|
|
|
Credit:
The information has been provided by Gabriel Campana and Laurent Butti.
The original article can be found at: http://www.cisco.com/warp/public/707/cisco-sr-20080903-csacs.shtml
|
|
Vulnerable Systems:
* Cisco Secure ACS that support EAP
A remote attacker (acting as a RADIUS client) could send a specially crafted EAP Response packet against a Cisco Secure ACS server in such a way as to cause the CSRadius service to crash (reliable). This bug may be triggered if the length field of an EAP-Response packet has a certain big value, greater than the real packet length. Any EAP-Response can trigger this bug: EAP-Response/Identity, EAP-Response/MD5, EAP-Response/TLS, etc.
An EAP packet is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Identity...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* For example, the following packet will trigger the vulnerability and crash CSRadius.exe:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2 | 0 | 0xdddd |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 1 | abcd
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Attack Impact:
Denial-of-service and possibly remote arbitrary code execution
Attack Vector:
Have access as a RADIUS client (knowing or guessing the RADIUS shared secret) or from an unauthenticated wireless device if the access point relays malformed EAP frames
CVE Information:
CVE-2008-2441
|
|
|
|