CVE-2003-0450
CVSS7.5
Published: 2003-08-07 00:00:00
Revised: 2008-09-10 15:19:02

[Original] Cistron RADIUS daemon (radiusd-cistron) 1.6.6 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large value in an NAS-Port attribute, which is interpreted as a negative number and causes a buffer overflow.


[CNNVD] Cistron RADIUS Remote Signed NAS-Port Value Memory Corruption Vulnerability (CNNVD-200308-027)

        
radiusd-cistron is an implementation of the RADIUS protocol.
The Cistron-RADIUS server does not correctly handle very large NAS port numbers. A remote attacker can exploit this to corrupt the memory of the service process and possibly execute arbitrary instructions on the system with the privileges of that process.
When Cistron RADIUS processes user-supplied data it uses the "%d" format specifier incorrectly in a call to sprintf(). If an attacker sends a signed value as the NAS-Port data, internal memory of the server process is overwritten; carefully constructed data may allow arbitrary instructions to be executed with the privileges of the RADIUS process (normally root).
The vulnerable code is as follows:
acct.c:
static void make_wtmp(struct radutmp *ut, struct utmp *wt, int status)
{
 char buf[32];
[...]
#if UT_LINESIZE > 9
 sprintf(buf, "%03d:%.20s", ut->nas_port, s);
#else
 sprintf(buf, "%02d%.20s", ut->nas_port, s);
#endif
On Linux, UT_LINESIZE > 9.
If ut->nas_port > 2^31, %03d expands to a negative number and therefore to 11 characters; together with the colon, the 20 characters of the string and the trailing NUL, the output grows to 33 characters, a one-byte overflow of the 32-byte buffer.
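The size arithmetic from that paragraph, as an added example that is not part of the advisory or of the Cistron source: it measures the width the vulnerable "%03d:%.20s" format produces for a few port values with snprintf(NULL, 0, ...) instead of writing into a 32-byte buffer, and sets a bounded, unsigned variant beside it. BUF_SIZE, the sample string and the function names are assumptions made for this example.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32  /* char buf[32] in make_wtmp() */

/* Constructed sample input: a 20-character string (%.20s keeps all of it) and
 * a port value with the top bit set, which a signed %d prints as negative. */
static const char SAMPLE_LINE[] = "abcdefghijklmnopqrst";
static const int  BIG_PORT = INT_MIN;   /* bit pattern 0x80000000 */
static char g_line[BUF_SIZE];

/* Bytes, NUL included, that the vulnerable "%03d:%.20s" format needs.
 * snprintf(NULL, 0, ...) only measures, so nothing is overrun here. */
size_t vuln_needed_bytes(int nas_port, const char *s)
{
    return (size_t)snprintf(NULL, 0, "%03d:%.20s", nas_port, s) + 1;
}

/* 1 if the original sprintf() would run past the 32-byte stack buffer. */
int vuln_overflows(int nas_port, const char *s)
{
    return vuln_needed_bytes(nas_port, s) > BUF_SIZE;
}

/* Hardened variant (written for this example, not the project's fix): print
 * the port as unsigned so no '-' can appear, and bound the write with
 * snprintf. Returns 0 on success, -1 if the line would not fit. */
int safe_make_line(char *buf, size_t bufsz, uint32_t nas_port, const char *s)
{
    int n = snprintf(buf, bufsz, "%03" PRIu32 ":%.20s", nas_port, s);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz) buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("port 5       -> %zu bytes\n", vuln_needed_bytes(5, SAMPLE_LINE));
    printf("port INT_MAX -> %zu bytes (exactly fits)\n", vuln_needed_bytes(INT_MAX, SAMPLE_LINE));
    printf("port INT_MIN -> %zu bytes, overflow=%d\n",
           vuln_needed_bytes(BIG_PORT, SAMPLE_LINE), vuln_overflows(BIG_PORT, SAMPLE_LINE));
    if (safe_make_line(g_line, sizeof g_line, 0x80000000u, SAMPLE_LINE) == 0)
        printf("hardened     -> \"%s\"\n", g_line);
    return 0;
}
```

The largest non-negative int still fits in exactly 32 bytes; only the sign character of a negative value pushes the line to 33, which is why the unsigned conversion alone closes the gap.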
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available.

- OVAL (technical details for detection)

No related OVAL definitions were found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0450
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0450
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-027
(official data source) CNNVD

- Other links and resources

http://www.turbolinux.com/security/TLSA-2003-40.txt
(VENDOR_ADVISORY)  TURBO  TLSA-2003-40
http://www.debian.org/security/2003/dsa-321
(VENDOR_ADVISORY)  DEBIAN  DSA-321
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063
(VENDOR_ADVISORY)  MISC  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063
http://www.novell.com/linux/security/advisories/2003_030_radiusd_cistron.html
(UNKNOWN)  SUSE  SuSE-SA:2003:030
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000664
(UNKNOWN)  CONECTIVA  CLA-2003:664

- Vulnerability information

Cistron RADIUS Remote Signed NAS-Port Value Memory Corruption Vulnerability
High risk  Design error
2003-08-07 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

Vendor patches:
Debian
------

http://www.debian.org/security/2003/dsa-321

S.u.S.E.
--------
S.u.S.E. has released a security advisory (SuSE-SA:2003:030) and corresponding patches for this issue:
SuSE-SA:2003:030: radiusd-cistron
Patch downloads:

- Vulnerability information

2219
Cistron RADIUS radiusd-cistron Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : radiusd-cistron
SUMMARY : Buffer overflow vulnerability
DATE : 2003-06-27 12:07:00
ID : CLA-2003:664
RELEVANT RELEASES : 7.0, 8, 9

DESCRIPTION
Cistron RADIUS is an authentication and accounting system for terminal servers that speak the RADIUS (Remote Authentication Dial In User Service) protocol.

David Luyer reported[1] a buffer overflow vulnerability in radiusd-cistron versions <= 1.6.6 that could allow remote attackers to cause a denial of service (DoS) and possibly execute arbitrary code in the server context. The vulnerability resides in the handling of the NAS-Port attribute, which can be interpreted as a negative number, causing a buffer overflow.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0450 to this issue[2].

This update fixes the problem using a patched version of radiusd-cistron 1.6.6.

SOLUTION
All radius-cistron users should upgrade. This update will automatically restart the service if it is already running.

REFERENCES:
1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0450
3. http://distro2.conectiva.com.br/bugzilla/show_bug.cgi?id=8690

UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/radiusd-cistron-1.6.6-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/radiusd-cistron-1.6.6-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/radiusd-cistron-1.6.6-5U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/radiusd-cistron-1.6.6-5U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/radiusd-cistron-1.6.6-13419U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/radiusd-cistron-1.6.6-13419U90_1cl.src.rpm

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en

Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

- Timeline

2003-06-27 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Cistron RADIUS Remote Signed NAS-Port Number Expansion Memory Corruption Vulnerability
Design Error 7892
Yes No
2003-06-13 12:00:00 2009-07-11 10:06:00
The discovery of this vulnerability has been credited to "David Luyer" <david_luyer@pacific.net.au>.

- Affected program versions

Miquel van Smoorenburg Cistron Radius 1.6.6
+ Conectiva Linux 9.0
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
+ S.u.S.E. Linux 8.0
Miquel van Smoorenburg Cistron Radius 1.6.5
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1.1
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
Miquel van Smoorenburg Cistron Radius 1.6.4
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha

- Vulnerability discussion

A remote vulnerability has been discovered in Cistron RADIUS. The problem occurs due to a design error when processing user-supplied data. As a result, an attacker may transmit a signed value which, when interpreted, could cause memory corruption.

The vulnerability occurs due to the incorrect usage of the '%d' format specifier when calling the sprintf() function.

A remote attacker could potentially exploit this issue to seize control of the RADIUS server's execution flow. If successful, this could be leveraged to execute arbitrary code with the privileges of the user invoking the process.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Conectiva has released a security advisory (CLA-2003:664) containing fixes to address this issue. Users are advised to upgrade as soon as possible. Fixes are listed below.

SuSE has released a security advisory (SuSE-SA:2003:030) containing fixes to address this issue. Users are advised to upgrade as soon as possible. Further information regarding how to obtain and apply fixes can be found in the attached advisory.

Cistron RADIUS 1.6.7 is currently under development and will address this issue.

Debian has released advisory DSA 321-1 with fixes to address this issue. See referenced advisory for additional information.

Gentoo has released fixes to address this issue. The associated advisory contains the following information:

It is recommended that all Gentoo Linux users who are running
net-dialup/cistronradius upgrade to cistronradius-1.6.6-r1 as follows

emerge sync
emerge cistronradius
emerge clean


Miquel van Smoorenburg Cistron Radius 1.6.4

Miquel van Smoorenburg Cistron Radius 1.6.6

- Related references

 

 
