Bugzilla – Bug 84235
VUL-0: CVE-2005-1455: freeradius buffer overflow
Last modified: 2021-11-08 12:39:46 UTC
We received the following report via bugtraq. The issue is public. Do you know whether this was discussed upstream? It somehow looks like Gentoo only atm.

Date: Tue, 17 May 2005 16:27:26 +0200
From: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
To: gentoo-announce@gentoo.org
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, security-alerts@linuxsecurity.com
Subject: [ GLSA 200505-13 ] FreeRADIUS: Buffer overflow and SQL injection vulnerability

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                   GLSA 200505-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: FreeRADIUS: Buffer overflow and SQL injection vulnerability
      Date: May 17, 2005
      Bugs: #91736
        ID: 200505-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The FreeRADIUS server is vulnerable to a buffer overflow and an SQL injection attack, possibly allowing the compromise of the system.

Background
==========

FreeRADIUS is an open source RADIUS authentication server implementation.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  net-dialup/freeradius      < 1.0.2-r3                >= 1.0.2-r3

Description
===========

Primoz Bratanic discovered that the sql_escape_func function of FreeRADIUS may be vulnerable to a buffer overflow (BID 13541). He also discovered that FreeRADIUS fails to sanitize user-input before using it in a SQL query, possibly allowing SQL command injection (BID 13540).

Impact
======

By supplying carefully crafted input, a malicious user could cause a buffer overflow or an SQL injection, possibly leading to the execution of arbitrary code or disclosure and the modification of sensitive data.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All FreeRADIUS users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-dialup/freeradius-1.0.2-r3"

References
==========

  [ 1 ] BugTraq ID 13540
        http://www.securityfocus.com/bid/13540/
  [ 2 ] BugTraq ID 13541
        http://www.securityfocus.com/bid/13541/

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
Haven't heard about it until now. I will investigate.
This is the answer of the upstream maintainer to my question:

> Yesterday there was a security advisory from Gentoo about FreeRADIUS
> 1.0.2 on bugtraq.
> http://www.securityfocus.com/bid/13540/
> http://www.securityfocus.com/bid/13541/
>
> As I didn't hear about it before, a few questions.
>
> Are you aware of that? I hope so. And what are the details about these
> problems?

I heard rumors, but the originator did not contact security@freeradius.org

The details are:

1) Non-ASCII characters are printed as \ddd, but the buffer length check is incorrect, so the digits can over-run the buffer. This may crash the server, but I have a hard time seeing how it's exploitable.

2) In some cases, the data being used in SQL queries wasn't being properly sanitized, which could allow SQL injection attacks, for the following situations:

   a) The user was doing dynamic SELECT's via %{sql:data...}
   b) group comparisons via "SQL-Group == foo"
   c) Simultaneous-Use checking was done via SQL

We will be issuing 1.0.3 soon.

Alan DeKok.
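The length-check failure described in item 1 above comes from the \ddd expansion: one input byte can become four output bytes, and the bound must be checked against that expanded size before each write. The following is an added example of a bounds-checked escaper, not FreeRADIUS's sql_escape_func or any code from this thread; it assumes the octal \ddd form for non-printable and non-ASCII bytes and a caller-supplied output size.

```c
#include <stdio.h>
#include <string.h>
/* Escape `in` for an SQL string literal into `out` (`outlen` bytes).
 * Printable ASCII other than quotes/backslash is copied; anything else,
 * including bytes >= 0x80, becomes \ddd (three octal digits), so one input
 * byte can yield four output bytes.  Every write is preceded by a check for
 * that expansion plus the NUL, the check the thread reports as missing.
 * Returns bytes written (without NUL), or -1 if `out` is too small.
 * Hypothetical illustration, not FreeRADIUS's sql_escape_func. */
int escape_sql_octal(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    /* Iterate as unsigned so high-bit bytes are not sign-extended. */
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        int plain = *p >= 0x20 && *p < 0x7f &&
                    *p != '\'' && *p != '"' && *p != '\\';
        size_t need = plain ? 1 : 4;
        if (used + need + 1 > outlen) return -1;   /* room for NUL too */
        if (plain) {
            out[used++] = (char)*p;
        } else {
            /* %03o on a byte is always exactly three digits (000..377). */
            used += (size_t)snprintf(out + used, outlen - used, "\\%03o", *p);
        }
    }
    out[used] = '\0';
    return (int)used;
}

/* Check helper: escape into a buffer of `outlen` bytes and compare with
 * `expected`; expected == NULL means the call must be rejected (-1). */
int escape_matches(const char *in, size_t outlen, const char *expected)
{
    char buf[64];
    if (outlen > sizeof buf) return 0;
    int n = escape_sql_octal(in, buf, outlen);
    if (expected == NULL) return n == -1;
    return n >= 0 && (size_t)n == strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[32];
    /* Constructed sample: an embedded quote and a Latin-1 byte (0xe9). */
    int n = escape_sql_octal("O'Neil \xe9", buf, sizeof buf);
    printf("%d bytes: %s\n", n, buf);  /* 14 bytes: O\047Neil \351 */
    printf("%d\n", escape_sql_octal("\xe9\xe9\xe9", buf, 12));  /* -1: 3*4+NUL > 12 */
    return 0;
}
```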
Gentoo... Anyways, I'll post that to vendor-sec. Thanks for clarification!
Date: Thu, 19 May 2005 11:38:43 +0200
From: Thierry Carrez <koon@gentoo.org>
To: vendor-sec@lst.de
Subject: Re: [vendor-sec] freeradius buffer overflow & SQL injection
User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050325)

Ludwig Nussel wrote:
> There was a security advisory from Gentoo about FreeRADIUS 1.0.2 on bugtraq.
> http://www.securityfocus.com/bid/13540/
> http://www.securityfocus.com/bid/13541/

In fact we aren't the origin of this, we just reacted to the BID creation on May 6... I suppose it was originally created from:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307720 (created May 4)

Our bugzilla entry is at:
https://bugs.gentoo.org/show_bug.cgi?id=91736 (created May 6)

We mistakenly thought upstream was in the loop on the Debian bug and released without double-checking...

Note that the patch we applied introduces new problems and we should release new packages (and an updated GLSA) soon.

-- 
Thierry Carrez
Gentoo Linux Security
According to the Debian bug this is the patch:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/src/modules/rlm_sql/rlm_sql.c.diff?r1=1.131.2.1&r2=1.131.2.3

CAN-2005-1454 for the overflow.
CAN-2005-1455 for the SQL injection.
I will apply this patch to the packages.
Status: I have fixed packages ready for all versions but SLES8. The freeradius version there doesn't have any SQL-escape filter at all IMHO. What to do?
Is it possible to extract the code used in newer versions?
I will try this and if I fail, I will reassign this bug to security-team.
all packages were submitted to autobuild. Please provide patchinfos and SWAMPs as you like ;-)
SM-Tracker-1400
/work/src/done/PATCHINFO/freeradius.patch.box /work/src/done/PATCHINFO/freeradius.patch.maintained
updates released.
CVE-2005-1455: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)