COMMAND

    Radius

SYSTEMS AFFECTED

    Radius

PROBLEM

    Jesse Schachter found the following.  IC Radius version .14, and
    possibly earlier versions, contain a buffer overflow that is
    triggered by authenticating with a valid username longer than 24
    characters.

    The culprit is in mysql.c, in the function sql_getvpdata.  This
    function is normally run 4 times during authentication.  The second
    time it is run, in the PW_VP_GROUPDATA section, several sprintf's
    are used to build the group query.  The string they all end up in,
    querystr, is statically allocated at 256 bytes.  Under normal
    circumstances this is fine, but with the default setup the query is
    already right at that limit; the exact margin depends on how your
    table names and group names are set up.  Either way, it doesn't take
    much to overflow it.

    On the tested system, once it started to overflow, it began to
    overwrite the username pointer.  Results may vary.
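    The overflow described above, as an added example that is not code
    from ICRADIUS or from the advisory author: a bounded rewrite of the
    "several sprintf's into a 256-byte querystr" pattern.  The query text,
    the table names (radgroupreply, usergroup) and the function names are
    assumptions made for illustration and are not the real sql_getvpdata
    query.  Each piece is appended with vsnprintf, the return value is
    checked against the space left, and an over-long username is rejected
    instead of running off the end of the buffer.  The helpers at the end
    also measure what the unbounded sprintf chain would have written, so
    the point at which querystr[256] would be overrun can be seen without
    actually corrupting memory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* querystr is 256 bytes in the affected code; keep the same limit here. */
#define QUERYSTR_SZ 256

/* Append one formatted piece at *pos in buf (total size bufsz).
 * Returns 0 on success and advances *pos. Returns -1 if the piece does
 * not fit (including the NUL); the partial write is undone so buf stays
 * a valid, NUL-terminated prefix. */
static int append_fmt(char *buf, size_t bufsz, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*pos >= bufsz)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, bufsz - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= bufsz - *pos) {
        buf[*pos] = '\0';            /* undo the truncated piece */
        return -1;
    }
    *pos += (size_t)n;
    return 0;
}

/* Build the group lookup query in three pieces, mirroring the chain of
 * sprintf() calls the advisory describes, but bounded by outsz.
 * The query text and table names are assumptions for illustration only.
 * Returns 0 if the whole query fit, -1 if any piece was rejected. */
int build_group_query(char *out, size_t outsz,
                      const char *group_table, const char *usergroup_table,
                      const char *user)
{
    size_t pos = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (append_fmt(out, outsz, &pos,
                   "SELECT %s.Attribute, %s.Value FROM %s, %s",
                   group_table, group_table, group_table, usergroup_table) < 0)
        return -1;
    if (append_fmt(out, outsz, &pos, " WHERE %s.UserName = '%s'",
                   usergroup_table, user) < 0)
        return -1;
    if (append_fmt(out, outsz, &pos, " AND %s.GroupName = %s.GroupName",
                   usergroup_table, group_table) < 0)
        return -1;
    return 0;
}

/* Constructed input: a username of userlen 'A's. Tries to build the query
 * into a QUERYSTR_SZ buffer and returns build_group_query's result. */
int try_build_with_userlen(size_t userlen)
{
    char user[1024];
    char querystr[QUERYSTR_SZ];

    if (userlen >= sizeof user)
        return -1;
    memset(user, 'A', userlen);
    user[userlen] = '\0';
    return build_group_query(querystr, sizeof querystr,
                             "radgroupreply", "usergroup", user);
}

/* Length the unbounded sprintf() chain would have written for the same
 * username: build into a buffer large enough that nothing is rejected,
 * then measure. Anything at or above 256 would have overrun querystr. */
size_t unbounded_len_with_userlen(size_t userlen)
{
    char user[1024];
    char big[4096];

    if (userlen >= sizeof user)
        return 0;
    memset(user, 'A', userlen);
    user[userlen] = '\0';
    if (build_group_query(big, sizeof big, "radgroupreply", "usergroup", user) < 0)
        return 0;
    return strlen(big);
}

int main(void)
{
    size_t lens[] = { 24, 94, 95, 200 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("username length %3zu: unbounded query %3zu bytes, bounded build %s\n",
               lens[i], unbounded_len_with_userlen(lens[i]),
               try_build_with_userlen(lens[i]) == 0 ? "ok" : "rejected");
    return 0;
}
```

    With the assumed query text the fixed part is 161 bytes, so a
    94-character username is the last one that fits in 256 bytes and a
    95-character one is rejected by the bounded build; the real ICRADIUS
    query is evidently longer, since the advisory reports the overflow at
    24 characters with default table names.  Checking the vsnprintf return
    value is the part that matters: a bare snprintf would truncate the
    query silently, which is safe for memory but still sends a mangled
    query to the database.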

    A similar set of bugs exists in the Livingston v1.16 server and most
    of its descendants.  These do not involve user requests or packets,
    but the configuration files, so they are not remotely exploitable.

    Any user who has write permission to the configuration files can
    trivially engineer a buffer overflow to obtain the full privileges of
    the UID the RADIUS server runs under, usually root.  However, on a
    well-configured system the user running the RADIUS server should be
    the only one with write permission to the configuration files, so the
    only vulnerable systems are ones that were misconfigured to start
    with.

    The problem still exists, however, and any potential security hole
    should be closed.  An edited sample of the problem code follows:

        ...
        char			secret[20];
        char			hostnm[128];
        char			buffer[256];
        ...
        fgets(buffer, sizeof(buffer), clientfd);   /* at most 255 bytes, bounded */
        ...
        /* %s copies each whitespace-delimited token with no length limit,
           so a host longer than 127 characters or a secret longer than 19
           characters runs past hostnm or secret on the stack */
        sscanf(buffer, "%s%s", hostnm, secret);
        ...

    The same technique can in principle be used against almost any
    configuration file the server reads, as there is little or no bounds
    checking when reading from the files.
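    A bounded replacement for the fgets/sscanf("%s%s") pattern in the
    snippet above, as an added example rather than code from the
    Livingston or Cistron servers.  It keeps the same buffer sizes
    (hostnm[128], secret[20]); the helper and function names and the
    sample lines are constructed for illustration.  Instead of letting
    sscanf copy an unbounded token, it tokenizes the line itself and
    rejects any field that would not fit, and it can also report, from
    token lengths alone, whether the original unbounded call would have
    overflowed.

```c
#include <stdio.h>
#include <string.h>

/* Same buffer sizes as the advisory's snippet. */
#define HOSTNM_SZ 128
#define SECRET_SZ 20

/* Copy the next whitespace-delimited token from *cursor into dst (dstsz
 * bytes) and advance *cursor past it. Returns the token length, or -1 if
 * there is no token or it would not fit together with its NUL. Nothing is
 * written to dst in the failure case. */
static int next_token(const char **cursor, char *dst, size_t dstsz)
{
    const char *p = *cursor;
    size_t len;

    p += strspn(p, " \t\r\n");           /* skip leading whitespace */
    len = strcspn(p, " \t\r\n");          /* token ends at whitespace or NUL */
    if (len == 0 || len >= dstsz)
        return -1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    *cursor = p + len;
    return (int)len;
}

/* Bounded replacement for sscanf(buffer, "%s%s", hostnm, secret).
 * Returns 0 when both fields were read, -1 when one is missing or too
 * long for its buffer. Over-long fields are rejected rather than silently
 * truncated, which is what you want for a shared secret. */
int parse_client_line(const char *line, char *hostnm, size_t hostsz,
                      char *secret, size_t secsz)
{
    const char *cur = line;

    if (next_token(&cur, hostnm, hostsz) < 0)
        return -1;
    if (next_token(&cur, secret, secsz) < 0)
        return -1;
    return 0;
}

/* Parse into buffers of the original sizes; returns parse_client_line's result. */
int parse_client_entry(const char *line)
{
    char hostnm[HOSTNM_SZ];
    char secret[SECRET_SZ];

    return parse_client_line(line, hostnm, sizeof hostnm, secret, sizeof secret);
}

/* Report, from token lengths alone, whether the original unbounded
 * sscanf("%s%s") would write past hostnm[128] or secret[20] for this
 * line. Returns 1 if it would overflow, 0 if not. Nothing is copied. */
int unbounded_sscanf_overflows(const char *line)
{
    const char *p = line;
    size_t hostlen, seclen;

    p += strspn(p, " \t\r\n");
    hostlen = strcspn(p, " \t\r\n");
    p += hostlen;
    p += strspn(p, " \t\r\n");
    seclen = strcspn(p, " \t\r\n");
    return hostlen >= HOSTNM_SZ || seclen >= SECRET_SZ;
}

int main(void)
{
    /* Constructed clients-file lines; the last two would overflow secret[20]
     * and hostnm[128] respectively under the original sscanf() call. */
    const char *lines[] = {
        "nas1.example.net  s3cret\n",
        "\t10.0.0.7\tnineteencharsexact1\n",
        "nas2.example.net twentycharacterslong\n",
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        ".example.net s3cret\n",
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("line %zu: bounded parse %s, unbounded sscanf would %s\n", i + 1,
               parse_client_entry(lines[i]) == 0 ? "ok" : "rejected",
               unbounded_sscanf_overflows(lines[i]) ? "overflow" : "fit");
    return 0;
}
```

    The smallest change to the original call would be
    sscanf(buffer, "%127s%19s", hostnm, secret), which cannot overflow
    but silently truncates an over-long host or secret; the tokenizer
    above fails loudly instead, so a bad configuration line is noticed at
    startup rather than producing a client entry with a wrong secret.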

    The  Livingston  v2.1  server  is  vulnerable,  as  is the derived
    Cistron RADIUS server,  up to v1.6.0.   Cistron RADIUS v1.6.1  and
    later are not vulnerable.  It is believed that all RADIUS  servers
    which are trivially  derived from the  Livingston 1.16 source  are
    vulnerable.  It  is believed that  most commercial RADIUS  servers
    are not vulnerable to this bug, as their source did not  originate
    with the Livingston 1.16 server.

SOLUTION

    The fix increases the size allocated to querystr to 512 bytes.  Note
    that this only moves the limit: the query length still grows with
    the username and with the configured table and group names.  Future
    versions of the code should add proper bounds checking and build the
    query with snprintf rather than sprintf, so the server rejects an
    over-long value instead of segfaulting.