Subject: Buffer Overflow in version .14
From: Jesse Schachter (jschachter at PSNW.COM)
Date: Mon Apr 24 2000 - 02:43:57 CDT
- Next message: Theodor Ragnar Gislason: "Solaris 7 x86 lp exploit"
- Previous message: Przemyslaw Frasunek: "mtr-0.41 root exploit"
- Next in thread: Alan DeKok: "Re: Buffer Overflow in version .14"
- Reply: Alan DeKok: "Re: Buffer Overflow in version .14"
IC Radius version .14, and possibly earlier versions, contain a buffer
overflow that occurs when trying to authenticate with a valid username
longer than 24 characters.

The culprit is in mysql.c, in the function sql_getvpdata. This function is
normally run 4 times during authentication. The second time it is run, in
the PW_VP_GROUPDATA section, several sprintf calls are used to build the
group query. The string which it all ends up in, querystr, is statically
allocated 256 bytes. Under normal circumstances, this is OK, but the
variable is right at its limits using the default setup. It might be
different depending on how you have your table names and group names
set up. However, it doesn't take much to overflow it.

On my system, once it started to overflow, it began to overwrite the
username pointer. Results may vary. To fix it, I just increased the size
allocated to querystr to 512 bytes. However, in future versions of the
code, it'd be cool to have some bounds checking, and more use of snprintf
so the server doesn't segfault.
_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,
Jesse Schachter .,. Systems Administrator
The Protosource Network .,. Main Number: (888) 643-8558
<JSchachter at PSNW.COM> .,. Fax: (559) 490-8630
_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,_.,+=~`^"-.,
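The post's suggested remedy, bounds checking and snprintf instead of sprintf when building the group query, as an added example that is not part of the original message or of the IC Radius source. The 256-byte querystr size is taken from the post; the query template, the table name "usergroup" and the function names are assumptions made for illustration, not the project's real query. The point shown is that a length-checked builder refuses an oversized username and reports it, where sprintf would keep writing past the end of the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Fixed buffer size mirroring the 256-byte querystr described in the post. */
#define QUERYSTR_SIZE 256

/* Hypothetical query template; IC Radius's actual group query is not
   reproduced here. */
#define GROUP_QUERY_FMT "SELECT GroupName FROM %s WHERE UserName = '%s'"

/* Build the group-lookup query into 'out' (capacity outsz).
   Returns the number of characters written on success, or -1 if the
   formatted query would not fit. Unlike sprintf, snprintf never writes
   past outsz, and its return value tells us whether truncation happened. */
int build_group_query(char *out, size_t outsz,
                      const char *grouptable, const char *username)
{
    int n = snprintf(out, outsz, GROUP_QUERY_FMT, grouptable, username);
    if (n < 0 || (size_t)n >= outsz) {
        /* Truncated or error: do not hand a mangled query to the database. */
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/* Longest username the template leaves room for in a buffer of outsz bytes:
   measure the template with an empty username (snprintf with a NULL buffer
   and size 0 only computes the length) and subtract it from the usable
   capacity, keeping one byte for the terminating NUL. */
size_t max_username_len(size_t outsz, const char *grouptable)
{
    int overhead = snprintf(NULL, 0, GROUP_QUERY_FMT, grouptable, "");
    if (overhead < 0 || (size_t)overhead >= outsz)
        return 0;
    return outsz - 1 - (size_t)overhead;
}

/* Exercise the builder with a constructed username of 'len' 'A' characters
   (capped at 511) against a querystr of the size named in the post. */
int try_username_of_length(size_t len)
{
    static char querystr[QUERYSTR_SIZE];
    char name[512];

    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return build_group_query(querystr, sizeof querystr, "usergroup", name);
}

int main(void)
{
    size_t limit = max_username_len(QUERYSTR_SIZE, "usergroup");

    printf("room for a username of up to %zu characters\n", limit);
    printf("5-char username   -> %d\n", try_username_of_length(5));
    printf("%zu-char username -> %d\n", limit, try_username_of_length(limit));
    printf("%zu-char username -> %d (rejected, not overflowed)\n",
           limit + 1, try_username_of_length(limit + 1));
    return 0;
}
```

The usable username length depends on the table name and the rest of the template, which is why the post notes that the limit shifts with how the tables and group names are set up; computing it from the template rather than hard-coding it keeps the check honest when those names change. Escaping or parameterising the username before it reaches the database is a separate concern from the overflow and is not covered by this example.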