what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

cisco-acs.txt

cisco-acs.txt
Posted Sep 3, 2008
Authored by Laurent Butti, Gabriel Campana

Cisco Secure ACS does not correctly parse the length of EAP-Response packets which allows remote attackers to cause a denial of service and possibly execute arbitrary code. A remote attacker (acting as a RADIUS client) could send a specially crafted EAP Response packet against a Cisco Secure ACS server in such a way as to cause the CSRadius service to crash (reliable). This bug may be triggered if the length field of an EAP-Response packet has a certain big value, greater than the real packet length.

tags | advisory, remote, denial of service, arbitrary
systems | cisco
advisories | CVE-2008-2441
SHA-256 | 319147cb46911ef704c63fc39bf9d0a5a41748f5c8eed7579cf3a521ef71ba93

cisco-acs.txt

Change Mirror Download
Title:
------
* Cisco Secure ACS does not correctly parse the length of EAP-Response
packets which allows remote attackers to cause a denial of service and
possibly execute arbitrary code

Summary:
--------
* A remote attacker (acting as a RADIUS client) could send a specially
crafted EAP Response packet against a Cisco Secure ACS server in such a
way as to cause the CSRadius service to crash (reliable). This bug may
be triggered if the length field of an EAP-Response packet has a certain
big value, greater than the real packet length. Any EAP-Response can
trigger this bug: EAP-Response/Identity, EAP-Response/MD5,
EAP-Response/TLS...

Affected Products:
------------------
* All versions of Cisco Secure ACS that support EAP, to be more precise,
check the Cisco Advisory cisco-sr-20080903-csacs

Assigned CVE:
-------------
* CVE-2008-2441

Details:
--------
* An EAP packet is as follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Identity...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

* For example, the following packet will trigger the vulnerability and
crash CSRadius.exe:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2 | 0 | 0xdddd |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 1 | abcd
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Attack Impact:
--------------
* Denial-of-service and possibly remote arbitrary code execution

Attack Vector:
--------------
* Have access as a RADIUS client (knowing or guessing the RADIUS shared
secret) or from an unauthenticated wireless device if the access point
relays malformed EAP frames

Timeline:
---------
* 2008-05-05 - Vulnerability reported to Cisco
* 2008-05-05 - Cisco acknowledged the notification
* 2008-05-05 - PoC sent to Cisco
* 2008-05-13 - Cisco confirmed the issue
* 2008-09-03 - Coordinated public release of advisory

Credits:
--------
* This vulnerability was discovered by Gabriel Campana and Laurent Butti
from France Telecom / Orange
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    0 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close