oss-sec mailing list archives

CVE Request : Radius Daemon (YardRadius v1.1.2-4) Multiple Format String Vulnerabilities


From: Hamid Zamani <me () hamidx9 ir>
Date: Fri, 19 Jul 2013 05:22:52 +0430

Hello, 

Software name : YardRadius 
Version : 1.1.2-4

Several format string vulnerabilities were found in the latest YardRadius.

Description :

src/log.c :

void
log_msg(int priority, char *fmt, va_list args)
{
...
        char buffer[1024];
...
        vfprintf(msgfd, fmt, args);
...
        vsnprintf(buffer, 1024, fmt, args);
#if defined(HAVE_SYSLOG)
        syslog(priority, buffer); //! buffer is used as the format string: if it is filled with "%x", an attacker can read addresses from the stack and ...
...
        vsyslog(priority, fmt, args);
...
}


############

src/version.c :

#define  STRVER "%s : YARD Radius Server %s ... $ "

void
version(void)
{
       char buffer[1024];

       build_version(buffer, sizeof(buffer));
       fprintf(stderr, buffer);
       exit(-1);
}

...

void
build_version(char *bp, size_t sizeofbp)
{
       snprintf(bp, sizeofbp-1, STRVER, progname, VERSION);
...

$ ln -s radiusd %x
$ ./%x -v
./b77c0ff4 : YARD Radius Server 1.1 ...



So an attacker may control memory and execute arbitrary code.
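For reference, the corrected form of both call sites, written as an added example here and not taken from YardRadius or the Debian fix. The function names (build_version_fixed, version_fixed, render_log_line, count_conversions), the DEMO_VERSION constant and the sample inputs are assumptions constructed for the demonstration; STRVER is the constant quoted above. The fix in each case is the same: the only format string is a compile-time literal, and any buffer that has already been formatted is handed to fprintf/syslog as a "%s" argument rather than as the format itself.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Format string as quoted in the advisory (src/version.c). */
#define STRVER "%s : YARD Radius Server %s ... $ "

/* Hypothetical version constant for the example; the real one comes from the build. */
#define DEMO_VERSION "1.1"

/* Hardened build_version(): the only format string is the constant STRVER.
 * progname (derived from argv[0], which a local user controls through a
 * symlink) is consumed as a %s argument, so "%x" in it stays literal.
 * snprintf() already reserves room for the NUL, so sizeofbp-1 is unnecessary. */
int build_version_fixed(char *bp, size_t sizeofbp, const char *progname,
                        const char *version)
{
    return snprintf(bp, sizeofbp, STRVER, progname, version);
}

/* Hardened version(): the rendered buffer is emitted behind a literal "%s",
 * never as the format (the advisory's bug is fprintf(stderr, buffer)). */
int version_fixed(FILE *out, const char *progname)
{
    char buffer[1024];
    build_version_fixed(buffer, sizeof buffer, progname, DEMO_VERSION);
    return fprintf(out, "%s\n", buffer);
}

/* Hardened log_msg() core: apply the caller's fmt exactly once, then treat the
 * result as data.  Writing it into 'out' with "%s" is the same idiom a fixed
 * log_msg() uses for its sinks, i.e. fprintf(msgfd, "%s", buffer) and
 * syslog(priority, "%s", buffer) instead of passing buffer as the format. */
int render_log_line(char *out, size_t outlen, const char *fmt, ...)
{
    char buffer[1024];
    va_list args;

    va_start(args, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, args);
    va_end(args);

    return snprintf(out, outlen, "%s", buffer);
}

/* Audit helper: number of conversion specifications in s ("%%" is a literal
 * percent sign, not a conversion).  Any value for which this is non-zero must
 * reach printf/syslog only as an argument, never as the format string. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Constructed inputs: argv[0] as produced by the advisory's "ln -s radiusd %x"
 * trick, and a RADIUS user name that carries conversion specifiers. */
const char *demo_version_line(void)
{
    static char line[256];
    build_version_fixed(line, sizeof line, "./%x", DEMO_VERSION);
    return line;   /* "./%x : YARD Radius Server 1.1 ... $ " with %x left literal */
}

const char *demo_log_line(void)
{
    static char line[256];
    render_log_line(line, sizeof line, "login failed for user %s", "%x %x %s");
    return line;   /* "login failed for user %x %x %s" */
}

int main(void)
{
    version_fixed(stdout, "./%x");
    puts(demo_log_line());
    printf("conversions in user name: %d\n", count_conversions("%x %x %s"));
    return 0;
}
```

Compiling with -Wformat-security (gcc/clang) flags the original fprintf(stderr, buffer) and syslog(priority, buffer) calls as "format not a string literal and no format arguments", which is the quickest way to sweep a code base for this pattern.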


Debian bug report : 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714612

CXSecurity.com :
http://cxsecurity.com/issue/WLB-2013070028


Please assign a CVE number.

Thank you,
Hamid Zamani