity: critical
> 
> THIS IS QUITE POSSIBLY A REMOTE ROOT LEVEL HOLE, see below.
> 
> Have just tracked down recent segfaults from a Cistron RADIUS daemon to
> NAS-Port numbers above 2^31.

That's not good.

> In acct.c:
> 
> static void make_wtmp(struct radutmp *ut, struct utmp *wt, int status)
> {
>         char            buf[32];
> [...]
> #if UT_LINESIZE > 9
>         sprintf(buf, "%03d:%.20s", ut->nas_port, s);
> #else
>         sprintf(buf, "%02d%.20s", ut->nas_port, s);
> #endif
> 
> On Linux, UT_LINESIZE > 9.
> 
> If ut->nas_port > 2^31, the %03d can expand to a negative number, 
> thus 11 characters.  And a colon.  And 20 characters.  And a NULL.
> 33 characters.

Okay, so the worst thing that can happen is that the return address
on the stack gets overwritten by a single zero. The attacker cannot
influence the return address itself, and its influence on the
contents of buf[32] is also very limited.

The single zero is the last digit of the return address (on i386), so the
attacker would be able to choose a return address near the original one.


> This is not 'just' a single byte overflow, it has side-effects that
> end up scribbling other strings from previous packets through other
> bits of memory (assuming that it is the only bug related to the
> recently observed crashes, the observed crashes include parts of
> another string being written across another structure in memory).

Well yes, because you return to some random address. Anything can
happen then, but I'm not sure it would be easy to influence, because
it's all just about 1 single byte.

> Vulnerability: If an attacker can obtain or guess a RADIUS key (for
> example, from a shell server authenticating via RADIUS without securing
> the pam_radius_auth.conf file), they would quite probably be able to
> obtain root privileges on the RADIUS server through a careful sequence
> of RADIUS accounting records.

Perhaps, but it would be very, very hard.

> Fix: sprintf(buf, "%03u... to avoid negative signs and conform to the
> 32 byte buffer.

Yes, good idea.

> Further comment: Don't run RADIUS as root if you have no good reason to!

Certainly.

1.6.7 will be out in an hour or so.

Mike.



Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Veber <nveber@debian.org>:
Bug#196063; Package radiusd-cistron.


Acknowledgement sent to "David Luyer" <david_luyer@pacific.net.au>:
Extra info received and forwarded to list. Copy sent to Norbert Veber <nveber@debian.org>.


Message #15 received at 196063@bugs.debian.org:

From: "David Luyer" <david_luyer@pacific.net.au>
To: "'Miquel van Smoorenburg'" <miquels@cistron-office.nl>
Cc: <196063@bugs.debian.org>
Subject: RE: Buffer overflow in Cistron RADIUSd in Debian/Stable
Date: Thu, 5 Jun 2003 09:35:06 +1000
> > This is not 'just' a single byte overflow, it has side-effects that
> > end up scribbling other strings from previous packets through other
> > bits of memory (assuming that it is the only bug related to the
> > recently observed crashes, the observed crashes include parts of
> > another string being written across another structure in memory).
> 
> Well yes, because you return to some random address. Anything can
> happen then, but I'm not sure it would be easy to influence, because
> it's all just about 1 single byte.

Well, this resulted consistently in control returning to the calling
function with the status and NAS IP in the calling function,
rad_accounting_radxtmp, pointing to with "fic.net." which is part of
either a hostname or realm out of a previous packet [ie a substring
of pacific.net.au] or an unrelated part of the naslist, as the packet
being processed only contained references to aus-dsl.net as a realm
and was sourced from telstra.net.

If I put efence around it the data which overwrote status and the NAS
IP was not so predictable (and a segfault still resulted, efence didn't
catch anything).

The normal failure was basically:

Wed Jun  4 09:35:15 2003: Error: NAS 46.99.105.102 port 0 unknown packet
type 779380078)
[accounting process segfault]
Wed Jun  4 09:35:15 2003: Error: MASTER: accounting process died - exit.

That's what implies to me that by very carefully examining this
bug may be able to produce an exploit - single byte overflows have
been turned into root exploits before, but it's sometimes taken
years for an exploit to come out, and I hope nobody will try that
hard on this one.  It would be very hard, if possible, and there's a
number of prerequisites for it to work as well (although Debian's
default of a world readable /etc/pam_radius_auth.conf would make
it somewhat easier on systems where it isn't subsequently secured).

David.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#196063; Package radiusd-cistron.


Acknowledgement sent to Norbert Veber <nveber@debian.org>:
Extra info received and forwarded to list.


Message #20 received at 196063@bugs.debian.org:

From: Norbert Veber <nveber@debian.org>
To: David Luyer <david_luyer@pacific.net.au>, 196063@bugs.debian.org
Cc: 'Miquel van Smoorenburg' <miquels@cistron-office.nl>
Subject: Re: Bug#196063: Buffer overflow in Cistron RADIUSd in Debian/Stable
Date: Sun, 8 Jun 2003 23:49:58 -0400
Anyone care to send me a patch? :)

Thanks,

Norbert



Information forwarded to debian-bugs-dist@lists.debian.org, Norbert Veber <nveber@debian.org>:
Bug#196063; Package radiusd-cistron.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Norbert Veber <nveber@debian.org>.


Message #25 received at 196063@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 196063@bugs.debian.org
Subject: Patch
Date: Fri, 13 Jun 2003 22:13:48 -0400
This is the patch SuSE used in their advisory.

-- 
 - mdz
[nas-port.diff (text/plain, attachment)]

Reply sent to Norbert Veber <nveber@pyre.virge.net>:
You have taken responsibility.


Notification sent to "David Luyer" <david_luyer@pacific.net.au>:
Bug acknowledged by developer.


Message #30 received at 196063-close@bugs.debian.org:

From: Norbert Veber <nveber@pyre.virge.net>
To: 196063-close@bugs.debian.org
Subject: Bug#196063: fixed in radiusd-cistron 1.6.6-2
Date: Sat, 14 Jun 2003 17:47:08 -0400
We believe that the bug you reported is fixed in the latest version of
radiusd-cistron, which is due to be installed in the Debian FTP archive:

radiusd-cistron_1.6.6-2.diff.gz
  to pool/main/r/radiusd-cistron/radiusd-cistron_1.6.6-2.diff.gz
radiusd-cistron_1.6.6-2.dsc
  to pool/main/r/radiusd-cistron/radiusd-cistron_1.6.6-2.dsc
radiusd-cistron_1.6.6-2_i386.deb
  to pool/main/r/radiusd-cistron/radiusd-cistron_1.6.6-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 196063@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Veber <nveber@pyre.virge.net> (supplier of updated radiusd-cistron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 14 Jun 2003 17:30:45 -0400
Source: radiusd-cistron
Binary: radiusd-cistron
Architecture: source i386
Version: 1.6.6-2
Distribution: unstable
Urgency: high
Maintainer: Norbert Veber <nveber@debian.org>
Changed-By: Norbert Veber <nveber@pyre.virge.net>
Description: 
 radiusd-cistron - Radius server written by Cistron.
Closes: 190576 196063
Changes: 
 radiusd-cistron (1.6.6-2) unstable; urgency=high
 .
   * Security update (DSA-321-1).  Applied patch from SuSE.
     Closes: #196063
   * Increased MAX_REQUESTS in src/radius.h to 1000, allowing about 33
     requests per second.
     Closes: #190576
Files: 
 6082a7a88020b73a8aa27fb75db874c7 599 net extra radiusd-cistron_1.6.6-2.dsc
 1e3085804d1212d4a5c919a725533ebf 4350 net extra radiusd-cistron_1.6.6-2.diff.gz
 9dea052479090ee931bfc3ed86b0ad72 227110 net extra radiusd-cistron_1.6.6-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+65VYohfEw14utbQRAuxpAJ41jhRe0yYqJCGGNLChBU/rp4rkYACfTPNz
IabDdzRABrEYRpER6p3Uu/s=
=ZgO3
-----END PGP SIGNATURE-----




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 15:00:25 2025; Machine Name: buxtehude