Radius Daemon Multiple Format String Vulnerabilities

2013-07-03 / 2013-07-19
Risk: High
Local: Yes
Remote: No
CWE: CWE-134


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

##################### In the name of G0D #####################
##############################################################
# Title : Multiple Format String Vulnerabilities
# Discovered by: Ashiyane Digital Security Team
# App Name : yardradius
# Version : 1.1.2-4
# Date : 2013/06/30
# Affected OSs: Debian and other distros
# Software Link : http://sourceforge.net/p/yardradius/
##############################################################

Description :

Yet Another Radius Daemon (i.e. YARD RADIUS) is a free RADIUS RFC compliant daemon for accounting and authorization ...

Several format string vulnerabilities were found in the latest `yardradius` version, as explained further below :

src/log.c :

void log_msg(int priority,char *fmt, va_list args)
{
...
    char buffer[1024]; // !
...
    vfprintf(msgfd, fmt, args); // !
...
    vsnprintf(buffer,1024,fmt, args); //!
#if defined(HAVE_SYSLOG)
    syslog(priority, buffer); //!
...
    vsyslog(priority, fmt, args); // !
...
}

So an attacker can fill fmt with, for example, "%x", see the addresses, and use them to execute arbitrary code...

############

src/version.c :

#define STRVER "%s : YARD Radius Server %s ... $ "

void version(void)
{
    char buffer[1024];
    build_version(buffer,sizeof(buffer));
    fprintf(stderr, buffer);
    exit(-1);
}
...
void build_version(char *bp,size_t sizeofbp)
{
    snprintf(bp,sizeofbp-1,STRVER, progname, VERSION);
..

$ ln -s radiusd %x
$ ./%x -v
./b77c0ff4 : YARD Radius Server 1.1 ...

So an attacker may control the memory and execute arbitrary code.

##############################################################
These bugs have already been reported to the developer and will be fixed in the next version.
##############################################################
### By Hamid Zamani (aka HAMIDx9)
##############################################################
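
The corrected call pattern for the two code paths above, as an added example that is not yardradius code or a patch from its developer. The names version_safe, log_msg_safe and log_line, the shortened STRVER and the VERSION value are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <syslog.h>
#define STRVER  "%s : YARD Radius Server %s" /* shortened from the advisory */
#define VERSION "1.1"                        /* placeholder for this example */
/* The only formatting pass: progname is an argument to %s, nothing more. */
static void build_version(char *bp, size_t sizeofbp, const char *progname)
{
    snprintf(bp, sizeofbp, STRVER, progname, VERSION);
}

/* Hypothetical hardened version(): the built string is written as data. */
static void version_safe(FILE *out, const char *progname)
{
    char buffer[1024];
    build_version(buffer, sizeof(buffer), progname);
    fprintf(out, "%s\n", buffer);   /* was: fprintf(stderr, buffer) */
}

/* Hypothetical hardened log_msg(): render once, then hand each sink the
 * result as data. va_copy leaves the caller's va_list usable. */
static int log_msg_safe(int priority, FILE *msgfd, const char *fmt, va_list args)
{
    char buffer[1024];
    va_list copy;
    va_copy(copy, args);
    int n = vsnprintf(buffer, sizeof(buffer), fmt, copy);
    va_end(copy);
    fputs(buffer, msgfd);
    syslog(priority, "%s", buffer); /* was: syslog(priority, buffer) */
    return n;                       /* vsnprintf's return value */
}

/* Hypothetical front end: constant fmt, untrusted data only as arguments. */
static int log_line(FILE *msgfd, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = log_msg_safe(LOG_INFO, msgfd, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    version_safe(stderr, "./%x");                  /* constructed argv[0] */
    log_line(stderr, "login from %s\n", "%x%x%n"); /* constructed input */
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang flag the original fprintf(stderr, buffer) and syslog(priority, buffer) calls at compile time.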

References:

http://sourceforge.net/p/yardradius/
http://seclists.org/oss-sec/2013/q3/145



Copyright 2019, cxsecurity.com

 
