Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] GNU Radius Format String

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] GNU Radius Format String
Date: 27 Nov 2006 12:34:55 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  GNU Radius Format String
------------------------------------------------------------------------


SUMMARY

 <http://www.gnu.org/software/radius/> GNU Radius is a centralized user 
authentication and accounting system. It supports back-end SQL databases 
for accounting.

Remote exploitation of a format string vulnerability in GNU Radius could 
allow an attacker to execute code in the context of the running daemon.

DETAILS

Vulnerable Systems:
 * GNU Radius versions 1.3 and 1.2.

Remote exploitation of a format string vulnerability in GNU Radius could 
allow an attacker to execute code in the context of the running daemon.

The vulnerability specifically exists within the SQL accounting code. A 
format string is built using user supplied data and then unsafely passed 
to the variable argument function 'sqllog'.

Successful exploitation allows unauthenticated remote attackers to execute 
arbitrary code in the context of the running radius daemon (radiusd). 
Typically the radius daemon will run as root.

Exploitation requires that radiusd be compiled with an SQL back-end and 
SQL accounting be turned on. These options are both turned on by default 
for FreeBSD and Gentoo Linux.

Workaround:
Using one of the other supported accounting methods will mitigate 
exploitation of this vulnerability while still allowing accounting to take 
place.

Vendor Status:
The GNU Radius team included a fix for this vulnerability in version 1.4.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006> CVE-2006

Disclosure Timeline:
 * 08/16/2006 - Initial vendor notification
 * 09/08/2006 - Initial vendor response
 * 11/06/2006 - Second vendor notification
 * 11/26/2006 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
 
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=443> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=443



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] GNU Radius Format String, SecuriTeam <=
Previous by Date:  [UNIX] IBM Lotus Notes Information Disclosure (Port 1352), SecuriTeam
Next by Date:  [UNIX] Dovecot IMAP/POP3 Server Buffer Overflow, SecuriTeam
Previous by Thread:  [UNIX] IBM Lotus Notes Information Disclosure (Port 1352), SecuriTeam
Next by Thread:  [UNIX] Dovecot IMAP/POP3 Server Buffer Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]