CVE-2004-0987
CVSS 10.0
Published: 2005-01-10 00:00:00
Last revised: 2008-09-05 16:40:00

[Original] Buffer overflow in the process_menu function in yardradius 1.0.20 allows remote attackers to execute arbitrary code.


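[CNNVD] YardRadius process_menu buffer overflow vulnerability (CNNVD-200501-087)

        yardradius is an open-source RADIUS server.
        The process_menu function in yardradius 1.0.20 contains a buffer overflow vulnerability.
        A remote attacker can exploit this vulnerability to execute arbitrary code.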

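- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete shutdown of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]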

- CPE (affected platforms and products)

cpe:/a:yard_radius:yard_radius:1.0.18
cpe:/a:yard_radius:yard_radius:1.0_pre14
cpe:/a:yard_radius:yard_radius:1.0.17
cpe:/a:yard_radius:yard_radius:1.0.19
cpe:/a:yard_radius:yard_radius:1.0.20
cpe:/a:yard_radius:yard_radius:1.0_pre15
cpe:/a:yard_radius:yard_radius:1.0_pre13
cpe:/a:yard_radius:yard_radius:1.0.16

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0987
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0987
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-087
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/11753
(VENDOR_ADVISORY)  BID  11753
http://www.debian.org/security/2004/dsa-598
(VENDOR_ADVISORY)  DEBIAN  DSA-598
http://xforce.iss.net/xforce/xfdb/18270
(VENDOR_ADVISORY)  XF  yardradius-processmenu-bo(18270)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278384
(UNKNOWN)  MISC  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278384

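- Vulnerability information

YardRadius process_menu buffer overflow vulnerability
Critical  Buffer overflow
2005-01-10 00:00:00 2005-10-20 00:00:00
Remote
        yardradius is an open-source RADIUS server.
        The process_menu function in yardradius 1.0.20 contains a buffer overflow vulnerability.
        A remote attacker can exploit this vulnerability to execute arbitrary code.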

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://sourceforge.net/projects/yardradius/files/

- Vulnerability information (F35182)

dsa-598.txt (PacketStormID:F35182)
2004-12-11 00:00:00
 
advisory,overflow,arbitrary,root
linux,debian
CVE-2004-0987

Debian Security Advisory 598-1 - Max Vozeler noticed that yardradius, the YARD radius authentication and accounting server, contained a stack overflow similar to the one from radiusd which is referenced as CVE-2001-0534. This could lead to the execution of arbitrary code as root.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 598-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
November 25th, 2004                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : yardradius
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0987
Debian Bug     : 278384

Max Vozeler noticed that yardradius, the YARD radius authentication
and accounting server, contained a stack overflow similar to the one
from radiusd which is referenced as CAN-2001-0534.  This could lead to
the execution of arbitrary code as root.

For the stable distribution (woody) this problem has been fixed in
version 1.0.20-2woody1.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.20-15.

We recommend that you upgrade your yardradius package immediately.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1.dsc
      Size/MD5 checksum:      630 3aa3c2019a9a5114e0f531fe808e93b3
    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1.diff.gz
      Size/MD5 checksum:     6768 f3643f6f13de7280c19e4c7df503ea11
    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20.orig.tar.gz
      Size/MD5 checksum:   399573 787b1f8784c67cab2702839db6644b9b

  Alpha architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_alpha.deb
      Size/MD5 checksum:   350220 e0274a5766e8c3d18800c06282727df1

  ARM architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_arm.deb
      Size/MD5 checksum:   301448 06828b440337022ae6b1855fbae31f82

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_i386.deb
      Size/MD5 checksum:   295412 4f56c4fdeca63b85808065b4f3e27a7f

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_ia64.deb
      Size/MD5 checksum:   370222 36703ed2eed705e8e1a3397a3d88d427

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_hppa.deb
      Size/MD5 checksum:   312196 59888ec88aa91f6cf58dda032df8a5b5

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_m68k.deb
      Size/MD5 checksum:   289912 55788e327ca665e7ab889e82b8dec833

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_mips.deb
      Size/MD5 checksum:   326438 6e7d29dd1ad61bffef233c031fe7e73c

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_mipsel.deb
      Size/MD5 checksum:   327300 4a0a6d0009d271f458d2c7b87ea1a9f2

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_powerpc.deb
      Size/MD5 checksum:   302024 69d8d6a7d65e1dbd006309420926cb94

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_s390.deb
      Size/MD5 checksum:   298984 0551ab5072e14b3eeb81e23c3a4658df

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/y/yardradius/yardradius_1.0.20-2woody1_sparc.deb
      Size/MD5 checksum:   325768 2edb916d3d3dda25e8919b32ba3e96ba


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBpeIeW5ql+IAeqTIRAscOAJ0fC7lG+G5AI+KfRRZQWRBYTRThEwCgiEed
A/9d82Y3IM+zHtYA5Pn2Oyk=
=ctuq
-----END PGP SIGNATURE-----


- Vulnerability information

12139
YardRadius process_menu() Function Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

A remote overflow exists in YardRadius. The process_menu() function contains a boundary error resulting in a stack overflow. With a specially crafted request, an attacker can cause arbitrary code execution with root privileges resulting in a loss of integrity.

- Timeline

2004-07-01 Unknown
Unknown 2004-07-01

- Solution

Upgrade to version 1.0.21 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Yard Radius Remote Buffer Overflow Vulnerability
Boundary Condition Error 11753
Yes No
2004-11-25 12:00:00 2009-07-12 08:06:00
Discovery is credited to Max Vozeler.

- Affected program versions

Yard RADIUS Yard RADIUS 1.0.20
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Yard RADIUS Yard RADIUS 1.0.19
Yard RADIUS Yard RADIUS 1.0.18
Yard RADIUS Yard RADIUS 1.0.17
Yard RADIUS Yard RADIUS 1.0.16
Yard RADIUS Yard RADIUS 1.0 pre15
Yard RADIUS Yard RADIUS 1.0 pre14
Yard RADIUS Yard RADIUS 1.0 pre13
Yard RADIUS Yard RADIUS 1.0.21

- Unaffected program versions

Yard RADIUS Yard RADIUS 1.0.21

- Vulnerability discussion

Yard Radius is prone to a remotely exploitable stack-based buffer overflow. This issue could reportedly be exploited prior to authentication. Successful exploitation may result in execution of arbitrary code in the context of the server, which may be running as the superuser.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Debian has released advisory DSA 598-1 to address this issue. Please refer to the attached advisory for details on applying and obtaining fixes.

This issue is addressed in Yard Radius 1.0.21.



- Related references
