Apache mod_auth_radius Malformed RADIUS Server Reply Integer Overflow Vulnerability
BID:12217
Info
Apache mod_auth_radius Malformed RADIUS Server Reply Integer Overflow Vulnerability
| Bugtraq ID: | 12217 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2005-0108 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 10 2005 12:00AM |
| Updated: | Jul 12 2009 09:27AM |
| Credit: | Discovery is credited to LSS Security <[email protected]>. |
| Vulnerable: |
mod_auth_radius mod_auth_radius 1.5.4 mod_auth_radius mod_auth_radius 1.5.2 mod_auth_radius mod_auth_radius 1.5 mod_auth_radius mod_auth_radius 1.3.9 Debian Linux 3.0 sparc Debian Linux 3.0 s/390 Debian Linux 3.0 ppc Debian Linux 3.0 mipsel Debian Linux 3.0 mips Debian Linux 3.0 m68k Debian Linux 3.0 ia-64 Debian Linux 3.0 ia-32 Debian Linux 3.0 hppa Debian Linux 3.0 arm Debian Linux 3.0 alpha Debian Linux 3.0 |
| Not Vulnerable: | |
Discussion
Apache mod_auth_radius Malformed RADIUS Server Reply Integer Overflow Vulnerability
mod_auth_radius is reported prone to an integer overflow vulnerability. This issue is due to an error in the application when handling server-supplied integer values before these values are employed as the size argument in a subsequent memory copy operation.
To exploit this vulnerability, an attacker must control a RADIUS server or intercept network traffic and send spoofed RADIUS replies to the Apache server. Successful exploitation may result in memory corruption and allow for arbitrary code execution.
All versions of mod_auth_radius are considered vulnerable at the moment.
mod_auth_radius is reported prone to an integer overflow vulnerability. This issue is due to an error in the application when handling server-supplied integer values before these values are employed as the size argument in a subsequent memory copy operation.
To exploit this vulnerability, an attacker must control a RADIUS server or intercept network traffic and send spoofed RADIUS replies to the Apache server. Successful exploitation may result in memory corruption and allow for arbitrary code execution.
All versions of mod_auth_radius are considered vulnerable at the moment.
Exploit / POC
Apache mod_auth_radius Malformed RADIUS Server Reply Integer Overflow Vulnerability
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
A proof of concept is available:
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
A proof of concept is available:
Solution / Fix
Apache mod_auth_radius Malformed RADIUS Server Reply Integer Overflow Vulnerability
Solution:
Debian Linux has released advisory DSA-659-1 addressing this issue. Please see the referenced advisory for more information.
Debian Linux 3.0 hppa
Debian Linux 3.0 ppc
Debian Linux 3.0 s/390
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0 mips
Debian Linux 3.0 ia-32
Debian Linux 3.0 mipsel
Debian Linux 3.0 m68k
Debian Linux 3.0 sparc
Debian Linux 3.0 ia-64
Solution:
Debian Linux has released advisory DSA-659-1 addressing this issue. Please see the referenced advisory for more information.
Debian Linux 3.0 hppa
-
Debian libpam-radius-auth_1.3.14-1.3_hppa.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_hppa.deb
Debian Linux 3.0 ppc
-
Debian libpam-radius-auth_1.3.14-1.3_powerpc.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_powerpc.deb
Debian Linux 3.0 s/390
-
Debian libpam-radius-auth_1.3.14-1.3_s390.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_s390.deb
Debian Linux 3.0 arm
-
Debian libpam-radius-auth_1.3.14-1.3_arm.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_arm.deb
Debian Linux 3.0 alpha
-
Debian libpam-radius-auth_1.3.14-1.3_alpha.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_alpha.deb
Debian Linux 3.0 mips
-
Debian libpam-radius-auth_1.3.14-1.3_mips.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_mips.deb
Debian Linux 3.0 ia-32
-
Debian libpam-radius-auth_1.3.14-1.3_i386.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_i386.deb
Debian Linux 3.0 mipsel
-
Debian libpam-radius-auth_1.3.14-1.3_mipsel.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_mipsel.deb
Debian Linux 3.0 m68k
-
Debian libpam-radius-auth_1.3.14-1.3_m68k.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_m68k.deb
Debian Linux 3.0 sparc
-
Debian libpam-radius-auth_1.3.14-1.3_sparc.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_sparc.deb
Debian Linux 3.0 ia-64
-
Debian libpam-radius-auth_1.3.14-1.3_ia64.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/libp/libpam-radius-auth/l ibpam-radius-auth_1.3.14-1.3_ia64.deb
References
Apache mod_auth_radius Malformed RADIUS Server Reply Integer Overflow Vulnerability
References:
References:
- mod_auth_radius Home Page (mod_auth_radius)