Noxious injection for GNU Radius
As reported by iDefense, the GNU Radius authentication service fails to adequately filter user entries, allowing an attacker to inject SQL commands. These can be used to execute arbitrary system commands on the server in the context of the radius service, which typically runs as root. Versions 1.2 and 1.3 are affected, and probably older versions too, wherever accounting is activated in the SQL database - which, according to the security bulletin, is the case for the FreeBSD and Gentoo systems tested. The error is in the SQL database accounting code, where the sqllog function is passed an unchecked parameter. The developers have released version 1.4, which contains a bug fix along with a number of other changes.
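To make the class of bug concrete, here is an added illustration in C; it is not GNU Radius' sqllog code and does not reproduce the actual flaw. The hypothetical helper build_acct_insert_unchecked() pastes a RADIUS user name straight into an accounting INSERT statement, so a quote character in the attribute ends the string literal and whatever follows becomes part of the query. The hardened variant build_acct_insert_checked() refuses the value before it reaches the query text, and query_looks_tampered() is a small detection check you could run over generated statements. Table and column names and the allowed character set are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Hypothetical accounting-log helper (not the project's own code): builds an
 * INSERT by formatting the user name directly into the statement text.
 * Returns 0 on success, -1 if the buffer was too small. */
int build_acct_insert_unchecked(char *out, size_t outlen,
                                const char *user, long session_time)
{
    /* 'user' is attacker-controlled; a quote inside it closes the literal. */
    int n = snprintf(out, outlen,
                     "INSERT INTO calls (user_name, session_time) VALUES ('%s', %ld)",
                     user, session_time);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist check: only characters a user name may legitimately contain.
 * The set here is an assumption for the example; adjust to site policy. */
int username_is_clean(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '@'))
            return 0;
    }
    return 1;
}

/* Hardened variant: reject the value before it touches the query text.
 * Returns -2 for a rejected user name so the caller can log the attempt. */
int build_acct_insert_checked(char *out, size_t outlen,
                              const char *user, long session_time)
{
    if (!username_is_clean(user))
        return -2;
    return build_acct_insert_unchecked(out, outlen, user, session_time);
}

/* Detection aid: a well-formed statement from this helper contains exactly
 * two quote characters and no statement separator. Anything else means the
 * attribute broke out of the literal. Returns 1 if tampering is suspected. */
int query_looks_tampered(const char *q)
{
    int quotes = 0;
    for (const char *p = q; *p; p++)
        if (*p == '\'')
            quotes++;
    return (quotes != 2) || strchr(q, ';') != NULL;
}

int main(void)
{
    char buf[256];
    /* Constructed sample inputs: a plain name and one containing a quote. */
    const char *samples[] = { "alice@example.org", "o'brien" };
    for (size_t i = 0; i < 2; i++) {
        build_acct_insert_unchecked(buf, sizeof buf, samples[i], 10);
        printf("unchecked: %s -> tampered=%d\n", buf, query_looks_tampered(buf));
        printf("checked:   rc=%d\n",
               build_acct_insert_checked(buf, sizeof buf, samples[i], 10));
    }
    return 0;
}
```

The allowlist is the smallest fix that fits in an example; in a real accounting back end the preferred approach is a prepared statement or the database client's own quoting routine, so that legitimate names containing a quote are stored rather than rejected.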
See also:
- GNU Radius Format String Vulnerability, security advisory from iDefense
- Lethal injection, SQL injection – attack and defence, background article on heise Security
(trk)