From owner-freebsd-bugbusters@FreeBSD.ORG Fri Feb 14 19:53:11 2014
From: Alan DeKok
Date: Fri, 14 Feb 2014 14:52:32 -0500
To: Pierre Carrier
Cc: secalert, pkgsrc-security, security@ubuntu.com, security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org, bugbusters, product.security@airbnb.com
Subject: Re: freeradius denial of service in authentication flow
Message-ID: <52FE7400.4000808@freeradius.org>
References: <52FC1916.4060501@freeradius.org>
List-Id: "Coordination of the Problem Report handling effort." (freebsd-bugbusters@freebsd.org)
Pierre Carrier wrote:
> rlm_pap.c, mod_authorize, case PW_SSHA_PASSWORD calls normify(request,
> vp, 20), which for base64-encoded values will invoke
> base64_decode(vp->strvalue, buffer).
> Nothing stops this base64_decode invocation from going over the buffer
> boundary, a uint8_t[64] on the stack.

  OK.  We've pushed changes to the v2.x.x, v3.0.x, and master branches.
See commit 0d606cfc29a in the v2.x.x branch, and ff5147c9e5088c7 in
v3.0.x.

  The "master" branch doesn't have an official release, so downstream
users don't need to do anything for it.

> Indeed, it is not a remote DoS, and I agree the practical implications
> aren't too scary.

  Yes.

> But, as a hypothetical, convoluted illustration:
> A disgruntled employee could prevent all access to a company's
> internal network without out-of-band intervention, including from
> remote locations if the Radius infrastructure is centralized.
> Such internal network access could be needed to revoke their credentials.

  And would be discovered pretty quickly.

  Alan DeKok.
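The defect described in the quoted report is a decode step that writes into a fixed 64-byte stack buffer without comparing the decoded length against that buffer. The following is an added example, not FreeRADIUS's base64_decode or normify() and not the code in the commits named above: a hypothetical bounded base64 decoder (base64_decode_bounded) that checks the remaining capacity before every byte it writes, and a hypothetical normify_password() stand-in that decodes into a 64-byte buffer and enforces a minimum decoded length (20, the value the report shows being passed for SSHA). The zero_bytes_b64() helper only constructs sample inputs of a chosen decoded length; the SSHA-style 28-byte value, the 100-byte over-long value and the "SGVsbG8=" literal are constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same size as the stack buffer named in the report; hypothetical name. */
#define NORMIFY_BUF_LEN 64

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/*
 * Decode base64 text into dst without ever writing past dstlen bytes.
 * Returns the number of bytes written, or -1 if the input is malformed or
 * the decoded output would not fit. The capacity check runs before each
 * write, so an over-long value is rejected instead of overflowing dst.
 */
long base64_decode_bounded(const char *src, uint8_t *dst, size_t dstlen)
{
    size_t out = 0, pad = 0;
    uint32_t acc = 0;
    int bits = 0;

    for (const char *p = src; *p != '\0'; p++) {
        if (*p == '=') { pad++; continue; }
        if (pad) return -1;                      /* data after padding */
        int v = b64_value((unsigned char)*p);
        if (v < 0) return -1;                    /* not a base64 character */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dstlen) return -1;        /* would overflow caller's buffer */
            dst[out++] = (uint8_t)((acc >> bits) & 0xffu);
        }
    }
    if (pad > 2) return -1;
    return (long)out;
}

/*
 * Hypothetical stand-in for the normify() step in the report: the value is
 * base64-decoded into a 64-byte stack buffer, and min_len (20 for SSHA) is
 * the shortest decoded length the caller will accept. Returns the decoded
 * length, or -1 when the value is rejected.
 */
long normify_password(const char *value, size_t min_len)
{
    uint8_t buffer[NORMIFY_BUF_LEN];
    long n = base64_decode_bounded(value, buffer, sizeof buffer);
    if (n < 0 || (size_t)n < min_len) return -1;
    return n;
}

/* Constructed sample input: base64 text that decodes to nbytes zero bytes.
   Returns 0 on success, -1 if out is too small. */
int zero_bytes_b64(size_t nbytes, char *out, size_t outlen)
{
    size_t full = nbytes / 3, rem = nbytes % 3, i = 0;
    if (4 * ((nbytes + 2) / 3) + 1 > outlen) return -1;
    for (size_t g = 0; g < full; g++) { memcpy(out + i, "AAAA", 4); i += 4; }
    if (rem == 1) { memcpy(out + i, "AA==", 4); i += 4; }
    if (rem == 2) { memcpy(out + i, "AAA=", 4); i += 4; }
    out[i] = '\0';
    return 0;
}

int main(void)
{
    char sample[160];
    zero_bytes_b64(28, sample, sizeof sample);   /* SSHA-like: 20-byte digest + 8-byte salt */
    printf("28-byte value  -> %ld\n", normify_password(sample, 20));
    zero_bytes_b64(100, sample, sizeof sample);  /* longer than the 64-byte buffer */
    printf("100-byte value -> %ld (rejected)\n", normify_password(sample, 20));
    zero_bytes_b64(16, sample, sizeof sample);   /* shorter than the SSHA minimum */
    printf("16-byte value  -> %ld (rejected)\n", normify_password(sample, 20));
    return 0;
}
```

The point of the example is where the check sits: inside the decoder, against the destination size the caller passes, rather than in the caller after the fact. A decoder that takes no destination length has no way to refuse an over-long value, which is exactly the situation the report describes.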