oss-sec mailing list archives
Re: CVE Request : Radius Daemon (YardRadius v1.1.2-4 ) Multiple Format String Vulnerabilities
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 19 Jul 2013 00:22:31 -0600
On 07/18/2013 06:52 PM, Hamid Zamani wrote:
Hello,
Software name : YardRadius Version : 1.1.2-4
Several Format String Vulnerabilities were found in the latest YardRadius.
Description :
src/log.c :
void
log_msg(int priority,char *fmt, va_list args)
{
    ...
    char buffer[1024];
    ...
    vfprintf(msgfd, fmt, args);
    ...
    vsnprintf(buffer,1024,fmt, args);
#if defined(HAVE_SYSLOG)
    syslog(priority, buffer); //! if buff filled by "%x" so an attacker can see the addresses and ...
    ...
    vsyslog(priority, fmt, args);
    ...
}
############
src/version.c :
#define STRVER "%s : YARD Radius Server %s ... $ "
void
version(void)
{
    char buffer[1024];
    build_version(buffer,sizeof(buffer));
    fprintf(stderr, buffer);
    exit(-1);
}
...
void
build_version(char *bp,size_t sizeofbp)
{
    snprintf(bp,sizeofbp-1,STRVER, progname, VERSION);
..
$ ln -s radiusd %x
$ ./%x -v
./b77c0ff4 : YARD Radius Server 1.1 ...
So an attacker may control the memory and execute arbitrary code.
Debian bug report :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714612
CXSecurity.com : http://cxsecurity.com/issue/WLB-2013070028
Please assign a CVE number.
Thank you, Hamid Zamani
Please use CVE-2013-4147 for this issue.
--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
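The two calls reported in this thread (`syslog(priority, buffer)` in src/log.c and `fprintf(stderr, buffer)` in src/version.c) rewritten so the already-formatted string is passed as a `%s` argument; this is an added example, not part of the thread and not YardRadius's own fix. `version_safe`, `log_msg_safe` and `log_line` are hypothetical names, `VERSION` is assumed from the quoted `./%x -v` output, and the inputs in `main` are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define VERSION "1.1"                        /* assumed, from the quoted "./%x -v" output */
#define STRVER  "%s : YARD Radius Server %s" /* page's STRVER with the elided tail dropped */

/* First pass: progname is an argument here, so a "%x" in it is copied as text. */
static void build_version(char *bp, size_t n, const char *progname) {
    snprintf(bp, n, STRVER, progname, VERSION);
}

/* Hardened version(): the finished banner is data, never a format string.
 * Form quoted in the report: fprintf(stderr, buffer); */
static const char *version_safe(FILE *out, const char *progname) {
    static char buffer[1024];
    build_version(buffer, sizeof buffer, progname);
    fprintf(out, "%s\n", buffer);
    return buffer;
}

/* Hardened log_msg(): expand fmt exactly once, then hand the result to
 * syslog through "%s". Form quoted in the report: syslog(priority, buffer); */
static const char *log_msg_safe(int priority, const char *fmt, va_list args) {
    static char buffer[1024];
    va_list copy;
    va_copy(copy, args);               /* leave the caller's va_list untouched */
    vsnprintf(buffer, sizeof buffer, fmt, copy);
    va_end(copy);
    syslog(priority, "%s", buffer);
    return buffer;
}

/* Hypothetical variadic front end; the attribute (GCC/Clang) makes the
 * compiler check each call site's format string against its arguments. */
__attribute__((format(printf, 2, 3)))
static const char *log_line(int priority, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    const char *s = log_msg_safe(priority, fmt, ap);
    va_end(ap);
    return s;
}

int main(void) {
    version_safe(stderr, "%x");                       /* constructed argv[0] */
    puts(log_line(LOG_INFO, "login: %s", "%x%x%n"));  /* constructed log field */
}
```

Compiling the original calls with GCC's `-Wformat -Wformat-security` reports both as format strings that are not literals.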
