Headline
CVE-2021-46854: mod_radius: memory disclosure to radius server · Issue #1284 · proftpd/proftpd
mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS servers because it copies blocks of 16 characters.
What I Did
We have noticed a disclosure of memory contents from mod_radius to RADIUS servers.
mod_radius copies the client-supplied password into a temporary
buffer to encrypt it with the RADIUS shared secret. However, it
does so obeying some padding rules: i.e. it is expected that the
password has a length multiple of 16.
If the password length is not an exact multiple, mod_radius still
copies the “rounded up” count of bytes from the password buffer into
the temporary buffer, thereby leaking whatever happens to occur past
the actual password. For FTP session, this often seems to be a copy
of the password, preceded by some 0 bytes, and tailed by some
garbage. We have not evaluated if SFTP sessions may leak other
secrets.
This can be reproduced very well with very short passwords. From a
FreeRADIUS radiusd debug log, you can observe the duplication of the
password “12345” here:
(0) Received Access-Request Id 94 from 10.12.16.61:24712 to 10.12.16.26:1812 length 133
(0) User-Name = “[email protected]”
(0) User-Password = “012345\000\000012345\000d”
(0) NAS-Identifier = “ftp”
(0) NAS-IP-Address = 10.12.16.61
(0) NAS-Port = 21
(0) NAS-Port-Type = Virtual
What I Expected/Wanted
proftpd should send just the user password, and nothing else.
ProFTPD Version and Configuration
I’ve specifically tested this with 1.3.3c (from source), 1.3.6-4+deb10u5 (from Debian) and git cba3a1a.