Ascend Archive
(ASCEND) SNI-22: RADIUS Advisory (fwd)
I apologize if this is not an appropriate thing to post to this list,
or if it has already been posted (I just subscribed to the list a couple
of days ago)....
Ascend's radius is affected, and specifically mentioned....
-JoE
Secure Networks Inc. wrote:
]From owner-bugtraq@NETSPACE.ORG Wed Dec 17 14:45:14 1997
]Approved-By: aleph1@UNDERGROUND.ORG
]MIME-Version: 1.0
]Content-Type: TEXT/PLAIN; charset=US-ASCII
]Message-ID: <Pine.BSI.3.96.971217113536.6251A-100000@silence.secnet.com>
]Date: Wed, 17 Dec 1997 11:37:46 -0700
]Reply-To: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
]Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
]From: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
]Subject: SNI-22: RADIUS Advisory
]To: BUGTRAQ@NETSPACE.ORG
]
]-----BEGIN PGP SIGNED MESSAGE-----
]
] ###### ## ## ######
] ## ### ## ##
] ###### ## # ## ##
] ## ## ### ##
] ###### . ## ## . ######.
]
] Secure Networks Inc.
]
] Security Advisory
] December 17, 1997
]
] Remote Vulnerability in RADIUS Servers Derived from Livingston 1.16.
]
]
]This advisory details vulnerabilities in RADIUS server software derived
]from Livingston RADIUS 1.x that allow remote attackers to gain extended access
]to the authentication server. In many installations of RADIUS,
]exploitation of this vulnerability will allow an intruder to remotely
]obtain superuser access to the machine running the RADIUS server. In
]all cases, the extended access gained allows an attacker to subvert
]RADIUS authentication.
]
]This vulnerability was discovered in Livingston RADIUS 1.16, a popular
]publicly-available RADIUS server implementation. Another popular
]RADIUS implementation is provided by Ascend Communications; Ascend
]RADIUS, based on the Livingston 1.16 implementation, is very similar
]to the Livingston code and shares the same bugs.
]
]Merit RADIUS was not determined to be vulnerable to the specific problem
]outlined in detail in this document. However, Merit RADIUS has not
]been audited and Secure Networks Inc. makes no assertions as to its
]security.
]
]
]Problem Description:
]~~~~~~~~~~~~~~~~~~~~
]
]An exploitable stack overrun is present in the RADIUS accounting code in
]Livingston RADIUS 1.16. The problem occurs as a result of inverse
]resolution of IP addresses to hostnames; the accounting routine
]rad_accounting() copies the resolved hostname to a buffer on its stack,
]without checking the length of the hostname first.
]
]As a result of this bug, an attacker that controls the DNS server for any
]IP address can configure the records for that address to resolve to a
]name too large for the RADIUS server's buffer; the characters in the
]hostname, which overwrite the server's stack, can contain machine
]code that the server will be forced to execute.
]
]It is important to note that the RADIUS server request authentication
](which, in some cases, involves packet signatures with keyed MD5 hashes)
]does not prevent this attack. The source IP address on RADIUS accounting
]requests is not checked by the server code before the error occurs.
]
]It is also important to note that this is not the only point in the RADIUS
]code where hostname resolution can be exploited to subvert the server;
]unchecked string copies are common throughout the RADIUS code. Livingston
]has integrated a series of patches (written by SNI) to address this
]problem. See the 'Fix Resolution' section.
]
]
]Vulnerable Systems:
]~~~~~~~~~~~~~~~~~~~
]
]All RADIUS servers based off of Livingston's 1.16 RADIUS server.
]Livingston RADIUS servers 2.0, 2.0.1 are not vulnerable.
]
]
]Fix Resolution:
]~~~~~~~~~~~~~~~
]As mentioned earlier, Livingston's RADIUS 2.0, 2.0.1 are not vulnerable
]to this problem. Any Livingston customer may upgrade to 2.0.1 at:
]
]http://www.livingston.com/Forms/radiusform.cgi
]
]RADIUS 1.16.1 with SNI patches is also available at:
]
]ftp://ftp.livingston.com/pub/le/radius/radius-1.16.1.tar.Z
]
]Ascend could not be contacted for an approved fix. As the source
]code for Ascend RADIUS is freely available, an attempt has been made
]to correct all obvious stack overruns in the code; Ascend has in no
]way examined or approved these fixes.
]
]You may obtain this patchfile at:
]
]ftp://ftp.secnet.com/pub/patches/radius.patch
]
]As this advisory involves a general problem with the RADIUS source code,
]we advise organizations running RADIUS servers to contact their vendor to
]confirm the vulnerability status of their RADIUS server.
]
]
]Additional Information
]~~~~~~~~~~~~~~~~~~~~~~
]
]Secure Networks, Inc. would like to thank Brian Mitchell for his
]original notification to the security community regarding problems in
]the Livingston RADIUS code. SNI would also like to thank Carl Rigney
]of Livingston for his attention to this matter.
]
]For more information regarding this advisory, contact Secure Networks
]Inc. at <sni@secnet.com>. A PGP public key is provided below if
]privacy is required.
]
]Copyright Notice
]~~~~~~~~~~~~~~~~
]The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
]and may be distributed freely provided that no fee is charged for
]distribution, and that proper credit is given.
]
] You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
] and advisories at ftp://ftp.secnet.com/advisories
]
] You can browse our web site at http://www.secnet.com
]
] You can subscribe to our security advisory mailing list by sending mail to
] majordomo@secnet.com with the line "subscribe sni-advisories"
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
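
The unchecked hostname copy that the advisory describes in rad_accounting(), next to a bounded version, as an added C example that is not part of the original post and is not code from Livingston, Ascend or SNI. The function names, the 128-byte buffer size and the sample names and addresses are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOSTBUF_LEN 128 /* assumed size; the advisory does not state the real one */

/* The pattern the advisory describes: the resolved name is copied with no
 * length check. Kept for contrast only; nothing here calls it. */
void copy_hostname_unchecked(char *dst, const char *resolved)
{
    strcpy(dst, resolved); /* a long PTR answer writes past the end of dst */
}

/* Hardened form: the resolver's answer is treated as untrusted input.
 * Returns 0 on success, -1 if the name is rejected (dst is then ""). */
int copy_hostname_checked(char *dst, size_t dstlen, const char *resolved)
{
    size_t n;
    if (dst == NULL || dstlen == 0) return -1;
    dst[0] = '\0';
    if (resolved == NULL) return -1;
    for (n = 0; resolved[n] != '\0'; n++) {
        unsigned char c = (unsigned char)resolved[n];
        if (n + 1 >= dstlen) return -1;  /* no room for this byte plus NUL */
        if (!isalnum(c) && c != '-' && c != '.') return -1; /* not a hostname char */
    }
    if (n == 0) return -1;               /* empty answer */
    memcpy(dst, resolved, n + 1);        /* n + 1 <= dstlen is guaranteed above */
    return 0;
}

/* Label used for a client in logs: the checked name, else the numeric address. */
const char *client_label(char *buf, size_t buflen, const char *resolved,
                         const char *numeric)
{
    if (copy_hostname_checked(buf, buflen, resolved) != 0)
        snprintf(buf, buflen, "%s", numeric);
    return buf;
}

int main(void)
{
    char buf[HOSTBUF_LEN], longname[400]; /* constructed oversized PTR answer */
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("%s\n", client_label(buf, sizeof buf, "nas1.example.net", "192.0.2.10"));
    printf("%s\n", client_label(buf, sizeof buf, longname, "192.0.2.10"));
    return 0;
}
```

Falling back to the numeric address keeps accounting records usable when the reverse lookup returns something oversized or malformed.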