SNI-22: RADIUS Advisory

Secure Networks Inc. (sni@SECURENETWORKS.COM)
Wed, 17 Dec 1997 11:37:46 -0700

-----BEGIN PGP SIGNED MESSAGE-----

###### ## ## ######
## ### ## ##
###### ## # ## ##
## ## ### ##
###### . ## ## . ######.

Secure Networks Inc.

Security Advisory
December 17, 1997

Remote Vulnerability in RADIUS Servers Derived from Livingston 1.16.

This advisory details vulnerabilities in RADIUS server software derived
from Livingston RADIUS 1.x allow remote attacks to gain extended access
to the authentication server. In many installations of RADIUS,
exploitation of this vulnerability will allow an intruder to remotely
obtain superuser access to the machine running the RADIUS server. In
all cases, the extended access gained allows an attacker to subvert
RADIUS authentication.

This vulnerability was discovered in Livingston RADIUS 1.16, a popular
publically-available RADIUS server implementation. Another popular
RADIUS implementation is provided by Ascend Communications; Ascend
RADIUS, based on the Livingston 1.16 implementation, is very similar
to the Livingston code and shares the same bugs.

Merit RADIUS was not determined to be vulnerable to the specific problem
outlined in detail in this document. However, Merit RADIUS has not
been audited and Secure Networks Inc. makes no assertions as to it's
security.

Problem Description:
~~~~~~~~~~~~~~~~~~~~

An exploitable stack overrun is present in the RADIUS accounting code in
Livingston RADIUS 1.16. The problem occurs as a result of inverse
resolution of IP addresses to hostnames; the accounting routine
rad_accounting() copies the resolved hostname to a buffer on it's stack,
without checking the length of the hostname first.

As a result of this bug, an attacker that controls the DNS server for any
IP address can configure the records for that address to resolve to a
name too large for the RADIUS server's buffer; the characters in the
hostname, which overwrites the server's stack, can contain machine
code that the server will be forced to execute.

It is important to note that the RADIUS server request authentication
(which, in some cases, involves packet signatures with keyed MD5 hashes)
does not prevent this attack. The source IP address on RADIUS accounting
requests is not checked by the server code before the error occurs.

It is also important to note that this is not the only point in the RADIUS
code where hostname resolution can be exploited to subvert the server;
unchecked string copies are common throughout the RADIUS code. Livingston
has integrated a series of patches (written by SNI) to address this
problem. See the 'Fix Resolution' section.

Vulnerable Systems:
~~~~~~~~~~~~~~~~~~~

All RADIUS servers based off of Livingston's 1.16 RADIUS server.
Livingston RADIUS servers 2.0, 2.0.1 are not vulnerable.

Fix Resolution:
~~~~~~~~~~~~~~~
As mentioned earlier, Livinsgston's RADIUS 2.0, 2.0.1 are not vulnerable
to this problem. Any Livingston customer may upgrade to 2.0.1 at:

http://www.livingston.com/Forms/radiusform.cgi

RADIUS 1.16.1 with SNI patches is also available at:

ftp://ftp.livingston.com/pub/le/radius/radius-1.16.1.tar.Z

Ascend could not be contacted for an approved fix. As the source
code for Ascend RADIUS is freely available, an attempt has been made
to correct all obvious stack overruns in the code; Ascend has in no
way examined or approved these fixes.

You may obtain this patchfile at:

ftp://ftp.secnet.com/pub/patches/radius.patch

As this advisory involves a general problem with the RADIUS source code,
we advise organizations running RADIUS servers to contact their vendor to
confirm the vulnerability status of their RADIUS server.

Additional Information
~~~~~~~~~~~~~~~~~~~~~~

Secure Networks, Inc. would like to thank Brian Mitchell for his
original notification to the security community regarding problems in
the Livingston RADIUS code. SNI would also like to thank Carl Rigney
of Livingston for his attention to this matter.

For more information regarding this advisory, contact Secure Networks
Inc. as <sni@secnet.com>. A PGP public key is provided below if
privacy is required.

Type Bits/KeyID Date User ID
pub 1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
Secure Networks <security@secnet.com>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5
uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa
rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR
tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd
EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz
ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU
uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J
AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz
9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj
HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha
OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B
fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY
FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA
8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l
dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA
X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s
cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O
gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq
aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5
ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV
ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt
UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl
OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL
FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8
=DchE
- -----END PGP PUBLIC KEY BLOCK-----

Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCUAwUBNJgc67gIhFKeVQANAQFP3QP4olaaL2eWY+H9iZkPv/p+JikfR75mtOmI
jXYcv4bgg9lYu3TFS/QoA91b8TYIcLyfTFWiAtEbTNAIvi76ofw9SFwP4J7YRqSf
eQzrQXbyqW4WYJtk3pRm7aGQ3+X6o3Erq3anUJ8pJyE4e5A7qmYZKp9vSECHmoPV
I1ys8i7zvg==
=MFnD
-----END PGP SIGNATURE-----