Vendor statement re: CVE-2007-0080

3APA3A 3APA3A at SECURITY.NNOV.RU
Tue Jan 30 17:20:27 CET 2007


Dear Alan, Robert,

To clarify: if a user has access to the configuration file, he has multiple
_legal_ ways to execute external applications or code (e.g. use any Python
code, specify any dynamic library as a plugin, specify any external
application as a processor for an authentication request, etc.) in the
context of the FreeRADIUS server.

That is, the buffer overflow gives nothing to a potential attacker. It doesn't
create any new attack vector.

--Monday, January 29, 2007, 8:13:13 PM, you wrote to chang_robert at bah.com:

AD> -----BEGIN PGP SIGNED MESSAGE-----
AD> Hash: SHA1

AD> Chang, Robert wrote:
>>    Thank you for bringing this to our attention.  I'm in the process of
>> updating this vulnerability with the vendor statement, the updated
>> evaluation, and the overview.  I've read the Security Focus thread, and
>> I understand the vector of attack is through the manipulation of a
>> configuration file (stored locally).

AD>   Yes.

>>  However, it seems like obtaining
>> additional access privileges is still possible if a normal user was
>> given write/complete access to the program's directory.

AD>   To me, that's a misconfiguration of local file permissions, and not a
AD> vulnerability in the server.

>>  Could you
>> please confirm that a local user with full access to application's
>> directory cannot gain root access to the machine?  If a local user can
>> gain root access, by default, Confidentiality, Integrity, and
>> Availability are set to complete.

AD>   If a local user can write to the config files, then *any* server
AD> available on the net is vulnerable to this attack.  There's no way for a
AD> server to reliably determine that users with write permission on the
AD> files are "authorized", or "unauthorized".

AD>   Since many servers can be configured to execute arbitrary programs,
AD> this "vulnerability" would appear to be common across a wide range of
AD> servers.  And in any case, it has nothing whatsoever to do with the SMB
AD> buffer overflow.  And users who cannot run arbitrary programs as root
AD> can still cause configuration file parse errors, and take down programs
AD> that are critical to a system's operation.

>>  Each NVD vulnerability is based on
>> worst-case, so the final scoring would reflect the worst case of root
>> access.  If this is impossible by design, then I'll be sure to update
>> the vulnerability accordingly.  Thank you again for your help.

AD>   Like many servers, FreeRADIUS permits arbitrary programs to be
AD> executed from the configuration files.  Buffer overflows are
AD> unnecessary, as there are ways to configure the server to directly
AD> execute arbitrary programs.  As a data point, I just tested Apache2.  It
AD> is similarly "vulnerable" to the "exploit" of local file permissions,
AD> since it also is able to run as "root".

AD>   If you list this as a vulnerability in FreeRADIUS, then I'm curious as
AD> to whether or not you'd accept a similar vulnerability notification for
AD> Apache2.  If so, I will submit one.  If not, please explain why.

AD>   I'm also curious as to how the server can determine that users with
AD> write permission are not, in fact, authorized to write to the
AD> configuration files.  Some minimal checking is possible, but it does not
AD> help in all circumstances, and it can likewise be bypassed by local file
AD> permission misconfigurations.

AD>   Alan DeKok
AD>   Project Leader
AD>   The FreeRADIUS Server Project
AD>   PGP key: http://freeradius.org/pgp/aland@freeradius.org
AD> -----BEGIN PGP SIGNATURE-----
AD> Version: GnuPG v1.4.6 (MingW32)
AD> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

AD> iQCVAwUBRb4rKakul4vkAkl9AQL6twP9EYmIxtWKmLMM5aeGvNNgznb6D43+Nlx3
AD> nL1yxSkFbN7bjYqKtPQ74MdDH4RaI3jYJktqOb8vqRrl3cxq/NBK67w1gC8y3tOT
AD> qqsVkjw5gHi6hYC4i79p2lVG/7SvFo2BTdAhlgkqewxNIYFcKAqdGUmjGsB+azfk
AD> 5yRQE1y+nzA=
AD> =BxuH
AD> -----END PGP SIGNATURE-----
AD> - 
AD> List info/subscribe/unsubscribe? See
AD> http://www.freeradius.org/list/devel.html


-- 
~/ZARAZA
Only I myself exist, flying nowhere. (Lem)
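The practical takeaway of the thread is that the file permissions on the configuration tree, not the overflow, are what decide who can run code as the server. The following is an added audit script, not code from the thread or from the FreeRADIUS project: it lists config files under a directory that are group- or world-writable, and lists directives that point the server at an external program or loadable code. It assumes a FreeRADIUS-style config tree (the default path /etc/raddb is an assumption) and that `program`, `libdir` and `python_path` are the directive names worth flagging; adjust the pattern for the modules actually in use.

```shell
#!/bin/sh
# Added audit helper for the argument made in the thread: a config file that a
# non-root user can write is itself full code execution as the server's user.
# This is not FreeRADIUS code. Assumptions: a FreeRADIUS-style config tree
# (default path /etc/raddb is assumed), and that the directives grepped for
# (program, libdir, python_path) are the ones that name a program or library
# the server will run or load.

# List regular files under $1 whose group or other write bit is set.
# -perm -0020 tests the group write bit, -perm -0002 the other write bit.
find_writable_configs() {
    dir="$1"
    find "$dir" -type f \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# List "file:line:text" for directives that point the server at an external
# program or loadable code. The /dev/null argument forces grep to prefix the
# file name even when find hands it a single file. No match is a normal
# result, not an error.
find_exec_directives() {
    dir="$1"
    find "$dir" -type f -exec grep -nE \
        '^[[:space:]]*(program|libdir|python_path)[[:space:]]*=' /dev/null {} + \
        2>/dev/null || true
}

# Stand-alone use: sh audit_raddb.sh /etc/raddb
if [ $# -gt 0 ]; then
    for d in "$@"; do
        echo "== files writable by group or others under $d"
        find_writable_configs "$d"
        echo "== directives that run or load external code under $d"
        find_exec_directives "$d"
    done
fi
```

Any file reported by the first function, combined with any directive reported by the second, is the "legal" code-execution path the thread describes; the fix is `chown root` and `chmod 640` (or tighter) on the tree, not a change to the server.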