##################### In the name of G0D #####################
##############################################################
# Title : Multiple Format String Vulnerabilities
# Discovered by: Ashiyane Digital Security Team
# App Name : yardradius
# Version : 1.1.2-4
# Date : 2013/06/30
# Affected OSs: Debian and other Distros
# Software Link : http://sourceforge.net/p/yardradius/
##############################################################
Description :
Yet Another Radius Daemon (i.e. YARD RADIUS) is a free RADIUS RFC-compliant daemon for
accounting and authorization ...
Several format string vulnerabilities were found in the latest `yardradius` version, as
explained below:
src/log.c :
void
log_msg(int priority,char *fmt, va_list args)
{
    ...
    char buffer[1024]; // !
    ...
    vfprintf(msgfd, fmt, args); // !
    ...
    vsnprintf(buffer,1024,fmt, args); // !
#if defined(HAVE_SYSLOG)
    syslog(priority, buffer); // !
    ...
    vsyslog(priority, fmt, args); // !
    ...
}
So an attacker can fill fmt with, for example, "%x" to see the addresses and use them to execute arbitrary code...
############
src/version.c :
#define STRVER "%s : YARD Radius Server %s ... $ "
void
version(void)
{
    char buffer[1024];
    build_version(buffer,sizeof(buffer));
    fprintf(stderr, buffer);
    exit(-1);
}
...
void
build_version(char *bp,size_t sizeofbp)
{
    snprintf(bp,sizeofbp-1,STRVER, progname, VERSION);
..
$ ln -s radiusd %x
$ ./%x -v
./b77c0ff4 : YARD Radius Server 1.1 ...
So an attacker may control the memory and execute arbitrary code.
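The corrected shape of the calls flagged in src/log.c and src/version.c, as an added example that is not yardradius code or the developer's patch: the already-built string goes to each sink through a constant "%s" format. The names print_version, log_msg_safe and log_line, the extra parameters, and the shortened STRVER are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#if defined(HAVE_SYSLOG)
#include <syslog.h>
#endif

/* Shortened stand-in for the page's STRVER (the original is elided there). */
#define STRVER "%s : YARD Radius Server %s"

/* Hardened version(): STRVER is expanded once with progname as data, then
 * the result is emitted through "%s" instead of fprintf(stderr, buffer),
 * so a '%' inherited from argv[0] is never parsed as a directive. */
static int print_version(FILE *out, const char *progname, const char *version)
{
    char buffer[1024];
    snprintf(buffer, sizeof buffer, STRVER, progname, version);
    return fprintf(out, "%s\n", buffer);
}

/* Hardened log_msg(): expand fmt exactly once, then hand the result to
 * every sink as data. Callers must still pass a literal fmt and keep
 * untrusted text in the arguments. */
static int log_msg_safe(FILE *msgfd, int priority, const char *fmt, va_list args)
{
    char buffer[1024];
    va_list copy;
    va_copy(copy, args);              /* leave the caller's va_list intact */
    int len = vsnprintf(buffer, sizeof buffer, fmt, copy);
    va_end(copy);
    if (len < 0)
        return -1;
    fprintf(msgfd, "%s\n", buffer);   /* sink 1: buffer is data, not a format */
#if defined(HAVE_SYSLOG)
    syslog(priority, "%s", buffer);   /* the page's call is syslog(priority, buffer) */
#else
    (void)priority;
#endif
    return len;
}

/* Variadic front end so callers can use it like printf. */
static int log_line(FILE *msgfd, int priority, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int len = log_msg_safe(msgfd, priority, fmt, args);
    va_end(args);
    return len;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang flag calls such as fprintf(stderr, buffer), where a non-literal string is passed as the format with no arguments.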
##############################################################
These bugs have already been reported to the developer and will be fixed in the next version.
##############################################################
### By Hamid Zamani (aka HAMIDx9)
##############################################################