Dear Alan, Robert, To clarify: if user has access to configuration file he has multiple _legal_ ways to execute external applications or code (e.g. use any python code, specify any dynamic library as a plugin, specify any external application as a processor for authentication request, etc) in context of FreeRADIUS server. That is, buffer overflow gives nothing to potential attacker. It doesn't create any new attack vector. --Monday, January 29, 2007, 8:13:13 PM, you wrote to chang_robert@bah.com: AD> -----BEGIN PGP SIGNED MESSAGE----- AD> Hash: SHA1 AD> Chang, Robert wrote:
Thank you for bringing this to our attention. I'm in the process of updating this vulnerability with the vendor statement, the updated evaluation, and the overview. I've read the Security Focus thread, and I understand the vector of attack is through the manipulation of a configuration file (stored locally).
AD> Yes.
However, it seems like obtaining additional access privileges is still possible if a normal user was given write/complete access to the program's directory.
AD> To me, that's a misconfiguration of local file permissions, and not a AD> vulnerability in the server.
Could you please confirm that a local user with full access to application's directory cannot gain root access to the machine? If a local user can gain root access, by default, Confidentiality, Integrity, and Availability are set to complete.
AD> If a local user can write to the config files, then *any* server AD> available on the net is vulnerable to this attack. There's no way for a AD> server to reliably determine that users with write permission on the AD> files are "authorized", or "unauthorized". AD> Since many servers can be configured to execute arbitrary programs, AD> this "vulnerability" would appear to be common across a wide range of AD> servers. And in any case, it has nothing whatsoever to do with the SMB AD> buffer overflow. And users who cannot run arbitrary programs as root AD> can still cause configuration file parse errors, and take down programs AD> that are critical to a systems operation.
Each NVD vulnerability is based on worst-case, so the final scoring would reflect the worst case of root access. If this is impossible by design, then I'll be sure to update the vulnerability accordingly. Thank you again for your help.
AD> Like many servers, FreeRADIUS permits arbitrary programs to be AD> executed from the configuration files. Buffer overflows are AD> unnecessary, as there are ways to configure the server to directly AD> execute arbitrary programs. As a data point, I just tested Apache2. It AD> is similarly "vulnerable" to the "exploit" of local file permissions, AD> since it also is able to run as "root". AD> If you list this as a vulnerability in FreeRADIUS, then I'm curious as AD> to whether or not you'd accept a similar vulnerability notification for AD> Apache2. If so, I will submit one. If not, please explain why. AD> I'm also curious as to how the server can determine that users with AD> write permission are not, in fact, authorized to write to the AD> configuration files. Some minimal checking is possible, but it does not AD> help in all circumstances, and it can likewise be bypassed by local file AD> permission misconfigurations. AD> Alan DeKok AD> Project Leader AD> The FreeRADIUS Server Project AD> PGP key: http://freeradius.org/pgp/aland@freeradius.org AD> -----BEGIN PGP SIGNATURE----- AD> Version: GnuPG v1.4.6 (MingW32) AD> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org AD> iQCVAwUBRb4rKakul4vkAkl9AQL6twP9EYmIxtWKmLMM5aeGvNNgznb6D43+Nlx3 AD> nL1yxSkFbN7bjYqKtPQ74MdDH4RaI3jYJktqOb8vqRrl3cxq/NBK67w1gC8y3tOT AD> qqsVkjw5gHi6hYC4i79p2lVG/7SvFo2BTdAhlgkqewxNIYFcKAqdGUmjGsB+azfk AD> 5yRQE1y+nzA= AD> =BxuH AD> -----END PGP SIGNATURE----- AD> - AD> List info/subscribe/unsubscribe? See AD> http://www.freeradius.org/list/devel.html -- ~/ZARAZA Ñóùåñòâóþ ëèøü ÿ ñàì, íèêóäà íå ëåòÿ. (Ëåì)