freeradius denial of service in authentication flow

[Pierre Carrier]

Hello,


When freeradius verifies a password sent via RLM-PAP against an LDAP
server, some passwords will cause a stack overflow.

Some forms of SSHA, including forms that would be validated by servers
applying standard constraints on the user's password attribute, will
generate lengths over 64 bytes after hex-decoding.

This can lead to such backtraces (observed with
2.1.10+dfsg-3ubuntu0.12.04.1, confirmed to be problematic upstream):
Program terminated with signal 6, Aborted.
#0  0x00007f3f4e682425 in __GI_raise (sig=<optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007f3f4e682425 in __GI_raise (sig=<optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f3f4e685b8b in __GI_abort () at abort.c:91
#2  0x00007f3f4e6c039e in __libc_message (do_abort=2,
fmt=0x7f3f4e7c857f "*** %s ***: %s terminated\n") at
../sysdeps/unix/sysv/linux/libc_fatal.c:201
#3  0x00007f3f4e756f47 in __GI___fortify_fail (msg=0x7f3f4e7c8567
"stack smashing detected") at fortify_fail.c:32
#4  0x00007f3f4e756f10 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x00007f3f4a103732 in normify (request=0x7f3f44001db0,
vp=0x7f3f440179a0, min_length=20) at rlm_pap.c:281
#6  0x00007f3f4a1037fa in pap_authorize (instance=0xce9160,
request=0x6366306464353863) at rlm_pap.c:404
#7  0x000000000041baed in call_modsingle (request=0x7f3f44001db0,
component=1, sp=<optimized out>) at modcall.c:297
#8  modcall (component=1, c=0xd529d0, request=<optimized out>) at modcall.c:670
#9  0x000000000041aa48 in indexed_modcall (comp=1, idx=0,
request=0x7f3f44001db0) at modules.c:728
#10 0x0000000000409d96 in rad_authenticate (request=0x7f3f44001db0) at
auth.c:567
#11 0x00007f3f43182ef6 in eapttls_process (handler=<optimized out>,
tls_session=0x7f3f44002c80) at ttls.c:1184
#12 0x00007f3f43181614 in eapttls_authenticate (arg=0xd44930,
handler=0x7f3f44016010) at rlm_eap_ttls.c:269
#13 0x00007f3f48087d0c in eaptype_call (atype=0xd4c750,
handler=0x7f3f44016010) at eap.c:175
#14 0x00007f3f4808811d in eaptype_select (inst=0xd26e50,
handler=<optimized out>) at eap.c:409
#15 0x00007f3f4808776b in eap_authenticate (request=0xd5e400,
instance=0xd26e50) at rlm_eap.c:319
#16 eap_authenticate (instance=0xd26e50, request=0xd5e400) at rlm_eap.c:281
#17 0x000000000041baed in call_modsingle (request=0xd5e400,
component=0, sp=<optimized out>) at modcall.c:297
#18 modcall (component=0, c=0xd4bf80, request=<optimized out>) at modcall.c:670
#19 0x000000000041aa48 in indexed_modcall (comp=0, idx=220797,
request=0xd5e400) at modules.c:728
#20 0x000000000040a2e9 in rad_check_password (request=0xd5e400) at auth.c:373
#21 rad_authenticate (request=0xd5e400) at auth.c:653
#22 0x000000000042810e in radius_handle_request (request=0xd5e400,
fun=0x409aa0 <rad_authenticate>) at event.c:3776
#23 0x000000000041f6b1 in request_handler_thread (arg=0xd5d970) at threads.c:525
#24 0x00007f3f4f231e9a in start_thread (arg=0x7f3f41372700) at
pthread_create.c:308
#25 0x00007f3f4e7403fd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#26 0x0000000000000000 in ?? ()

Terrible hotfix quickly packaged to avoid constant crashes here, does
not address the vulnerability:

--- freeradius-2.1.10+dfsg.orig/src/modules/rlm_pap/rlm_pap.c
+++ freeradius-2.1.10+dfsg/src/modules/rlm_pap/rlm_pap.c
@@ -244,7 +244,7 @@
 static void normify(REQUEST *request, VALUE_PAIR *vp, size_t min_length)
 {
  size_t decoded;
- uint8_t buffer[64];
+ uint8_t buffer[4096];

  if (min_length >= sizeof(buffer)) return; /* paranoia */



On environments where such an issue did not arise previously, a user
allowed to provide *validated* SSHA values to their LDAP servers can
easily trigger denial of services, as the freeradius server will crash
on every authentication attempt.

This E-mail is sent to the current upstream maintainer and vendors
distributing a package/port.


Best,

-- 
Pierre Carrier
Site Reliability Engineer, Airbnb