
GNU Radius Remote Denial of Service Vulnerability


I. BACKGROUND

Radius is a server for remote user authentication and accounting. More information about Radius is available at http://www.gnu.org/software/radius/radius.html.

II. DESCRIPTION

Remote exploitation of a denial of service condition within GNU Radius can allow an attacker to crash the service. The problem specifically exists within the rad_print_request() routine defined in lib/logger.c. A snippet of this routine is shown here:

...
[0] stat_pair = avl_find(req->request, DA_ACCT_STATUS_TYPE);
    if (stat_pair) {
[1]     VALUE_PAIR *sid_pair = avl_find(req->request,
                        DA_ACCT_SESSION_ID);
[2]     DICT_VALUE *dval = value_lookup(stat_pair->avp_lvalue,
                        "Acct-Status-Type");
        char nbuf[64], *stat;
[3]     if (dval)
            stat = dval->name;
        else {
[4]         snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);
            stat = sbuf;
... 

The denial of service condition is triggered upon receipt of a single UDP packet that contains the Acct-Status-Type attribute. On line [0] within rad_print_request() the Acct-Status-Type attribute is accessed. On line [1] the Acct-Session-Id attribute is accessed. On line [2] the local pointer dval is set to point to the Acct-Status-Type attribute value. Because no value was specified for this attribute, dval is equal to NULL. The if-clause on line [3] therefore fails, causing line [4] to be executed. At this point, because there is no Acct-Session-Id attribute, sid_pair is equal to NULL. Dereferencing it on line [4] is an illegal memory reference and causes the application to crash.
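
The check missing before line [4], testing each lookup result before dereferencing it, is shown below as an added example; it is not GNU Radius code and not the vendor's fix. VALUE_PAIR, avl_find() and status_name() are simplified stand-ins whose layout and behavior are assumptions, and printing "sid=(none)" when Acct-Session-Id is absent is a choice made for this example.

```c
#include <stdio.h>
#include <string.h>

enum { DA_ACCT_STATUS_TYPE = 40, DA_ACCT_SESSION_ID = 44 }; /* RFC 2866 numbers */

/* Simplified stand-in for the GNU Radius VALUE_PAIR (layout is an assumption). */
typedef struct value_pair {
    struct value_pair *next;
    int attribute;
    long avp_lvalue;
} VALUE_PAIR;

/* Stand-in for avl_find(): first pair carrying attr, or NULL when absent. */
static VALUE_PAIR *avl_find(VALUE_PAIR *list, int attr)
{
    while (list && list->attribute != attr)
        list = list->next;
    return list;
}

/* Stand-in for value_lookup(): dictionary name of a status value, or NULL. */
static const char *status_name(long v)
{
    return v == 1 ? "Start" : v == 2 ? "Stop" : NULL;
}

/* Hardened formatting: returns 0 on success, -1 without Acct-Status-Type. */
int format_acct_status(VALUE_PAIR *request, char *out, size_t size)
{
    VALUE_PAIR *stat_pair = avl_find(request, DA_ACCT_STATUS_TYPE);
    VALUE_PAIR *sid_pair = avl_find(request, DA_ACCT_SESSION_ID);
    const char *stat;
    char nbuf[64];

    if (!stat_pair)
        return -1;
    stat = status_name(stat_pair->avp_lvalue);
    if (!stat) {  /* unknown value: print the number from the pair known to exist */
        snprintf(nbuf, sizeof nbuf, "%ld", stat_pair->avp_lvalue);
        stat = nbuf;
    }
    if (sid_pair)  /* Acct-Session-Id is untrusted, optional input: check first */
        snprintf(out, size, "status=%s sid=%ld", stat, sid_pair->avp_lvalue);
    else
        snprintf(out, size, "status=%s sid=(none)", stat);
    return 0;
}
```

A request carrying an unrecognized Acct-Status-Type value and no Acct-Session-Id, the combination described above, is formatted as "status=<number> sid=(none)" instead of faulting.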

The following sample output demonstrates the crash of radiusd upon receipt of the specially crafted packet:

[root@vmlinux radiusd]# gdb radiusd `pidof radiusd`
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
...
[removed for sake of brevity]
...
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
rad_print_request (req=0x8085790, outbuf=0xbffff510 "húÿ¿", size=1031) at logger.c:102
102 snprintf(nbuf, sizeof nbuf, "%ld", sid_pair->avp_lvalue);

III. ANALYSIS

Successful exploitation allows unauthenticated remote attackers to cause the Radius daemon (radiusd) to crash. This prevents legitimate users from accessing systems that rely on the affected Radius server for authentication.

iDEFENSE has proof of concept exploit code demonstrating the impact of this vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in GNU Radius version 1.1.

V. RECOVERY

The Radius daemon (radiusd) must be restarted in order to resume normal operation.

VI. VENDOR FIX

GNU Radius 1.2 fixes the problem by removing the vulnerable function, says Sergey Poznyakoff of the GNU Radius Project.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

December 8, 2003    Vulnerability acquired by iDEFENSE
January 29, 2004    Initial vendor notification sent
January 29, 2004    iDEFENSE clients notified
February 2, 2004    Response received from Sergey Poznyakoff of GNU Radius Project
February 2, 2004    Public disclosure on the bug-gnu-radius@gnu.org mailing list

