Stack-based buffer overflow in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted RADIUS Accounting-Request packet.
Cisco Secure ACS for Windows and the ACS Solution Engine, in releases before 4.1, are affected by a critical remote code execution (RCE) vulnerability. A stack-based buffer overflow in the CSRadius service lets a remote attacker run arbitrary code in the context of that service, which is enough to fully compromise the ACS host. The impact is amplified by the server's role: ACS is the AAA authority for every network device that points to it, so an attacker who controls it can alter authentication and authorization decisions for all of those devices.
Step 1: Packet Crafting: The attacker builds a RADIUS Accounting-Request (Code 4) whose attribute list contains at least one attribute whose value is longer than the fixed-size buffer CSRadius copies it into. RADIUS attributes are type-length-value, and the length byte is entirely under the sender's control.
Step 2: Packet Delivery: The attacker sends the packet to the ACS server's RADIUS accounting port, UDP 1813 (the IANA-assigned port) or UDP 1646 (the legacy port many deployments still use). Filtering these ports to known NAS addresses reduces exposure but is not a substitute for the fix, since RADIUS runs over UDP and source addresses can be forged.
Step 3: Vulnerability Trigger: CSRadius receives the datagram and begins parsing the attributes it carries.
Step 4: Buffer Overflow: While handling the crafted attribute, the service copies its value into a fixed-size buffer on the stack using the attacker-supplied length, with no check against the buffer's size, so the copy runs past the end of the buffer.
Step 5: Control Hijack: The excess bytes overwrite whatever sits above the buffer on the stack, including the function's saved return address, which the attacker replaces with a value of their choosing.
Step 6: Code Execution: When the function returns, execution continues at the attacker's chosen address, typically a location inside the attacker-supplied bytes (a shellcode payload); on platforms without ASLR, where stack addresses are predictable, such a fixed address is reliable. The payload runs with the privileges of the CSRadius service and can install a backdoor, harvest the credentials and shared secrets held by ACS, or pivot further into the network.
The root cause is that CSRadius does not validate the length of attribute data in a RADIUS Accounting-Request before copying it into a fixed-size stack buffer. The attribute's length field is attacker-controlled, so an over-long value overruns the buffer and the saved return address adjacent to it, which is all that is needed to redirect execution into attacker-supplied data. The defect is therefore missing input validation in the attribute parsing path of the accounting handler, not anything in the RADIUS protocol itself. Releases from 4.1 onward fall outside the affected range given above; on unpatched systems, restricting the RADIUS accounting ports to known NAS addresses limits exposure without removing the flaw.
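The C program below is an added example; it is not CSRadius code and is not part of the original advisory. The buffer size actually involved and the attribute that triggers the copy are not public, so the 64-byte stack buffer and the NAS-Identifier attribute (type 32) are assumptions chosen to make the pattern concrete. It builds an Accounting-Request as described in Steps 1 and 2, shows the unchecked copy from Steps 4 and 5 beside a hardened parser that checks the header Length against the bytes received, keeps every attribute inside the packet, and refuses any value that does not fit its destination.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RADIUS_ACCT_REQUEST 4    /* Accounting-Request code, RFC 2866 */
#define RADIUS_HDR_LEN      20   /* Code, Identifier, Length, Authenticator */
#define ATTR_NAS_IDENTIFIER 32   /* String attribute, RFC 2865; assumed trigger */
#define NAS_ID_BUF          64   /* Assumed stack buffer size; CSRadius's real size is not public */

/* Build an Accounting-Request carrying one attribute. Returns bytes written, or 0 if
 * the value cannot be encoded: the attribute Length is one byte and includes its own
 * 2-byte header, so a value is at most 253 bytes. */
size_t build_acct_request(uint8_t *pkt, size_t cap, uint8_t type,
                          const uint8_t *val, size_t vlen)
{
    size_t total = RADIUS_HDR_LEN + 2 + vlen;
    if (vlen > 253 || total > cap) return 0;
    pkt[0] = RADIUS_ACCT_REQUEST;
    pkt[1] = 0x2a;                     /* Identifier: arbitrary */
    pkt[2] = (uint8_t)(total >> 8);    /* Length, network byte order */
    pkt[3] = (uint8_t)(total & 0xff);
    memset(pkt + 4, 0, 16);            /* Request Authenticator: zeroed, not computed here */
    pkt[RADIUS_HDR_LEN] = type;
    pkt[RADIUS_HDR_LEN + 1] = (uint8_t)(2 + vlen);
    memcpy(pkt + RADIUS_HDR_LEN + 2, val, vlen);
    return total;
}

/* The bug class: the value is copied into a fixed stack buffer using the sender's
 * Length byte, so a 253-byte value overruns a 64-byte buffer and the saved return
 * address above it. Illustrative only; never call it with a value longer than the buffer. */
int copy_nas_id_vulnerable(const uint8_t *pkt, size_t len)
{
    char nas_id[NAS_ID_BUF];
    size_t off = RADIUS_HDR_LEN;
    while (off + 2 <= len) {
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2) return -1;
        if (type == ATTR_NAS_IDENTIFIER) {
            memcpy(nas_id, pkt + off + 2, alen - 2);   /* no check against NAS_ID_BUF */
            nas_id[alen - 2] = '\0';
            return (int)strlen(nas_id);
        }
        off += alen;
    }
    return -1;
}

/* Hardened form. Returns 0 on success, 1 if the attribute is absent, -1 for a
 * malformed packet, -2 for a value that does not fit the destination. */
int copy_nas_id_hardened(const uint8_t *pkt, size_t len, char *out, size_t out_cap)
{
    if (len < RADIUS_HDR_LEN) return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    /* RFC 2866: bytes beyond Length are padding; a packet shorter than Length is discarded */
    if (declared < RADIUS_HDR_LEN || declared > len) return -1;
    if (pkt[0] != RADIUS_ACCT_REQUEST) return -1;
    size_t off = RADIUS_HDR_LEN;
    while (off + 2 <= declared) {
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || off + alen > declared) return -1;   /* attribute must lie inside the packet */
        size_t vlen = alen - 2;
        if (type == ATTR_NAS_IDENTIFIER) {
            if (vlen >= out_cap) return -2;                  /* the check the vulnerable copy lacks */
            memcpy(out, pkt + off + 2, vlen);
            out[vlen] = '\0';
            return 0;
        }
        off += alen;
    }
    return 1;
}

/* Scenarios: a constructed 200-byte NAS-Identifier, a packet one byte shorter than its
 * own Length, and a normal 5-byte value. Each returns the hardened parser's verdict. */
int oversized_attribute_result(void)
{
    uint8_t pkt[512], big[200];
    char out[NAS_ID_BUF];
    memset(big, 'A', sizeof big);
    size_t n = build_acct_request(pkt, sizeof pkt, ATTR_NAS_IDENTIFIER, big, sizeof big);
    return n == 222 ? copy_nas_id_hardened(pkt, n, out, sizeof out) : -99;
}

int truncated_packet_result(void)
{
    uint8_t pkt[512];
    char out[NAS_ID_BUF];
    size_t n = build_acct_request(pkt, sizeof pkt, ATTR_NAS_IDENTIFIER, (const uint8_t *)"nas01", 5);
    return copy_nas_id_hardened(pkt, n - 1, out, sizeof out);
}

int normal_attribute_result(void)   /* 1 when the parser accepts and copies "nas01" intact */
{
    uint8_t pkt[512];
    char out[NAS_ID_BUF];
    size_t n = build_acct_request(pkt, sizeof pkt, ATTR_NAS_IDENTIFIER, (const uint8_t *)"nas01", 5);
    return copy_nas_id_hardened(pkt, n, out, sizeof out) == 0 && strcmp(out, "nas01") == 0;
}

int main(void)
{
    printf("oversized -> %d, truncated -> %d, normal -> %d\n",
           oversized_attribute_result(), truncated_packet_result(), normal_attribute_result());
    return 0;
}
```

The vulnerable copy is defined but never invoked: calling it with the 200-byte attribute would corrupt the stack, which is exactly the condition the advisory describes. The hardened parser closes two separate defects that often coexist in RADIUS parsers: a value larger than its destination, and an attribute Length that runs past the packet's own Length, which would otherwise read past the datagram.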