CVE-1999-0244

Step 1: Target Identification: The attacker identifies a Livingston RADIUS server on the network, likely through port scanning (UDP/1812, UDP/1813). Step 2: Payload Crafting: The attacker constructs a malicious RADIUS packet. This packet contains an attribute with a value that exceeds the allocated buffer size within the vulnerable Livingston RADIUS code. The attacker carefully crafts the payload to overwrite specific memory locations. Step 3: Packet Delivery: The attacker sends the crafted RADIUS packet to the target server. Step 4: Buffer Overflow Trigger: The RADIUS server receives the malicious packet and attempts to process the oversized attribute value. The overflow occurs, overwriting adjacent memory. Step 5: Code Execution: The attacker's crafted payload overwrites a function pointer or other control data. When the program attempts to execute the overwritten function, it instead executes the attacker's injected code, granting the attacker root access.

The vulnerability stems from a buffer overflow in the Livingston RADIUS code. Specifically, the code likely fails to properly validate the size of data received from a network request, such as an authentication request. When a specially crafted packet containing an overly long string is sent to the RADIUS server, the data overflows a fixed-size buffer allocated in memory. This overwrites adjacent memory locations, potentially including critical program data like function pointers or control structures. By carefully crafting the malicious input, an attacker can overwrite these memory locations with their own code, leading to arbitrary code execution with the privileges of the RADIUS server, which is often root.