From prj@NLS.NET Sun Mar 8 00:26:41 1998
From: "Phillip R. Jaenke"
X-Sender: prj@vmlinuz
To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 20 Feb 1998 21:02:53 -0500
Subject: Serious bug in "radius" dialup authentication software
At work, we've discovered a *SERIOUS* bug in the "radius" dialup
authentication software.
Affected Platforms:
WindowsNT (RadiusNT)
Linux
Solaris (x86)
BSDi
NetBSD
OpenBSD
FreeBSD
Problem:
If a user appends a certain amount of spaces after their username, Radius
will crash, keeping users from logging in. We have been unable to
determine the number of spaces, but it is above 5, and below the 'magic
128' as we call it. I'd estimate it at around 32 spaces.
Effects:
100% of the time, Radius will crash. All platforms are affected. Multiple
servers do not negate these effects, as most terminal servers, when the
primary radius authentication server is not there, will switch over to the
next one, which will get the same username, and crash, locking all
customers out. This appears to affect ALL platforms, be it WindowsNT or a
form of unix. It appears to be a bug in radius itself.
A coworker has contacted the radius mailing lists. As soon as a fix is
known, I will post it here.
--Phillip R. Jaenke (prj@raex.com | prj@nls.net)
Primary Developer, The Improvement Linux Project
Core Team Member, The Cyberian RC5 Effort - http://www.cyberian.org/
AKA Kaeyerai (Rediscovery) of MasterTechnoMonster
Ketyra Designs, Inc. - Imagine Transmeta sans Linus. That's us. :)
=-=
From prj@NS2.NLS.NET Sun Mar 8 00:27:07 1998
From: "Phillip R. Jaenke"
To: BUGTRAQ@NETSPACE.ORG
Date: Sat, 21 Feb 1998 13:01:09 +0100
Subject: Quick update on Radius bug
Just counted the spaces.
The magic number here was 40.
-prj
-Ed Kuchar (InterNIC Handle: EK113) [ekuchar@NLS.NET]
NetLink Services, Inc. 216.468.5100(Cleveland) - 330.940.2700(Akron)
sales@nls.net - http://www.nls.net - http://www.getinfo.net
Serving: Cleveland, Akron, Medina, & Geauga County
=-=
From aleph1@DFW.NET Sun Mar 8 00:27:40 1998
From: Aleph One
To: BUGTRAQ@NETSPACE.ORG
Date: Sun, 22 Feb 1998 13:07:55 -0600
Subject: RADIUS (Summary)
This is a summary of reports about the radius vulnerability that
Phillip R. Jaenke reported. Given the large number of people that
have reported that they are not vulnerable I must wonder what is
unique in Phillip's environment that is causing this. Only one person
reported Merit RADIUS being vulnerable and that has not been
confirmed yet.
So far reported not vulnerable:
Merit 2.4.23C,
Livingston RADIUS 2.0.1 97/5/22
Livingston RADIUS 2.01
Perl RADIUS module
MacRADIUS
ESVA Radius
Reported vulnerable:
Livingston 1.16 to 2.01 (Phillip R. Jaenke)
RadiusNT v2.x (Phillip R. Jaenke)
merit radius 2.4.23C (jbeley@puma.sirinet.net)
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
=-=
From dbs@HOM.NET Sun Mar 8 00:27:51 1998
From: Dave Stewart
X-Sender: dbs@pop.hom.net
To: BUGTRAQ@NETSPACE.ORG
Date: Sun, 22 Feb 1998 17:04:06 -0500
Subject: Re: RADIUS (Summary)
At 01:07 PM 2/22/98 -0600, Aleph One wrote:
>This is a summary of reports about the radius vulnerability that
>Phillip R. Jaenke reported. Given the large number of people that
>have reported that they are not vulnerable I must wonder what is
>unique in Phillip's environment that is causing this. Only one person
>reported Merit RADIUS being vulnerable and that has not been
>confirmed yet.
>
>So far reported not vulnerable:
>
>Merit 2.4.23C,
>Livingston RADIUS 2.0.1 97/5/22
>Livingston RADIUS 2.01
>Perl RADIUS module
>MacRADIUS
>ESVA Radius
>
>Reported vulnerable:
>
>Livingston 1.16 to 2.01 (Phillip R. Jaenke)
>RadiusNT v2.x (Phillip R. Jaenke)
>merit radius 2.4.23C (jbeley@puma.sirinet.net)
To explain further -
Any RADIUS that's based on Livingston RADIUS 2.0 and higher should be
checking for a space in the username, and automatically rejecting the login
attempt.
I'm running Livingston RADIUS 2.01 under Solaris 2.4 (on a Sparc 10) and
under Solaris 2.5 on a Sparc 2. ANY username containing a space causes the
daemon to send a reject to the terminal server.
I've tried to recreate Phillip's bug report from my Cisco 2511 terminal
servers and my Portmaster 3 terminal servers - I can't do it. No matter
how many spaces I include anywhere in the username, the RADIUS daemon
behaves exactly as expected and returns a reject to the terminal server,
while logging the reject and indicating that it found a space in the username.
I'm with Aleph One on this one... there simply must be something else in
the environment that's causing the daemon to crash.
Dave Stewart
System Manager
Homenet Communications, Inc.
==========================================================
PGP Public Key located at:
http://www.hom.net/~dbs/dbspub.txt
Or the MIT Public key server
==========================================================
Mirabilis ICQ UIN - 4982852
=-=
From thom@ESVA.NET Sun Mar 8 00:28:53 1998
From: Thom Henderson
To: BUGTRAQ@NETSPACE.ORG
Date: Sun, 22 Feb 1998 10:39:36 -0500
Subject: Re: Serious bug in "radius" dialup authentication software
On Sat, 21 Feb 1998, Phillip R. Jaenke wrote:
> So far, tested servers are:
> Livingston 1.16 to 2.01
> RadiusNT v2.x
> Merit
>
> So far, the only one NOT vulnerable is Merit. Cistron is untested, so I've
> got no idea whether or not it is. Best way to test is to telnet to a
> terminal server, and login with a valid username, with 40 or more spaces
> after it.
This problem should be non-fatal as long as you are NOT using the "-s"
option. The process that was forked off to handle the offending name will
die causing that one login attempt to fail, but radiusd should continue to
run.
At least, that's what happens with ESVAnet radiusd.
Note: When tested with the Livingston Portmaster 2, you cannot simply
telnet to the NAS to test this. It is necessary to dial in.
I'll take a look at the code Monday morning, but this doesn't look to me
like anything to worry about. At least, not as long as you don't use
single-threaded mode.
=-=
From thom@ESVA.NET Sun Mar 8 00:29:58 1998
From: Thom Henderson
To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 27 Feb 1998 11:01:13 -0500
Subject: Re: Serious bug in "radius" dialup authentication software
A note from the author of the ESVAnet variation of Livingston radiusd:
On Sun, 22 Feb 1998, Thom Henderson wrote:
> This problem should be non-fatal as long as you are NOT using the "-s"
> option. The process that was forked off to handle the offending name will
> die causing that one login attempt to fail, but radiusd should continue to
> run.
>
> At least, that's what happens with ESVAnet radiusd.
Correction. That is what *appears* to happen, but it's not what is really
happening. At least, not here.
On further investigation it appears that radiusd.esva is working properly
and is not subject to this bug.
When tested with an account whose user service is an "rlogin" session to a
BSD/OS 2.1 host, the BSD/OS host fails to initiate the rlogin session.
During the initial "quick check" to see if we had this bug, the results
appeared to match the behaviour of the bug, but on deeper investigation it
is apparent that radiusd.esva is NOT hanging, and IS authenticating the
session properly.
When tested with an account whose user service type is PPP, everything
works normally.
I would suggest retesting other versions to ensure that something similar
isn't happening. Otherwise, I suspect that the problem is either:
a) Fixed by the recent bug fix patch released by Livingston, or
b) Located in user_find() in users.c. I surmise this because the only
change I made that would relate at all to this problem is that we found a
need to trim trailing spaces because of WebTV customers.
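As an added illustration of the two defences described in this thread (not code from Livingston, ESVAnet or any poster): a hypothetical User-Name extractor in C that bounds-checks each RADIUS attribute before trusting its length, trims trailing spaces the way Thom's user_find() change does, and then rejects any name that still contains a space, which is what Dave describes Livingston 2.0 and higher doing. The names USERNAME_MAX, extract_username and accepted_username_len and the 63-character limit are my assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed local limit on accepted names; not a value from the thread. */
#define USERNAME_MAX 63

/* Walks the attribute area of a RADIUS packet (type, length, value
 * triplets) with bounds checks, pulls out User-Name (type 1), trims
 * trailing spaces, and rejects names that are empty, over-long or still
 * contain a space. Returns 1 on accept, 0 on reject or malformed input. */
int extract_username(const unsigned char *attrs, size_t attrs_len,
                     char *out, size_t out_len)
{
    size_t pos = 0;
    while (pos + 2 <= attrs_len) {
        unsigned type = attrs[pos], len = attrs[pos + 1];
        /* length covers the type and length octets, so 2 is the minimum */
        if (len < 2 || pos + len > attrs_len)
            return 0;                     /* malformed: do not trust it */
        if (type == 1) {
            const unsigned char *v = attrs + pos + 2;
            size_t vlen = len - 2;
            while (vlen > 0 && v[vlen - 1] == ' ') vlen--;  /* trailing */
            if (vlen == 0 || vlen > USERNAME_MAX || vlen >= out_len)
                return 0;
            if (memchr(v, ' ', vlen) != NULL)        /* embedded space */
                return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        pos += len;                       /* skip attributes we ignore */
    }
    return 0;                             /* no User-Name attribute */
}

/* Constructed test input: a Service-Type attribute followed by a
 * User-Name carrying `raw`. Returns the accepted name's length, or -1. */
int accepted_username_len(const char *raw)
{
    unsigned char attrs[8 + 253];
    char out[USERNAME_MAX + 1];
    size_t rlen = strlen(raw);
    if (rlen > 253) return -1;            /* one-octet attribute length */
    memcpy(attrs, "\x06\x06\x00\x00\x00\x01\x01", 7);  /* Service-Type=Login */
    attrs[7] = (unsigned char)(rlen + 2); /* User-Name length */
    memcpy(attrs + 8, raw, rlen);
    return extract_username(attrs, 8 + rlen, out, sizeof out) ? (int)strlen(out) : -1;
}
```

A name followed by the thread's 40 spaces is accepted as the bare name because trimming happens before any fixed-size buffer is touched, while a name with an interior space is refused outright.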