freeradius-smbconnectserver-bo (31248) feedback

Alan DeKok aland at freeradius.org
Mon Jan 29 12:49:55 CET 2007


  Please update your database with the following vendor statement re:
the FreeRADIUS SMB_Connect_Server issue.

- -- Official Vendor Statement from the FreeRADIUS Server project

This issue is not a security vulnerability.  The exploit is available
only to local administrators who have write access to the server
configuration files.  As such, this issue has no security impact on any
system running FreeRADIUS.

- -- Official Vendor Statement from the FreeRADIUS Server project

  The current "Description" is, in fact, nonsensical:

> By sending a specially-crafted SMB request containing a malformed
> Con_Handle parameter, a remote attacker could overflow a buffer and
> execute arbitrary code on the system.

  "Con_Handle" is a data structure inside of the server, and is
therefore never sent in a SMB request.  The issue is not remotely
exploitable, and we are curious as to how ISS arrived at the above text.
 The original notification did not state that the problem was remotely
exploitable.

  We suggest the following text for the Description, Remedy, and
Consequences sections:

- -- Description

FreeRADIUS is vulnerable to a buffer overflow, caused by improper bounds
checking by the SMB_Connect_Server() function of the SMB_Handle_Type
class.  Local administrators can update the configuration file to
overflow a buffer when the server starts.  This issue cannot be
exploited remotely, and can only be exploited by users who have write
access to the server configuration files.

- -- Description:

- -- Remedy:

Administrators should ensure that unauthorized users do not have write
access to the server configuration files.

- -- Remedy:

- -- Consequences:

None.

- -- Consequences:

  This issue is not a real vulnerability, and we therefore request that
you update your database to indicate that.

  Alan DeKok.
  Project Leader
  The FreeRADIUS Server Project
