[Repost] Apache mod_auth_radius Remote Integer Overflow Vulnerability

Source: www.securiteam.com

Summary
Mod_auth_radius is "RADIUS authentication module for Apache. It allows any Apache web-server to become a RADIUS client for authentication, authorization and accounting requests. You will, however, need to supply your own RADIUS server to perform the actual authentication".

An integer overflow exists in mod_auth_radius that can be exploited by a remote attacker and leveraged to cause mod_auth_radius to execute arbitrary code.

Credit:
The original article can be found at: http://security.lss.hr/en/index. ... p;ID=LSS-2005-01-02
The information has been provided by LSS Security.

Details
Vulnerable Systems:
* mod_auth_radius version 1.5.4 (1.5.7) and prior

When mod_auth_radius authenticates users against a remote RADIUS server, it will send a RADIUS packet with RADIUS_ACCESS_REQUEST tag. The RADIUS server can respond with a RADIUS packet that includes the RADIUS_ACCESS_CHALLENGE tag.

When mod_auth_radius gets RADIUS_ACCESS_CHALLENGE with an attribute set to RADIUS_STATE, and another attribute code in the same packet set to RADIUS_REPLY_MESSAGE, the RADIUS server reply is copied to a local buffer with the function radcpy(). The size of the data copied into the local buffer is taken from the 'length' value of the packet attribute received from the RADIUS server.

mod_auth_radius.c:
...
#define radcpy(STRING, ATTR) {memcpy(STRING, ATTR->data, ATTR->length - 2);\
(STRING)[ATTR->length - 2] = 0;}
...

Before the data is copied with memcpy(), two is subtracted from the attribute length supplied by the RADIUS server. If the attribute length is set to 1, the subtraction results in -1, which memcpy() treats as a very large unsigned size, and the copy leads to a segfault. If an attacker can sniff RADIUS request packets (which is a vulnerability by itself), he can spoof RADIUS server replies with attribute length 1 that will segfault mod_auth_radius or even, in some cases, execute arbitrary code.

Exploit:
http://www.eviloctal.com/forum/read.php?tid=6909
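An added example (not from the advisory or the mod_auth_radius source): it shows the size the radcpy() macro quoted above hands to memcpy() when the attribute length is 1, beside a bounds-checked copy that rejects such an attribute. The function names, the 16-byte buffer and the sample attributes are constructed for illustration, and the length is assumed to be the one-octet RADIUS attribute length field.

```c
#include <stdio.h>
#include <string.h>

/* What radcpy() passes to memcpy(): "length - 2" is an int, then becomes size_t. */
static size_t macro_copy_size(unsigned char length)
{
    return (size_t)(length - 2);
}

/* Hypothetical hardened copy. attr points at one raw attribute
 * (type, length, value...); avail is how many received bytes remain.
 * Returns the number of value bytes copied, or -1 if the attribute is rejected. */
static int copy_attr_value(const unsigned char *attr, size_t avail,
                           char *dst, size_t dst_size)
{
    size_t len, n;

    if (attr == NULL || dst == NULL || dst_size == 0 || avail < 2)
        return -1;
    len = attr[1];
    if (len < 2 || len > avail)   /* header alone is 2 bytes; stay inside the packet */
        return -1;
    n = len - 2;
    if (n >= dst_size)            /* keep one byte for the terminator */
        return -1;
    memcpy(dst, attr + 2, n);
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample attributes: type 18 is Reply-Message in RFC 2865. */
    const unsigned char good[] = { 18, 7, 'h', 'e', 'l', 'l', 'o' };
    const unsigned char bad[]  = { 18, 1 };
    char buf[16];

    printf("macro size for length 1: %zu\n", macro_copy_size(1));
    printf("good: %d\n", copy_attr_value(good, sizeof good, buf, sizeof buf));
    printf("bad:  %d\n", copy_attr_value(bad, sizeof bad, buf, sizeof buf));
    return 0;
}
```

The checked version validates the attribute length against both the received data and the destination buffer before any copy takes place.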
