Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

iDEFENSE Security Advisory 09.15.04: GNU Radius SNMP String Length Integ

from [customer service mailbox] Network Security [Permanent Link]
Subject: iDEFENSE Security Advisory 09.15.04: GNU Radius SNMP String Length Integer Overflow Denial of Service Vulnerability
Date: Wed, 15 Sep 2004 16:24:46 -0400 
GNU Radius SNMP String Length Integer Overflow Denial of Service
Vulnerability

iDEFENSE Security Advisory 09.15.04
www.idefense.com/application/poi/display?id=141&type=vulnerabilities
September 15, 2004

I. BACKGROUND

Radius is used for remote user authentication and accounting.

For more information see:

   http://www.gnu.org/software/radius/radius.html

II. DESCRIPTION

Remote exploitation of an input validation error in version 1.2 of  GNU
radiusd could allow a denial of service.

The vulnerability specifically exists within the asn_decode_string()
function defined in snmplib/asn1.c. When a very large unsigned number is
supplied, it is possible that an integer overflow will occur in the
bounds-checking code. The daemon will then attempt to reference
unallocated memory, resulting in an access violation that causes the
process to terminate.

III. ANALYSIS

Successful exploitation allows unauthenticated remote attackers to cause
the radius daemon (radiusd) to crash. This thereby prevents legitimate
users from accessing systems reliant upon the affected radius server for
authentication. This vulnerability does not seem to allow for execution
of code; it is a denial of service condition only. Exploitation requires
that radiusd be compiled with the --enable-snmp option. SNMP support is
not enabled in the default compile.

IV. DETECTION

iDEFENSE has confirmed that GNU Radius 1.1 and 1.2 are vulnerable, if
configured with --enable-snmp at compile time.

V. WORKAROUND

Disable SNMP support when building radiusd at compile time. Ingress
filtering of UDP port 161 on all interfaces that should not be receiving
SNMP packets may lessen exposure to this vulnerability in affected
environments.

VI. VENDOR FIX

The issue has been addressed in maintenance release version number
1.2.94.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0849 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/10/2004   Initial vendor notification
09/10/2004   Initial vendor response
09/15/2004   Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • iDEFENSE Security Advisory 09.15.04: GNU Radius SNMP String Length Integer Overflow Denial of Service Vulnerability, customer service mailbox <=
Previous by Date:  [VulnWatch] Corsaire Security Advisory - Business Objects WebIntelligence XSS issue, advisories
Next by Date:  [Full-Disclosure] Re: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access, Chris Norton
Previous by Thread:  [VulnWatch] Corsaire Security Advisory - Business Objects WebIntelligence XSS issue, advisories
Next by Thread:  Microsoft WordPerfect 5.x Converter Heap Overflow, NGSSoftware Insight Security Research
Indexes:  [Date] [Thread] [Top] [All Lists]