Vendor statement re: CVE-2007-0080
3APA3A at SECURITY.NNOV.RU
Tue Jan 30 17:20:27 CET 2007
Dear Alan, Robert,
To clarify: if user has access to configuration file he has multiple
_legal_ ways to execute external applications or code (e.g. use any
python code, specify any dynamic library as a plugin, specify any
external application as a processor for authentication request, etc) in
context of FreeRADIUS server.
That is, buffer overflow gives nothing to potential attacker. It doesn't
create any new attack vector.
--Monday, January 29, 2007, 8:13:13 PM, you wrote to chang_robert at bah.com:
AD> -----BEGIN PGP SIGNED MESSAGE-----
AD> Hash: SHA1
AD> Chang, Robert wrote:
>> Thank you for bringing this to our attention. I'm in the process of
>> updating this vulnerability with the vendor statement, the updated
>> evaluation, and the overview. I've read the Security Focus thread, and
>> I understand the vector of attack is through the manipulation of a
>> configuration file (stored locally).
>> However, it seems like obtaining
>> additional access privileges is still possible if a normal user was
>> given write/complete access to the program's directory.
AD> To me, that's a misconfiguration of local file permissions, and not a
AD> vulnerability in the server.
>> Could you
>> please confirm that a local user with full access to application's
>> directory cannot gain root access to the machine? If a local user can
>> gain root access, by default, Confidentiality, Integrity, and
>> Availability are set to complete.
AD> If a local user can write to the config files, then *any* server
AD> available on the net is vulnerable to this attack. There's no way for a
AD> server to reliably determine that users with write permission on the
AD> files are "authorized", or "unauthorized".
AD> Since many servers can be configured to execute arbitrary programs,
AD> this "vulnerability" would appear to be common across a wide range of
AD> servers. And in any case, it has nothing whatsoever to do with the SMB
AD> buffer overflow. And users who cannot run arbitrary programs as root
AD> can still cause configuration file parse errors, and take down programs
AD> that are critical to a systems operation.
>> Each NVD vulnerability is based on
>> worst-case, so the final scoring would reflect the worst case of root
>> access. If this is impossible by design, then I'll be sure to update
>> the vulnerability accordingly. Thank you again for your help.
AD> Like many servers, FreeRADIUS permits arbitrary programs to be
AD> executed from the configuration files. Buffer overflows are
AD> unnecessary, as there are ways to configure the server to directly
AD> execute arbitrary programs. As a data point, I just tested Apache2. It
AD> is similarly "vulnerable" to the "exploit" of local file permissions,
AD> since it also is able to run as "root".
AD> If you list this as a vulnerability in FreeRADIUS, then I'm curious as
AD> to whether or not you'd accept a similar vulnerability notification for
AD> Apache2. If so, I will submit one. If not, please explain why.
AD> I'm also curious as to how the server can determine that users with
AD> write permission are not, in fact, authorized to write to the
AD> configuration files. Some minimal checking is possible, but it does not
AD> help in all circumstances, and it can likewise be bypassed by local file
AD> permission misconfigurations.
AD> Alan DeKok
AD> Project Leader
AD> The FreeRADIUS Server Project
AD> PGP key: http://firstname.lastname@example.org
AD> -----BEGIN PGP SIGNATURE-----
AD> Version: GnuPG v1.4.6 (MingW32)
AD> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
AD> -----END PGP SIGNATURE-----
AD> List info/subscribe/unsubscribe? See
Ñóùåñòâóþ ëèøü ÿ ñàì, íèêóäà íå ëåòÿ. (Ëåì)
More information about the Freeradius-Devel