oss-sec mailing list archives
Re: CVE Request : Radius Daemon (YardRadius v1.1.2-4 ) Multiple Format String Vulnerabilities
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 19 Jul 2013 00:22:31 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/18/2013 06:52 PM, Hamid Zamani wrote:
Hello, Software name : YardRadius Version : 1.1.2-4 Several Format String Vulnerabilites was found in latest YardRadius . Description : src/log.c : void log_msg(int priority,char *fmt, va_list args) { ... char buffer[1024]; ... vfprintf(msgfd, fmt, args); ... vsnprintf(buffer,1024,fmt, args); #if defined(HAVE_SYSLOG) syslog(priority, buffer); //! if buff filled by "%x" so an attacker can see the addresses and ... ... vsyslog(priority, fmt, args); ... } ############ src/version.c : #define STRVER "%s : YARD Radius Server %s ... $ " void version(void) { char buffer[1024]; build_version(buffer,sizeof(buffer)); fprintf(stderr, buffer); exit(-1); } ... void build_version(char *bp,size_t sizeofbp) { snprintf(bp,sizeofbp-1,STRVER, progname, VERSION); .. $ ln -s radiusd %x $ ./%x -v ./b77c0ff4 : YARD Radius Server 1.1 ... So an attacker may control the memory and execute arbitrary codes. Debian bug report : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714612 CXSecurity.com : http://cxsecurity.com/issue/WLB-2013070028 Please assign a CVE number. Thank you, Hamid Zamani
Please use CVE-2013-4147 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR6NsnAAoJEBYNRVNeJnmTbngQAMuOzgrhySXyiDUopLXrAby1 yZ3OhUcLyraU1NJFdhNRXSLqZL9XIdsPhgpQrzzntKyrNc30UbnCXbwENIigT6pL NjycD1gErK49nzy2iDOm1o5dB3GfCPHQPKmRKbvNbHiEq4nZbBlEBswOBPoY2wX+ ArBgGuuVrLSIJX6KCfUbpMqqjlc5S5TkLQeGRYvioR1VOIo4JSw0Ur1mM9A3LRqq dkwsjt8RtlrJAFlYpGuW2BKR14l0cyrXC8Vwp+kpohDkMbwl8HS7WTrZjxA5bpec 1umxlBflWtTQqtUzKQFUu8T23R7IyNLYQd3n4bpKFN3xRiBv+Wbfhmixkl7YmoE6 qBtFlM4U/a7tNrmQokB/Ymq6umLid1VhzWvH+em1FmJqUvJn5gjvm9O2nTEAFzLV 5xzVXfTsEKaGEYtk5/+4BJzY1l5PQb9mY/4hawYzZ9qf1GyjgNGfWco32UpMEr8v GDBI0b4aF4yD75RkRO/ZHAIwhewNTmkYeMIsj2TpeZhBPxWxt4Fym1btvLCct/fW r19InNLe0pyeE7aVe3Ig9Qt4vq7K2oMwH9zvfdEN0xZYGEtRf2b8TaVTOwJhAjy8 dE6xF0KvLLgDAHAiI7ZVp13wfVUuZ9Pa12Tb9Ype94HIUj89smlj6cteIKarrM3B PXxw8gsgxAYD0SHJJYD4 =bORy -----END PGP SIGNATURE-----
Current thread:
- CVE Request : Radius Daemon (YardRadius v1.1.2-4 ) Multiple Format String Vulnerabilities Hamid Zamani (Jul 18)
- Re: CVE Request : Radius Daemon (YardRadius v1.1.2-4 ) Multiple Format String Vulnerabilities Kurt Seifried (Jul 18)