Bugzilla – Full Text Bug Listing

| Summary: | AUDIT-0: {Free-,Livingston}RADIUS | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | CVE-2005-4744: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) | ||
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | audit-report.pdf, audit-report.pdf, audit-report.pdf, audit-report.pdf | ||

Description
Thomas Biege
2005-08-11 17:10:06 UTC
Marian,
I ran my radius-fuzzer against radiusd-livingston and the server crashes.

Mon Aug 22 14:00:56 2005: [13050] handle_proxy called for packet type 0 unexpectedly
Mon Aug 22 14:00:56 2005: [13050] exit on signal 100

> export CVS_RSH=ssh
> export CVSROOT=thomas@wotan.suse.de:/suse/thomas/Projekte/repository/
> cvs co radius-fuzzer
> less radius-fuzzer/INSTALL
...
> radius-fuzzer/src/radiusfuzzer --all --secret _rastesting_ --host 172.16.0.40

And then watch the radiusd die. :)

I'll inform the authors.

Created attachment 47273
audit-report.pdf
audit report so far.
I'll not inform the authors now. Instead we should wait until Sebastian
finishes his review.

exec.c: Michael J. Hartwick <hartwick@hartwick.com>
rlm_ldap.c: Kostas Kalveras <kkalev@noc.ntua.gr>
rlm_sql.c: Mike Machado <mike@innercite.com>, Alan DeKok <aland@ox.org>
xlat.c: Alan DeKok <aland@ox.org>
sql_unixodbc.c: Dmitri Ageev <d_ageev@ortcc.ru>
rlm_realm.c: Alan DeKok <aland@ox.org>
session.c: Alan DeKok <aland@ox.org>
log.c: Chad Miller <cmiller@surfsouth.com>, Alan DeKok <aland@ox.org>, Miquel van Smoorenburg <miquels@cistron.nl>
auth.c: Jeff Carneal <jeff@apex.net>, Miquel van Smoorenburg <miquels@cistron.nl>

Created attachment 47339
audit-report.pdf
final

contacted the authors, some email addresses are invalid now.

Created attachment 47725
audit-report.pdf
more final report sent to the authors

Patches are added to the freeradius CVS.
Livingston folks do not respond.

Wolfgang,
1.0.5 will be released shortly. Can we add it to SL10?

Otherwise here are the relevant patches:
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/lib/token.c.diff?r1=1.17&r2=1.18
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/main/session.c.diff?r1=1.27&r2=1.28
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/main/xlat.c.diff?r1=1.101&r2=1.102
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/main/xlat.c.diff?r1=1.72.2.6&r2=1.72.2.7
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_exec/exec.c.diff?r1=1.1&r2=1.2
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_exec/exec.c.diff?r1=1.2&r2=1.3
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c.diff?r1=1.153&r2=1.154
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c.diff?r1=1.122.2.6&r2=1.122.2.7
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/sql_unixodbc.c.diff?r1=1.13&r2=1.14
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/sql_unixodbc.c.diff?r1=1.11.2.1&r2=1.11.2.2
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/sql_unixodbc.c.diff?r1=1.14&r2=1.1

Created attachment 48121
audit-report.pdf
report after authors response
not all bugs are exploitable.

Fixing it in STABLE only is ok.

submitted to STABLE.
@security: Please close if it is fixed for you.

Ok, Livingston does not respond... but it doesn't matter b/c it was just a quick check and no code review.
Should we drop radiusd-livingston?

will close this

CVE-2005-4744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4744

Off-by-one error in the sql_error function in sql_unixodbc.c in FreeRADIUS 1.0.2.5-5, and possibly other versions including 1.0.4, might allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the external database query to fail. NOTE: this single issue is part of a larger-scale disclosure, originally by SUSE, which reported multiple issues that were disputed by FreeRADIUS. Disputed issues included file descriptor leaks, memory disclosure, LDAP injection, and other issues. Without additional information, the most recent FreeRADIUS report is being regarded as the authoritative source for this CVE identifier.

CVE-2005-4744: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)