Title: Lucent RADIUS Remote Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
The Lucent RADIUS implementation is a user authentication software package designed to offer enhanced security services to users needing remote access to various resources. The package is no longer maintained by Lucent, and is in the public domain.
A problem with the software package makes it possible for remote users to execute arbitrary code. In the event that this vulnerability is exploited, a remote user can gain local access to the system. The daemon, by default, runs as root, which also may allow a remote user to gain local administrative privileges.
Multiple buffer overflows within the Lucent RADIUS package may be used to compromise a remote system. Due to insufficient sanity checking of user-supplied data in various components of the package, such as the logging facilities of radiusd, it is possible for a remote user to cause a buffer overflow, which could overwrite variables on the stack, including the return address.
There have been a minimum of 11 different buffer overflows found throughout the Lucent RADIUS source code. Numerous routines within log.c, menu.c, version.c, radiusd.c, and users.c make use of functions which are inherently insecure.
sprintf() is used frequently. The sprintf function is used to construct a string using printf functionality and store it in a supplied buffer. sprintf does not enforce a size limit on the string being created. If attackers can force the creation of a string larger in size than the buffer to which it will be written, an overrun can occur.
Another commonly occurring problem within the program is the use of strcpy(), which performs unbounded copies of one string to another. This function can be exploited to cause a buffer overflow and code execution.
Finally, there are off-by-one buffer overflows within the program that may be exploitable by attackers to execute arbitrary code and potentially gain elevated privileges.
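An added example, not code from the Lucent RADIUS source: the three unsafe patterns described above, shown next to bounded replacements that report truncation instead of overrunning the buffer. The function names, the 64-byte buffer size and the log message format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOG_BUF 64  /* assumed size; the advisory gives no buffer sizes */

/* Unsafe forms named in the advisory, for contrast only (never called):
 *   sprintf(buf, "auth failed: %s", user);   strcpy(buf, user);
 *   buf[sizeof buf] = '\0';   <- off-by-one, writes one past the end */

/* Bounded sprintf() replacement: 0 = fit, 1 = truncated, -1 = error. */
int log_format(char *dst, size_t dstsz, const char *user)
{
    if (!dst || dstsz == 0 || !user) return -1;
    int n = snprintf(dst, dstsz, "auth failed: %s", user);
    if (n < 0) { dst[0] = '\0'; return -1; }
    return (size_t)n >= dstsz ? 1 : 0;
}

/* Bounded strcpy() replacement with the terminator kept in bounds. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (!dst || dstsz == 0 || !src) return -1;
    size_t len = strlen(src);
    size_t n = len < dstsz ? len : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';   /* n <= dstsz - 1, so never one past the end */
    return len >= dstsz ? 1 : 0;
}

/* Constructed check: oversized input must leave the guard bytes placed
 * directly after the buffer untouched. Returns 1 if intact. */
int guard_intact_after_oversized_input(void)
{
    struct { char buf[LOG_BUF]; char guard[8]; } s;
    char big[300];   /* constructed oversized user-supplied value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memset(s.guard, 0x5a, sizeof s.guard);
    int r1 = log_format(s.buf, sizeof s.buf, big);
    int r2 = copy_bounded(s.buf, sizeof s.buf, big);
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0x5a) return 0;
    return r1 == 1 && r2 == 1 && strlen(s.buf) == LOG_BUF - 1;
}

int main(void)
{
    printf("guard intact: %d\n", guard_intact_after_oversized_input());
    return 0;
}
```

A return value of 1 from either helper is worth logging or rejecting on its own, since a truncated attribute value in an authentication path usually indicates malformed or hostile input.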
Affected Products:
- Simon Horms RADIUS 2.1.0 -2