From owner-freebsd-bugbusters@FreeBSD.ORG Wed Feb 12 22:55:07 2014
From: Pierre Carrier
Date: Wed, 12 Feb 2014 14:24:17 -0800
Subject: freeradius denial of service in authentication flow
To: security@freeradius.org, secalert, security@debian.org, security@ubuntu.com, pupykin.s+arch@gmail.com, pkgsrc-security, bugbusters, product.security@airbnb.com

Hello,

When freeradius verifies a password sent via RLM-PAP against an LDAP server, some passwords will cause a stack overflow.

Some forms of SSHA, including forms that would be validated by servers applying standard constraints on the user's password attribute, will generate lengths over 64 bytes after hex-decoding.

This can lead to such backtraces (observed with 2.1.10+dfsg-3ubuntu0.12.04.1, confirmed to be problematic upstream):

Program terminated with signal 6, Aborted.
#0  0x00007f3f4e682425 in __GI_raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007f3f4e682425 in __GI_raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f3f4e685b8b in __GI_abort () at abort.c:91
#2  0x00007f3f4e6c039e in __libc_message (do_abort=2, fmt=0x7f3f4e7c857f "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#3  0x00007f3f4e756f47 in __GI___fortify_fail (msg=0x7f3f4e7c8567 "stack smashing detected") at fortify_fail.c:32
#4  0x00007f3f4e756f10 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x00007f3f4a103732 in normify (request=0x7f3f44001db0, vp=0x7f3f440179a0, min_length=20) at rlm_pap.c:281
#6  0x00007f3f4a1037fa in pap_authorize (instance=0xce9160, request=0x6366306464353863) at rlm_pap.c:404
#7  0x000000000041baed in call_modsingle (request=0x7f3f44001db0, component=1, sp=) at modcall.c:297
#8  modcall (component=1, c=0xd529d0, request=) at modcall.c:670
#9  0x000000000041aa48 in indexed_modcall (comp=1, idx=0, request=0x7f3f44001db0) at modules.c:728
#10 0x0000000000409d96 in rad_authenticate (request=0x7f3f44001db0) at auth.c:567
#11 0x00007f3f43182ef6 in eapttls_process (handler=, tls_session=0x7f3f44002c80) at ttls.c:1184
#12 0x00007f3f43181614 in eapttls_authenticate (arg=0xd44930, handler=0x7f3f44016010) at rlm_eap_ttls.c:269
#13 0x00007f3f48087d0c in eaptype_call (atype=0xd4c750, handler=0x7f3f44016010) at eap.c:175
#14 0x00007f3f4808811d in eaptype_select (inst=0xd26e50, handler=) at eap.c:409
#15 0x00007f3f4808776b in eap_authenticate (request=0xd5e400, instance=0xd26e50) at rlm_eap.c:319
#16 eap_authenticate (instance=0xd26e50, request=0xd5e400) at rlm_eap.c:281
#17 0x000000000041baed in call_modsingle (request=0xd5e400, component=0, sp=) at modcall.c:297
#18 modcall (component=0, c=0xd4bf80, request=) at modcall.c:670
#19 0x000000000041aa48 in indexed_modcall (comp=0, idx=220797, request=0xd5e400) at modules.c:728
#20 0x000000000040a2e9 in rad_check_password (request=0xd5e400) at auth.c:373
#21 rad_authenticate (request=0xd5e400) at auth.c:653
#22 0x000000000042810e in radius_handle_request (request=0xd5e400, fun=0x409aa0 ) at event.c:3776
#23 0x000000000041f6b1 in request_handler_thread (arg=0xd5d970) at threads.c:525
#24 0x00007f3f4f231e9a in start_thread (arg=0x7f3f41372700) at pthread_create.c:308
#25 0x00007f3f4e7403fd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#26 0x0000000000000000 in ?? ()

Terrible hotfix quickly packaged to avoid constant crashes here, does not address the vulnerability:

--- freeradius-2.1.10+dfsg.orig/src/modules/rlm_pap/rlm_pap.c
+++ freeradius-2.1.10+dfsg/src/modules/rlm_pap/rlm_pap.c
@@ -244,7 +244,7 @@ static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
 {
 	size_t decoded;
-	uint8_t buffer[64];
+	uint8_t buffer[4096];
 
 	if (min_length >= sizeof(buffer)) return; /* paranoia */

On environments where such an issue did not arise previously, a user allowed to provide *validated* SSHA values to their LDAP servers can easily trigger denial of services, as the freeradius server will crash on every authentication attempt.

This E-mail is sent to the current upstream maintainer and vendors distributing a package/port.

Best,

--
Pierre Carrier
Site Reliability Engineer, Airbnb
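Review bot: the `if (min_length >= sizeof(buffer)) return; /* paranoia */` guard in the hunk still bounds only the caller's min_length, not the length of the value carried in vp that is decoded into buffer, so growing `uint8_t buffer[64]` to `uint8_t buffer[4096]` only moves the size at which the overrun happens (the cover note itself says it does not address the vulnerability). Suggest computing the decoded length of the value first (half the string length for the hex form) and rejecting the value when it exceeds sizeof(buffer), before any byte is written.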
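An added example, not freeradius code, of the length check that the hunk's buffer change does not provide: the decoder bounds the hex string's decoded length against the stack buffer before writing, so an over-long SSHA value is rejected instead of smashing the stack. The names hex_decode_bounded, normify_ssha and NORMIFY_BUF are assumed here; the 64-byte capacity and min_length of 20 come from the hunk and the backtrace.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Capacity of the stack buffer, matching the fixed-size pattern in the
 * hunk; the decoder below never writes past it, whatever the input length. */
#define NORMIFY_BUF 64

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode a hex-encoded hash into out[out_cap]. Returns the decoded length,
 * or -1 if the input is not valid hex, decodes to fewer than min_length
 * bytes, or would not fit in out. The bound that matters is the one on the
 * input: checking only "min_length < out_cap" (the paranoia check in the
 * hunk) says nothing about how long the attribute value actually is.
 */
ssize_t hex_decode_bounded(const char *hex, uint8_t *out, size_t out_cap,
                           size_t min_length)
{
    size_t n = strlen(hex);
    if (n % 2 != 0) return -1;             /* odd length: not hex */
    size_t decoded = n / 2;
    if (decoded < min_length) return -1;   /* too short to hold the digest */
    if (decoded > out_cap) return -1;      /* would overflow the buffer */
    for (size_t i = 0; i < decoded; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;   /* non-hex character */
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return (ssize_t)decoded;
}

/* Apply the bounded decoder to a hex SSHA value (20-byte SHA-1 digest plus
 * salt, so min_length 20 as in the backtrace) using a NORMIFY_BUF-byte
 * stack buffer. Returns the decoded length, or -1 when the value must be
 * rejected rather than decoded. */
ssize_t normify_ssha(const char *hex_value)
{
    uint8_t buffer[NORMIFY_BUF];
    return hex_decode_bounded(hex_value, buffer, sizeof(buffer), 20);
}
```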