BugTraq
FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution Jan 02 2007 12:10PM
sapheal hack pl (1 replies)
Re: FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution Jan 03 2007 12:34PM
3APA3A (3APA3A SECURITY NNOV RU)
Dear sapheal (at) hack (dot) pl,

Please correct me if I am wrong, but as far as I can see, the 'server'
parameter is taken from the module configuration.

    static CONF_PARSER module_config[] = {
        { "server", PW_TYPE_STRING_PTR, offsetof(rlm_smb_t,server), NULL, NULL},
        { "backup", PW_TYPE_STRING_PTR, offsetof(rlm_smb_t,backup), NULL, NULL},
        { "domain", PW_TYPE_STRING_PTR, offsetof(rlm_smb_t,domain), NULL, NULL},

        { NULL, -1, 0, NULL, NULL } /* end the list */
    };

    ...

    rcode = Valid_User(request->username->strvalue,
                       request->password->strvalue,
                       data->server, data->backup, data->domain);

That is, in order to "exploit" this vulnerability you must control
the FreeRADIUS configuration file. If you can control the configuration
file, you can execute code in multiple ways, e.g. by specifying an
application to be executed on every request. That is, there is no
security impact here.

--Tuesday, January 2, 2007, 3:10:50 PM, you wrote to bugtraq (at) securityfocus (dot) com:

shp> Synopsis:
shp> FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution

shp> Product: FreeRadius
shp> Version: <=1.1.3

shp> Issue:
shp> ======

shp> A critical security vulnerability has been found in FreeRadius 1.1.3.
shp> Arbitrary code execution is possible due to improper bounds-checking.

shp> Details:
shp> ========
shp> Function of the prototype:

shp> SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle,
shp> char *server, char *NTdomain)

shp> when initializing (con->desthost) where con is SMB_Handle_Type class
shp> object does not check for bounds.

shp> Affected Versions
shp> =================

shp> FreeRadius <=1.1.3

shp> Kind regards,

shp> Michal Bucko (sapheal)
shp> hack.pl

--
~/ZARAZA
While you are in the power of Providence, you will not manage to die before your time. (Twain)
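
The bounds check that the original report says is missing, shown next to the unchecked pattern. This is an added example, not FreeRADIUS code and not code from either poster: `struct smb_con`, `DESTHOST_MAX` (an assumed 80-byte size), and all function names are hypothetical. It rejects an overlong `server` value when the handle is set up, which is worth doing even though the value comes from the configuration file.

```c
#include <stdio.h>
#include <string.h>

#define DESTHOST_MAX 80   /* assumed size; the thread does not give the real one */

struct smb_con {          /* hypothetical stand-in for the SMB connection handle */
    char desthost[DESTHOST_MAX];
};

/* The pattern the report describes: the copy trusts the caller's length. */
void set_desthost_unchecked(struct smb_con *con, const char *server)
{
    strcpy(con->desthost, server);   /* overruns when server needs > DESTHOST_MAX bytes */
}

/* Bounded form: reject NULL, empty or overlong names; never truncate silently,
 * because a truncated host name could resolve to a different server. */
int set_desthost_checked(struct smb_con *con, const char *server)
{
    const char *nul;
    size_t len;

    if (con == NULL || server == NULL)
        return -1;
    nul = memchr(server, '\0', DESTHOST_MAX);  /* stops at the first NUL */
    if (nul == NULL)                           /* no terminator within the buffer size */
        return -1;
    len = (size_t)(nul - server);
    if (len == 0)
        return -1;
    memcpy(con->desthost, server, len + 1);    /* +1 copies the terminating NUL */
    return 0;
}

/* Build a constructed name of n 'a' bytes; return 1 if the checked setter accepts it. */
int accepts_length(size_t n)
{
    struct smb_con con;
    char name[4 * DESTHOST_MAX];

    if (n >= sizeof name)
        n = sizeof name - 1;
    memset(name, 'a', n);
    name[n] = '\0';
    return set_desthost_checked(&con, name) == 0;
}

int main(void)
{
    printf("79 bytes accepted: %d\n", accepts_length(DESTHOST_MAX - 1));
    printf("80 bytes accepted: %d\n", accepts_length(DESTHOST_MAX));
    return 0;
}
```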
