Ascend's radius is affected, and specifically mentioned....

-JoE

Secure Networks Inc. wrote:
]From owner-bugtraq@NETSPACE.ORG  Wed Dec 17 14:45:14 1997
]Approved-By: aleph1@UNDERGROUND.ORG
]MIME-Version: 1.0
]Content-Type: TEXT/PLAIN; charset=US-ASCII
]Message-ID:  <Pine.BSI.3.96.971217113536.6251A-100000@silence.secnet.com>
]Date:         Wed, 17 Dec 1997 11:37:46 -0700
]Reply-To: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
]Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
]From: "Secure Networks Inc." <sni@SECURENETWORKS.COM>
]Subject:      SNI-22: RADIUS Advisory
]To: BUGTRAQ@NETSPACE.ORG
]
]-----BEGIN PGP SIGNED MESSAGE-----
]
]                        ######    ##   ##    ######
]                        ##        ###  ##      ##
]                        ######    ## # ##      ##
]                            ##    ##  ###      ##
]                        ###### .  ##   ## .  ######.
]
]                            Secure Networks Inc.
]
]                             Security Advisory
]                             December 17, 1997
]
]    Remote Vulnerability in RADIUS Servers Derived from Livingston 1.16.
]
]
]This advisory details vulnerabilities in RADIUS server software derived
]from Livingston RADIUS 1.x that allow remote attacks to gain extended access
]to the authentication server. In many installations of RADIUS,
]exploitation of this vulnerability will allow an intruder to remotely
]obtain superuser access to the machine running the RADIUS server. In
]all cases, the extended access gained allows an attacker to subvert
]RADIUS authentication.
]
]This vulnerability was discovered in Livingston RADIUS 1.16, a popular
]publicly-available RADIUS server implementation. Another popular
]RADIUS implementation is provided by Ascend Communications; Ascend
]RADIUS, based on the Livingston 1.16 implementation, is very similar
]to the Livingston code and shares the same bugs.
]
]Merit RADIUS was not determined to be vulnerable to the specific problem
]outlined in detail in this document. However, Merit RADIUS has not
]been audited and Secure Networks Inc. makes no assertions as to its
]security.
]
]
]Problem Description:
]~~~~~~~~~~~~~~~~~~~~
]
]An exploitable stack overrun is present in the RADIUS accounting code in
]Livingston RADIUS 1.16. The problem occurs as a result of inverse
]resolution of IP addresses to hostnames; the accounting routine
]rad_accounting() copies the resolved hostname to a buffer on its stack,
]without checking the length of the hostname first.
]
]As a result of this bug, an attacker that controls the DNS server for any
]IP address can configure the records for that address to resolve to a
]name too large for the RADIUS server's buffer; the characters in the
]hostname, which overwrites the server's stack, can contain machine
]code that the server will be forced to execute.
]
]It is important to note that the RADIUS server request authentication
](which, in some cases, involves packet signatures with keyed MD5 hashes)
]does not prevent this attack. The source IP address on RADIUS accounting
]requests is not checked by the server code before the error occurs.
]
]It is also important to note that this is not the only point in the RADIUS
]code where hostname resolution can be exploited to subvert the server;
]unchecked string copies are common throughout the RADIUS code. Livingston
]has integrated a series of patches (written by SNI) to address this
]problem. See the 'Fix Resolution' section.
]
]
]Vulnerable Systems:
]~~~~~~~~~~~~~~~~~~~
]
]All RADIUS servers based off of Livingston's 1.16 RADIUS server.
]Livingston RADIUS servers 2.0, 2.0.1 are not vulnerable.
]
]
]Fix Resolution:
]~~~~~~~~~~~~~~~
]As mentioned earlier, Livingston's RADIUS 2.0, 2.0.1 are not vulnerable
]to this problem.
]Any Livingston customer may upgrade to 2.0.1 at:
]
]http://www.livingston.com/Forms/radiusform.cgi
]
]RADIUS 1.16.1 with SNI patches is also available at:
]
]ftp://ftp.livingston.com/pub/le/radius/radius-1.16.1.tar.Z
]
]Ascend could not be contacted for an approved fix. As the source
]code for Ascend RADIUS is freely available, an attempt has been made
]to correct all obvious stack overruns in the code; Ascend has in no
]way examined or approved these fixes.
]
]You may obtain this patchfile at:
]
]ftp://ftp.secnet.com/pub/patches/radius.patch
]
]As this advisory involves a general problem with the RADIUS source code,
]we advise organizations running RADIUS servers to contact their vendor to
]confirm the vulnerability status of their RADIUS server.
]
]
]Additional Information
]~~~~~~~~~~~~~~~~~~~~~~
]
]Secure Networks, Inc. would like to thank Brian Mitchell for his
]original notification to the security community regarding problems in
]the Livingston RADIUS code. SNI would also like to thank Carl Rigney
]of Livingston for his attention to this matter.
]
]For more information regarding this advisory, contact Secure Networks
]Inc. at <sni@secnet.com>. A PGP public key is provided below if
]privacy is required.
]
]Copyright Notice
]~~~~~~~~~~~~~~~~
]The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
]and may be distributed freely provided that no fee is charged for
]distribution, and that proper credit is given.
]
] You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
] and advisories at ftp://ftp.secnet.com/advisories
]
] You can browse our web site at http://www.secnet.com
]
] You can subscribe to our security advisory mailing list by sending mail to
] majordomo@secnet.com with the line "subscribe sni-advisories"

++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:   <http://www.nealis.net/ascend/faq>
</PRE>
</BODY>
</HTML>
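An added example, not part of the advisory and not code from the Livingston or Ascend source: the unchecked copy of a reverse-resolved hostname that the Problem Description describes, next to a bounded form that rejects over-long or malformed names and falls back to the numeric address. The function names, the 128-byte buffer size and the sample names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 128  /* hypothetical size, not taken from the RADIUS source */

/* Bug class from the advisory: a reverse-DNS name is remote-controlled data
 * of arbitrary length, copied with no bound. For contrast only. */
void copy_name_unchecked(char *dst, const char *resolved)
{
    strcpy(dst, resolved);  /* writes past dst when resolved is too long */
}

/* Hardened form: use the resolved name only if it fits and looks like a
 * hostname, else fall back to the numeric address text.
 * Returns 1 if the name was used, 0 on fallback, -1 if nothing fits. */
int copy_name_checked(char *dst, size_t dstlen,
                      const char *resolved, const char *ip_text)
{
    size_t i, n = resolved ? strlen(resolved) : 0;
    int ok = (n > 0 && n < dstlen);  /* must fit including the NUL */

    for (i = 0; ok && i < n; i++) {
        unsigned char c = (unsigned char)resolved[i];
        if (!isalnum(c) && c != '.' && c != '-')
            ok = 0;  /* raw bytes have no place in a hostname */
    }
    if (ok) {
        memcpy(dst, resolved, n + 1);
        return 1;
    }
    if (ip_text == NULL || strlen(ip_text) >= dstlen)
        return -1;
    memcpy(dst, ip_text, strlen(ip_text) + 1);
    return 0;
}

int main(void)
{
    char buf[NAME_BUF], longname[400];

    memset(longname, 'a', sizeof longname - 1);  /* constructed over-long name */
    longname[sizeof longname - 1] = '\0';
    printf("used=%d ", copy_name_checked(buf, sizeof buf, longname, "192.0.2.10"));
    printf("name=%s\n", buf);
    return 0;
}
```

The check runs on the resolver's answer itself, so it holds regardless of whether the request later passes RADIUS authentication, which the advisory notes does not prevent the overrun.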