FreeRADIUS SMB_Connect_Server() buffer overflow

freeradius-smbconnectserver-bo (31248) The risk level is classified as HighHigh Risk

Description:

FreeRADIUS is vulnerable to a buffer overflow, caused by improper bounds checking by the SMB_Connect_Server() function of the SMB_Handle_Type class. A user with local administrative privileges can update the configuration file to overflow a buffer when the server starts. This can only be exploited by users who have write access to the server configuration files.

Platforms Affected:

  • FreeRADIUS, FreeRADIUS 1.1.3 and prior

Remedy:

No remedy available as of December 2007.

Consequences:

Gain Privileges

References:

  • BugTraq Mailing List, Tue Jan 02 2007 - 06:10:50 CST , FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution at http://archives.neohapsis.com/archives/bugtraq/2007-01/0032.html.
  • FreeRADIUS Mailing List, Mon Jan 29 12:49:55 CET 2007, freeradius-smbconnectserver-bo (31248) feedback at https://lists.freeradius.org/pipermail/freeradius-devel/2007-January/010717.html.
  • CVE-2007-0080: ** DISPUTED ** Buffer overflow in the SMB_Connect_Server function in FreeRadius 1.1.3 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. NOTE: the impact of this issue has been disputed by a reliable third party and the vendor, who states that exploitation is limited only to local administrators who have write access to the server configuration files. CVE concurs with the dispute.
  • SECTRACK ID: 1017463: [Vendor Disputes Security Impact] FreeRADIUS Buffer Overflow in SMB_Connect_Server() Function Lets Local Users Execute Arbitrary Code

Reported:

Jan 02, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page