##################### In the name of G0D ##################### ############################################################## # Title : Multiple Format String Vulnerabilities # Discovered by: Ashiyane Digital Security Team # App Name : yardradius # Version : 1.1.2-4 # Date : 2013/06/30 # Affected OSs: Debian and other Distors # Software Link : http://sourceforge.net/p/yardradius/ ############################################################## Description : Yet Another Radius Daemon (i.e. YARD RADIUS) is a free RADIUS RFC compliant daemon for accounting and authorization ... Several Format String vulnerabilities was found in the latest `yardradius` version as explained further below : src/log.c : void log_msg(int priority,char *fmt, va_list args) { ... char buffer[1024]; // ! ... vfprintf(msgfd, fmt, args); // ! ... vsnprintf(buffer,1024,fmt, args); //! #if defined(HAVE_SYSLOG) syslog(priority, buffer); //! ... vsyslog(priority, fmt, args); // ! ... } So an attacker can fill fmt by for ex. "%x" and see the addresses and use them to execute arbitrary codes... ############ src/version.c : #define STRVER "%s : YARD Radius Server %s ... $ " void version(void) { char buffer[1024]; build_version(buffer,sizeof(buffer)); fprintf(stderr, buffer); exit(-1); } ... void build_version(char *bp,size_t sizeofbp) { snprintf(bp,sizeofbp-1,STRVER, progname, VERSION); .. $ ln -s radiusd %x $ ./%x -v ./b77c0ff4 : YARD Radius Server 1.1 ... So an attacker may control the memory and execute arbitrary codes. ############################################################## These bugs have already reported to the developer and will be fixed in next version. ############################################################## ### By Hamid Zamani (aka HAMIDx9) ##############################################################