what you don't know can hurt you

FreeRADIUS 2.1.12 Remote Code Execution

FreeRADIUS 2.1.12 Remote Code Execution
Posted Sep 10, 2012
Authored by Timo Warns | Site pre-cert.de

PRE-CERT Security Advisory - A stack overflow vulnerability has been identified in FreeRADIUS that allows to remotely execute arbitrary code via specially crafted client certificates (before authentication). The vulnerability affects setups using TLS-based EAP methods (including EAP-TLS, EAP-TTLS, and PEAP).

tags | advisory, overflow, arbitrary
advisories | CVE-2012-3547
MD5 | fb0a9c0a3a011f11ef69b4e23be84eea

FreeRADIUS 2.1.12 Remote Code Execution

Change Mirror Download
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-06
* Released on: 10 September 2012
* Affected product: FreeRADIUS 2.1.10 - 2.1.12
* Impact: remote code execution
* Origin: specially crafted client certificates
* CVSS Base Score: 10
Impact Subscore: 10
Exploitability Subscore: 10
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-3547


Summary
-------

A stack overflow vulnerability has been identified in FreeRADIUS that allows to
remotely execute arbitrary code via specially crafted client certificates
(before authentication). The vulnerability affects setups using TLS-based EAP
methods (including EAP-TLS, EAP-TTLS, and PEAP).

FreeRADIUS defines a callback function cbtls_verify() for certificate
verification. The function has a local buf array with a size of 64
bytes. It copies the validity timestamp "not after" of a client
certificate to the buf array:

asn_time = X509_get_notAfter(client_cert);
if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
memcpy(buf, (char*) asn_time->data, asn_time->length);
buf[asn_time->length] = '\0';

The MAX_STRING_LEN constant is defined to be 254. If asn_time->length is
greater than 64 bytes, but less than 254 bytes, buf overflows via the memcpy.

Depending on the stack layout chosen by the compiler, the vulnerability allows
to overflow the return address on the stack, which can be exploited for code
execution.


Solution
--------

The issue has been fixed in FreeRADIUS 2.2.0. Updates should be installed as
soon as possible.


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt


Contact
--------

PRE-CERT can be reached under precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    27 Files
  • 14
    Nov 14th
    22 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    1 Files
  • 17
    Nov 17th
    3 Files
  • 18
    Nov 18th
    22 Files
  • 19
    Nov 19th
    17 Files
  • 20
    Nov 20th
    15 Files
  • 21
    Nov 21st
    16 Files
  • 22
    Nov 22nd
    2 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close