oss-sec mailing list archives
CVE Request : Radius Daemon (YardRadius v1.1.2-4 ) Multiple Format String Vulnerabilities
From: Hamid Zamani <me () hamidx9 ir>
Date: Fri, 19 Jul 2013 05:22:52 +0430
Hello,

Software name : YardRadius
Version : 1.1.2-4

Several Format String Vulnerabilities were found in the latest YardRadius.

Description :

src/log.c :

void log_msg(int priority,char *fmt, va_list args)
{
    ...
    char buffer[1024];
    ...
    vfprintf(msgfd, fmt, args);
    ...
    vsnprintf(buffer,1024,fmt, args);
#if defined(HAVE_SYSLOG)
    syslog(priority, buffer); //! if buff filled by "%x" so an attacker can see the addresses and ...
    ...
    vsyslog(priority, fmt, args);
    ...
}

############

src/version.c :

#define STRVER "%s : YARD Radius Server %s ... $ "

void version(void)
{
    char buffer[1024];
    build_version(buffer,sizeof(buffer));
    fprintf(stderr, buffer);
    exit(-1);
}
...
void build_version(char *bp,size_t sizeofbp)
{
    snprintf(bp,sizeofbp-1,STRVER, progname, VERSION);
    ..

$ ln -s radiusd %x
$ ./%x -v
./b77c0ff4 : YARD Radius Server 1.1 ...

So an attacker may control the memory and execute arbitrary code.

Debian bug report : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714612
CXSecurity.com : http://cxsecurity.com/issue/WLB-2013070028

Please assign a CVE number.

Thank you,
Hamid Zamani
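
The corrected form of the two call patterns quoted in the report, as an added example that is not YardRadius code and not the reporter's: the finished buffer is passed as data (`fputs`, `syslog(priority, "%s", ...)`) instead of as the format argument. `STRVER_DEMO`, `VERSION_DEMO` and the `*_safe` function names are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed stand-ins for the page's STRVER and VERSION (originals are elided). */
#define STRVER_DEMO  "%s : YARD Radius Server %s"
#define VERSION_DEMO "1.1"

/* progname is only ever an argument to a constant format, so a "%x" in
 * argv[0] is copied as two literal characters. */
int build_version_safe(char *bp, size_t n, const char *progname)
{
    return snprintf(bp, n, STRVER_DEMO, progname, VERSION_DEMO);
}

/* Replacement for fprintf(stderr, buffer): the finished buffer is data. */
int print_version_safe(FILE *out, const char *progname)
{
    char buffer[1024];
    build_version_safe(buffer, sizeof(buffer), progname);
    return fputs(buffer, out) == EOF ? -1 : 0;
}

/* Replacement for syslog(priority, buffer): expand the caller's format once,
 * then hand the result to syslog as a "%s" argument. The format attribute
 * (GCC/Clang) lets -Wformat -Wformat-security flag non-literal callers. */
__attribute__((format(printf, 4, 5)))
int log_msg_safe(int priority, char *out, size_t n, const char *fmt, ...)
{
    va_list args;
    int len;

    va_start(args, fmt);
    len = vsnprintf(out, n, fmt, args);
    va_end(args);
    syslog(priority, "%s", out);
    return len;
}

int main(void)
{
    char line[256];
    print_version_safe(stderr, "./%x");   /* program name from the report's demo */
    fputc('\n', stderr);
    log_msg_safe(LOG_INFO, line, sizeof(line), "login from %s", "%x.%x");
    return 0;
}
```

Building callers with `-Wformat -Wformat-security` makes GCC and Clang warn on any remaining call that passes a non-literal string with no arguments as the format.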