CVE-2003-0967

FreeRADIUS < 0.9.2 - Denial of Service via Short RADIUS String Attribute with Tag

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2003-0967. PoCs published by Evgeny Legerov.

AI-analyzed exploit summary This exploit demonstrates a heap-corruption vulnerability in FreeRADIUS by sending a malformed packet with a specific tag-field input. The provided command crafts a packet and sends it via netcat to trigger the vulnerability, potentially causing a denial of service.

Description

rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Evgeny Legerov · textdoslinux

https://www.exploit-db.com/exploits/23391

View Code ZIP pw:eip

This exploit demonstrates a heap-corruption vulnerability in FreeRADIUS by sending a malformed packet with a specific tag-field input. The provided command crafts a packet and sends it via netcat to trigger the vulnerability, potentially causing a denial of service.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: FreeRADIUS 0.4.0 through 0.9.2, 1.1.3 through 1.1.7

No auth needed

Prerequisites: Network access to the vulnerable FreeRADIUS server · Netcat or similar tool for sending UDP packets

MITRE ATT&CK