Kevin Kadow <kadokev@ripco.com> wrote:
:) I assume everybody is aware of the _NEW_ buffer overflow security hole
:) in radiusd? Last week's just invoked a memory leak to eventually crash
:) the server, this one is a full-fledged root hole.
:) Although RDIST suggests running 'radiusd' chroot, chroot is not a
:) panacea for security holes that yield root. Ideally the program would
:) bind the radius and radacct ports, chroot, then run setuid as a unique,
:) unprivileged user (like some HTTPDs), preferably a user that isn't
:) allowed to rlogin... (see why below).
:) The quickie patch to fix this buffer overflow in Livingston Radius 1.16
:) follows:
:) #---[ cut here ]---
:) 58a59
:) > static char hostnamebuffer[100];
:) 67c68,69
:) < return(hp->h_name);
:) ---
:) > strncpy(hostnamebuffer, hp->h_name, 99);
:) > return(hostnamebuffer);
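Review bot: strncpy(hostnamebuffer, hp->h_name, 99) bounds the copy but does not close the reported hole: the callers sprintf() this name together with message text into 128-byte stack buffers, so a 99-byte name leaves only 28 bytes for the rest of the message and any longer prefix still overruns. The bound belongs at the sprintf() sites as well (snprintf() where available, or a "%.Ns" precision on the hostname), not only in ip_hostname(). Also, the copy relies on the static buffer's zero initialisation for the terminating NUL when h_name is 99 bytes or longer; an explicit hostnamebuffer[99] = '\0' would make that intent visible.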
:) #---[ cut here ]---
_NEW_ when it was announced on BUGTRAQ over a month ago? I don't think
this patch really helps. The problem is that it is sprintf'd along with
other stuff into 128-byte buffers that overflow. Are you sure 28 bytes is
enough for all of those other strings?
Steven P. Crain scrain@shore.net
Unix Administration and Programming
North Shore Access
---------- Forwarded message ----------
From: Brian Mitchell <brian@SATURN.NET>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Subject: radius
Date: Thu, 25 Jul 1996 02:05:03 -0400
There appear to be a few slight problems, overflow-wise, in the radius
daemon. It uses a function called ip_hostname() (in util.c). This function
returns the hostname; it uses a static variable (128 bytes).
This in and of itself is not a good thing; however, this returned hostname is
sprintf()'d a few times in the event of an error. Here is the
ip_hostname() function (util.c) and a list of functions (from radiusd.c)
that contain problems. Searching for ip_hostname() in radiusd.c is useful.
First, the ip_hostname() code:
/* ip_hostname() from util.c of Livingston Radius 1.16, as posted.
 * UINT4 and ipaddr2str() come from the radius sources and are not shown. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

char *
ip_hostname(ipaddr)
UINT4 ipaddr;
{
	struct hostent *hp;
	static char hstname[128];	/* only used when the reverse lookup fails */
	UINT4 n_ipaddr;

	n_ipaddr = htonl(ipaddr);
	hp = gethostbyaddr((char *)&n_ipaddr, sizeof (struct in_addr),
		AF_INET);
	if (hp == 0) {
		ipaddr2str(hstname, ipaddr);	/* dotted quad, always fits */
		return(hstname);
	}
	return(hp->h_name);	/* whatever length the DNS reply carried */
}
Most of these functions use a 128 byte char array that is stored on the
stack. They sprintf() a message + ip_hostname() to it and use msg as an
argument to log_err().
rad_spawn_child()
rad_passchange()
calc_digest()
Brian Mitchell brian@saturn.net
"I never give them hell. I just tell the truth and they think it's hell"
-- H. Truman
------- End -------
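An added C illustration of the length arithmetic in the reply above; it is not code from the radius sources or from either poster. It models a caller that formats message text plus the hostname into a 128-byte msg[] and shows that a hostname capped at 99 bytes still only fits when the rest of the message is 28 bytes or fewer; the hardened variant bounds the write with snprintf() and reports truncation instead. MSG_LEN, HOSTNAME_CAP and the two prefix strings are constructed for this example.

```c
/* Constructed model of the radiusd caller pattern: a 128-byte stack buffer
 * filled by sprintf(msg, "<text>%s", ip_hostname(addr)). Nothing here
 * performs the overflow; it computes whether the write would fit. */
#include <stdio.h>
#include <string.h>

#define MSG_LEN 128          /* size of the callers' msg[] arrays */
#define HOSTNAME_CAP 99      /* longest name the strncpy(..., 99) patch returns */

/* Constructed prefixes: exactly 28 bytes (the most a 99-byte name leaves
 * room for) and 29 bytes (one too many). */
#define PREFIX_28 "0123456789012345678901234567"
#define PREFIX_29 "01234567890123456789012345678"

/* Bytes the unbounded sprintf() would write, terminating NUL included. */
size_t bytes_written(const char *prefix, const char *hostname)
{
    return strlen(prefix) + strlen(hostname) + 1;
}

/* 1 if the original sprintf() stays inside a MSG_LEN buffer, else 0. */
int fits_in_msg(const char *prefix, const char *hostname)
{
    return bytes_written(prefix, hostname) <= MSG_LEN;
}

/* Hardened caller: snprintf() never writes past MSG_LEN and returns the
 * length the full message needed, so truncation is detectable (return 1)
 * instead of silently overrunning the stack. */
int log_hostname_safe(char msg[MSG_LEN], const char *prefix, const char *hostname)
{
    int needed = snprintf(msg, MSG_LEN, "%s%s", prefix, hostname);
    return needed >= MSG_LEN;
}

/* Longest name the patched ip_hostname() could hand back (constructed). */
const char *max_patched_hostname(void)
{
    static char name[HOSTNAME_CAP + 1];
    memset(name, 'a', HOSTNAME_CAP);
    name[HOSTNAME_CAP] = '\0';
    return name;
}
```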