2013-01-21 - [GRASE-Hotspot] Security Fix - Important - All versions before 3.7.7.6

Header Data

From: Tim White <ti***8@gmail.com>
Message Hash: 45bb79c836bbdd21d694cc2537097125284c846f16af3acaf2556d3b89aa6ec3
Message ID: <50FE1DC0.6030605@gmail.com>
Reply To: N/A
UTC Datetime: 2013-01-21 22:04:00 UTC
Raw Date: Tue, 22 Jan 2013 15:04:00 +1000

Raw message

Hey Everyone.

A very important security issue has been identified. It doesn't pose a 
security risk to the machine the grase is running on, it can however 
allow an unauthorised user to have unlimited access to the internet.
Version 3.7.7.6 has been pushed to the dev branch for those who are 
currently testing the next release. Assuming no other issues are 
reported in the next week or so, this will be released as 3.7.8 shortly.

If you are wanting to fix your install without doing any updates, you 
can simply login to the terminal, then login into the MySQL console 
(you'll need to use the root(mysql) user most likely), and then execute 
the following SQL command
update radcheck set op='==' where Value='Administrative-User';

So a quick tutorial, assuming you know the root mysql users password, 
and with some cruft edited out.

$ mysql -u root -p radius
Enter password:

mysql> update radcheck set op='==' where Value='Administrative-User';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0


And that's it. If you are wondering how to exploit this fix, just have a 
poke around in the radcheck table and you'll see what we've changed.

Tim

Thread

• Return to January 2013

• Return to “Tim White <ti***8@gmail.com>”

• 2013-01-21 (Tue, 22 Jan 2013 15:04:00 +1000) - [GRASE-Hotspot] Security Fix - Important - All versions before 3.7.7.6 - Tim White <ti***8@gmail.com>