Vendor statement re: CVE-2007-0080

Alan DeKok aland at freeradius.org
Mon Jan 29 18:13:13 CET 2007



Chang, Robert wrote:
> Thank you for bringing this to our attention.  I'm in the process of
> updating this vulnerability with the vendor statement, the updated
> evaluation, and the overview.  I've read the Security Focus thread, and
> I understand the vector of attack is through the manipulation of a
> configuration file (stored locally).

  Yes.

>  However, it seems like obtaining
> additional access privileges is still possible if a normal user was
> given write/complete access to the program's directory.

  To me, that's a misconfiguration of local file permissions, and not a
vulnerability in the server.

>  Could you
> please confirm that a local user with full access to the application's
> directory cannot gain root access to the machine?  If a local user can
> gain root access, by default, Confidentiality, Integrity, and
> Availability are set to complete.

  If a local user can write to the config files, then *any* server
available on the net is vulnerable to this attack.  There's no way for a
server to reliably determine that users with write permission on the
files are "authorized", or "unauthorized".

  Since many servers can be configured to execute arbitrary programs,
this "vulnerability" would appear to be common across a wide range of
servers.  And in any case, it has nothing whatsoever to do with the SMB
buffer overflow.  And users who cannot run arbitrary programs as root
can still cause configuration file parse errors, and take down programs
that are critical to a system's operation.

>  Each NVD vulnerability is based on
> worst-case, so the final scoring would reflect the worst case of root
> access.  If this is impossible by design, then I'll be sure to update
> the vulnerability accordingly.  Thank you again for your help.

  Like many servers, FreeRADIUS permits arbitrary programs to be
executed from the configuration files.  Buffer overflows are
unnecessary, as there are ways to configure the server to directly
execute arbitrary programs.  As a data point, I just tested Apache2.  It
is similarly "vulnerable" to the "exploit" of local file permissions,
since it also is able to run as "root".

  If you list this as a vulnerability in FreeRADIUS, then I'm curious as
to whether or not you'd accept a similar vulnerability notification for
Apache2.  If so, I will submit one.  If not, please explain why.

  I'm also curious as to how the server can determine that users with
write permission are not, in fact, authorized to write to the
configuration files.  Some minimal checking is possible, but it does not
help in all circumstances, and it can likewise be bypassed by local file
permission misconfigurations.

  Alan DeKok
  Project Leader
  The FreeRADIUS Server Project
  PGP key: http://freeradius.org/pgp/aland@freeradius.org
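The "minimal checking" the message mentions, as an added example that is not FreeRADIUS code: before loading a configuration file, refuse it if the file or its directory is owned by an unexpected uid, is writable by group or others, or is a symlink. The function names `config_permission_problems` and `demo` and the sample config are constructed for this illustration; as the message says, the check cannot see a second user sharing the server's uid or an ACL that the mode bits do not show, so it narrows the window but does not close it.

```python
from __future__ import annotations

import os
import stat
import tempfile


def config_permission_problems(path: str) -> list[str]:
    """Return the reasons (empty if none) a config file should not be trusted.

    Hypothetical pre-load check: the file and the directory that contains it
    must be owned by root or by the user running the server, and neither may
    be writable by group or others. It does not detect ownership confusion
    (another user running as the server's uid) or extended ACLs.
    """
    problems: list[str] = []
    trusted_uids = {0, os.geteuid()}
    directory = os.path.dirname(os.path.abspath(path))
    for label, target in (("file", path), ("directory", directory)):
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            problems.append(f"{label} {target} is owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} {target} is group- or world-writable")
    if os.path.islink(path):
        problems.append(f"{path} is a symlink")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: the same config with sane bits, then world-writable."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        cfg = os.path.join(d, "example.conf")
        with open(cfg, "w") as f:
            f.write("# constructed placeholder configuration\n")
        os.chmod(cfg, 0o644)
        ok = config_permission_problems(cfg)   # expected: []
        os.chmod(cfg, 0o666)
        bad = config_permission_problems(cfg)  # expected: one world-writable finding
    return ok, bad


if __name__ == "__main__":
    print(demo())
```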