Bugzilla – Bug 104195
AUDIT-0: {Free-,Livingston}RADIUS
Last modified: 2021-11-11 14:42:49 UTC
The freeradius server needs some testing because it's widely used and a *very* complex piece of code.
Marian, I ran my radius-fuzzer against radiusd-livingston and the server crashes.
Mon Aug 22 14:00:56 2005: [13050] handle_proxy called for packet type 0 unexpectedly
Mon Aug 22 14:00:56 2005: [13050] exit on signal 100
> export CVS_RSH=ssh
> export CVSROOT=thomas@wotan.suse.de:/suse/thomas/Projekte/repository/
> cvs co radius-fuzzer
> less radius-fuzzer/INSTALL
...
> radius-fuzzer/src/radiusfuzzer --all --secret _rastesting_ --host 172.16.0.40
And then watch the radiusd die. :) I'll inform the authors.
Created attachment 47273 audit-report.pdf audit report so far. I'll not inform the authors now. Instead we should wait until Sebastian finishes his review.
exec.c: Michael J. Hartwick <hartwick@hartwick.com>
rlm_ldap.c: Kostas Kalveras <kkalev@noc.ntua.gr>
rlm_sql.c: Mike Machado <mike@innercite.com>, Alan DeKok <aland@ox.org>
xlat.c: Alan DeKok <aland@ox.org>
sql_unixodbc.c: Dmitri Ageev <d_ageev@ortcc.ru>
rlm_realm.c: Alan DeKok <aland@ox.org>
session.c: Alan DeKok <aland@ox.org>
log.c: Chad Miller <cmiller@surfsouth.com>, Alan DeKok <aland@ox.org>, Miquel van Smoorenburg <miquels@cistron.nl>
auth.c: Jeff Carneal <jeff@apex.net>, Miquel van Smoorenburg <miquels@cistron.nl>
Created attachment 47339 audit-report.pdf final
Contacted the authors, some email addresses are invalid now.
Created attachment 47725 audit-report.pdf more final report sent to the authors
Patches are added to the freeradius CVS. Livingston folks do not respond.
Wolfgang, 1.0.5 will be released shortly. Can we add it to SL10? Otherwise here are the relevant patches:
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/lib/token.c.diff?r1=1.17&r2=1.18
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/main/session.c.diff?r1=1.27&r2=1.28
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/main/xlat.c.diff?r1=1.101&r2=1.102
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/main/xlat.c.diff?r1=1.72.2.6&r2=1.72.2.7
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_exec/exec.c.diff?r1=1.1&r2=1.2
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_exec/exec.c.diff?r1=1.2&r2=1.3
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c.diff?r1=1.153&r2=1.154
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_ldap/rlm_ldap.c.diff?r1=1.122.2.6&r2=1.122.2.7
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/sql_unixodbc.c.diff?r1=1.13&r2=1.14
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/sql_unixodbc.c.diff?r1=1.11.2.1&r2=1.11.2.2
www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/sql_unixodbc.c.diff?r1=1.14&r2=1.1
Created attachment 48121 audit-report.pdf report after authors' response
Not all bugs are exploitable.
Fixing it in STABLE only is ok.
Submitted to STABLE. @security: Please close if it is fixed for you.
Ok, Livingston does not respond... but it doesn't matter b/c it was just a quick check and no code review. Should we drop radiusd-livingston?
Will close this.
CVE-2005-4744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4744
Off-by-one error in the sql_error function in sql_unixodbc.c in FreeRADIUS 1.0.2.5-5, and possibly other versions including 1.0.4, might allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the external database query to fail.
NOTE: this single issue is part of a larger-scale disclosure, originally by SUSE, which reported multiple issues that were disputed by FreeRADIUS. Disputed issues included file descriptor leaks, memory disclosure, LDAP injection, and other issues. Without additional information, the most recent FreeRADIUS report is being regarded as the authoritative source for this CVE identifier.
CVE-2005-4744: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)