[PRE-SA-2012-06] FreeRADIUS: Stack Overflow in TLS-based EAP Methods

2012-09-18T00:00:00
ID SECURITYVULNS:DOC:28563
Type securityvulns
Reporter Securityvulns
Modified 2012-09-18T00:00:00

Description

PRE-CERT Security Advisory

  • Advisory: PRE-SA-2012-06
  • Released on: 10 September 2012
  • Affected product: FreeRADIUS 2.1.10 - 2.1.12
  • Impact: remote code execution
  • Origin: specially crafted client certificates
  • CVSS Base Score: 10 Impact Subscore: 10 Exploitability Subscore: 10 CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  • Credit: Timo Warns (PRESENSE Technologies GmbH)
  • CVE Identifier: CVE-2012-3547

Summary

A stack overflow vulnerability has been identified in FreeRADIUS that allows to remotely execute arbitrary code via specially crafted client certificates (before authentication). The vulnerability affects setups using TLS-based EAP methods (including EAP-TLS, EAP-TTLS, and PEAP).

FreeRADIUS defines a callback function cbtls_verify() for certificate verification. The function has a local buf array with a size of 64 bytes. It copies the validity timestamp "not after" of a client certificate to the buf array:

asn_time = X509_get_notAfter(client_cert);
if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
    memcpy(buf, (char*) asn_time->data, asn_time->length);
    buf[asn_time->length] = '\0';

The MAX_STRING_LEN constant is defined to be 254. If asn_time->length is greater than 64 bytes, but less than 254 bytes, buf overflows via the memcpy.

Depending on the stack layout chosen by the compiler, the vulnerability allows to overflow the return address on the stack, which can be exploited for code execution.

Solution

The issue has been fixed in FreeRADIUS 2.2.0. Updates should be installed as soon as possible.

References

When further information becomes available, this advisory will be updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt

Contact

PRE-CERT can be reached under precert@pre-secure.de. For PGP key information, refer to http://www.pre-cert.de/.