(RADIATOR) Radiator crashes from garbage user name input

David Miller dmiller at newportnet.com
Fri Mar 15 10:03:40 CST 2002


Hugh:

Below is a trace 5 dump of a single request to Radiator with the
user name of abc%s that crashes Radiator. Afraid it does not show much to
me, but may to more experienced eyes. One thing that I did notice is the
'No such user' message is logged to the log file, but not to the SQL
logger, so the crash comes after the file write and before the insertion
into the RADLOG table. I tested all other letters of the alphabet after the
% sign, and only %s will crash the Radiator process. Again, thanks for your
assistance, and sorry I did not get this to you yesterday.

Regards,
David Miller
System Engineer -- Newport Internet
dmiller at newportnet.com

trace
--------------------------------------------------------
Fri Mar 15 07:46:29 2002: DEBUG: Reading users file /etc/radiator/raddb/users
Fri Mar 15 07:46:29 2002: INFO: Server started: Radiator 2.19 on dns2.newportnet.com
Fri Mar 15 07:46:32 2002: DEBUG: Packet dump:
*** Received from 204.250.116.122 port 1044 ....

Packet length = 91
01 33 00 5b 31 32 33 34 35 36 37 38 39 30 31 32
33 34 35 36 01 07 61 62 63 25 73 06 06 00 00 00
02 04 06 cc fa 74 7a 05 06 00 00 04 d2 1e 0b 31
32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
33 32 31 3d 06 00 00 00 00 02 12 97 e4 31 c8 af
5c 04 f6 bc 38 09 a0 d8 7d 78 99
Code:       Access-Request
Identifier: 51
Authentic:  1234567890123456
Attributes:
         User-Name = "abc%s"
         Service-Type = Framed-User
         NAS-IP-Address = 204.250.116.122
         NAS-Port = 1234
         Called-Station-Id = "123456789"
         Calling-Station-Id = "987654321"
         NAS-Port-Type = Async
         User-Password = "<151><228>1<200><175>\<4><246><188>8<9><160><216>}x<153>"

Fri Mar 15 07:46:32 2002: DEBUG: Rewrote user name to abc%s
Fri Mar 15 07:46:32 2002: DEBUG: Rewrote user name to abc%s
Fri Mar 15 07:46:32 2002: DEBUG: Rewrote user name to abc%s
Fri Mar 15 07:46:32 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Mar 15 07:46:32 2002: DEBUG: RadiusSessionDB Deleting session for abc%s, 204.250.116.122, 1234
Fri Mar 15 07:46:32 2002: DEBUG: do query is: delete from RADONLINE where NASIDENTIFIER = '204.250.116.122' and NASPORT = '01234';

Fri Mar 15 07:46:32 2002: DEBUG: Handling with Radius::AuthSQL
Fri Mar 15 07:46:32 2002: DEBUG: Handling with Radius::AuthSQL
Fri Mar 15 07:46:32 2002: DEBUG: Handling with Radius::AuthFILE: UserFile
Fri Mar 15 07:46:32 2002: DEBUG: Radius::AuthFILE looks for match with abc%s
Fri Mar 15 07:46:32 2002: INFO: Access rejected for abc%s: No such user

-------------------------------------------------------------------------

At 11:26 AM 3/15/02 +1100, Hugh Irvine wrote:

>Hello David -
>
>Further to my previous mail - could you please send me a trace 4 debug from
>Radiator showing what happens?
>
>thanks
>
>Hugh
>
>
>On Fri, 15 Mar 2002 10:25, David Miller wrote:
> > Hi all:
> > I work at a small ISP and we use Radiator (2.19) running on RedHat Linux
> > (7.1) to authenticate dial-up users onto our system. Today for the first
> > time since we started using Radiator it died unexpectedly on the primary
> > and secondary servers. The last line to be logged from each server was the
> > same, a failed login that contained nothing but garbage as the user name
> > (we see these all the time from windows boxes that are in bad need of a
> > reboot). Since the last line in each log was the same I did a little
> > testing with radpwtst and found the following string, when supplied as the
> > user name, will kill Radiator every time in our environment.
> >
> > ~?~?~&fn,uv~?~?~?~?~?~?~?~?~?~?~?~?~?~?~?~?~?~?~?b0%sjgr~?~?~?~
> >
> > This came as quite a surprise as we have been running Radiator here for six
> > months and never experienced even so much as a hiccup. Any light that
> > someone could shed on this would be appreciated. I have started exploring
> > the use of the restartWrapper to restart Radiator in the event of a repeat
> > occurrence. Thanks for a great product and superb support.
> >
> > Regards,
> > David Miller
> > System Engineer -- Newport Internet
> > dmiller at newportnet.com
> >
> >
> > config file follows:
> > -------------------------------------------
> > # radius.cfg
> > # Created for use at Newport Internet
> > # Author: David Miller (dmiller at newportnet.com)
> > #
> > # Uses replicated MySql session database on localhost and 10.10.10.18 using
> > # private network address. RADONLINE table must have columns for the
> > # rewritten user name (USERNAME), and user name as supplied by the NAS
> > # (NASUSERNAME).
> > # Uses snmpget program to verify DefaultSimultaneous-Use violations
> > # Uses SNMPAgent clause to allow snmp queries of Radiator server.
> > # Logs accounting packets to the details file, as well as the ACCOUNTING
> > # table of the RADIUS database.
> > # Logs log messages to RADLOG table of RADIUS database.
> > #
> > #=====================
> > # Global Parameters
> > #=====================
> > LogDir /var/log/radius
> > DbDir /etc/radiator/raddb
> >
> > AuthPort 1645
> > AcctPort 1646
> >
> > # Use a low trace level in production systems. Increase
> > # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> > Trace 3
> > #Trace 5
> >
> > # Log file, in form of logfile.dd_Mmm_yyy
> > LogFile %L/logfile.%d_%v_%Y
> >
> > # Username Rewrite Rules. Strip off realm name, change to lowercase, and
> > # remove any whitespace.
> > RewriteUsername s/^([^@]+).*/$1/
> > RewriteUsername tr/A-Z/a-z/
> > RewriteUsername s/\s+//g
> >
> > # location of snmpget program
> > SnmpgetProg /usr/bin/snmpget
> >
> > # must define LivingstonHole as 0 to get snmpget to work properly
> > LivingstonHole 0
> >
> > # SNMP Agent -- allow snmp queries of Radiator server
> > <SNMPAgent>
> > ROCommunity xxxxxxx
> > BindAddress 10.10.10.17
> > Managers 10.10.10.122 localhost
> > </SNMPAgent>
> >
> > #===========
> > # Clients
> > #===========
> > <Client aaa.bbb.ccc.ddd>
> > Secret xxxxxx
> > DupInterval 2
> > NasType Portmaster3
> > SNMPCommunity xxxxxx
> > </Client>
> >
> > <Client aaa.bbb.ccc.eee>
> > Secret xxxxxx
> > DupInterval 2
> > NasType Portmaster3
> > SNMPCommunity xxxxxx
> > </Client>
> >
> > <Client aaa.bbb.ccc.fff>
> > Secret xxxxxx
> > DupInterval 2
> > NasType Portmaster3
> > SNMPCommunity xxxxxx
> > </Client>
> >
> > <Client aaa.bbb.ccc.ggg>
> > Secret xxxxxx
> > DupInterval 2
> > NasType Portmaster3
> > SNMPCommunity xxxxxx
> > </Client>
> >
> > #===============
> > # test clients
> > #===============
> > <Client aaa.bbb.ccc.hhh>
> > Secret xxxxxx
> > </Client>
> >
> > <Client 127.0.0.1>
> > Secret xxxxxx
> > </Client>
> >
> > #===============
> > # SQL Logger
> > #===============
> > <Log SQL>
> > Identifier SQLLogger
> > DBSource dbi:mysql:RADIUS
> > DBUsername raduser
> > DBAuth xxxxxx
> >
> > Table RADLOG
> > LogQuery insert into RADLOG (TIME_STAMP, PRIORITY, MESSAGE) \
> > values ('%Y-%m-%d %H:%M:%S', '%1', %2 );
> > Trace 3
> > </Log SQL>
> >
> > #==================
> > # Session Database
> > #==================
> > <SessionDatabase SQL>
> > Identifier RadiusSessionDB
> > # primary (localhost) session database
> > DBSource dbi:mysql:RADIUS
> > DBUsername raduser
> > DBAuth xxxxxx
> >
> > # secondary session database
> > DBSource dbi:mysql:RADIUS:10.10.10.18
> > DBUsername raduser
> > DBAuth xxxxxx
> >
> > AddQuery insert into RADONLINE \
> > (USERNAME, NASUSERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, \
> > ACCTDELAYTIME, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) \
> > values ('%n', '%u', '%N', '0%{NAS-Port}', \
> > '%{Acct-Session-Id}', '%{Timestamp}', \
> > '%{Acct-Delay-Time}', '%{Framed-IP-Address}', \
> > '%{NAS-Port-Type}', '%{Service-Type}');
> >
> > DeleteQuery delete from RADONLINE \
> > where NASIDENTIFIER = '%N' and NASPORT = '0%{NAS-Port}';
> >
> > ClearNasQuery delete from RADONLINE where NASIDENTIFIER = '%N';
> >
> > CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE \
> > where USERNAME = '%n';
> > </SessionDatabase SQL>
> >
> > #==================
> > # AuthBy clauses
> > #==================
> > <AuthBy SQL>
> > Identifier SQLAccountingStarts
> > DBSource dbi:mysql:RADIUS
> > DBUsername raduser
> > DBAuth xxxxxx
> >
> > # empty AuthSelect clause, no authentication
> > AuthSelect
> > # we only want starts
> > AccountingStartsOnly
> >
> > #Accounting table definition
> > AccountingTable ACCOUNTING
> > AcctColumnDef USERNAME, User-Name
> > AcctColumnDef TIME_STAMP, Timestamp, integer
> > AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
> > AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time, integer
> > AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets, integer
> > AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets, integer
> > AcctColumnDef ACCTSESSIONID, Acct-Session-Id
> > AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time, integer
> > AcctColumnDef ACCTTERMINATECAUSE, Acct-Terminate-Cause, integer
> > AcctColumnDef NASIDENTIFIER, NAS-IP-Address
> > AcctColumnDef NASPORT, NAS-Port, integer
> > AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
> > </AuthBy>
> >
> > <AuthBy SQL>
> > Identifier SQLAccountingStops
> > DBSource dbi:mysql:RADIUS
> > DBUsername raduser
> > DBAuth xxxxxx
> >
> > # empty AuthSelect clause, no authentication
> > AuthSelect
> >
> > # we only want stop packets
> > AccountingStopsOnly
> >
> > #Accounting table definition
> > AccountingTable ACCOUNTING
> > AcctColumnDef USERNAME, User-Name
> > AcctColumnDef TIME_STAMP, Timestamp, integer
> > AcctColumnDef ACCTSTATUSTYPE, Acct-Status-Type
> > AcctColumnDef ACCTDELAYTIME, Acct-Delay-Time, integer
> > AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets, integer
> > AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets, integer
> > AcctColumnDef ACCTSESSIONID, Acct-Session-Id
> > AcctColumnDef ACCTSESSIONTIME, Acct-Session-Time, integer
> > AcctColumnDef ACCTTERMINATECAUSE, Acct-Terminate-Cause, integer
> > AcctColumnDef NASIDENTIFIER, NAS-IP-Address
> > AcctColumnDef NASPORT, NAS-Port, integer
> > AcctColumnDef FRAMEDIPADDRESS, Framed-IP-Address
> >
> > # AcctSQL Statements
> > </AuthBy>
> >
> > <AuthBy FILE>
> > Identifier UserFile
> > Filename %D/users
> > CaseInsensitivePasswords # passwords case insensitive
> > DefaultSimultaneousUse 1 # Can be overridden on a per user basis.
> > </AuthBy>
> >
> > #==================
> > # Realms
> > #==================
> > <Realm DEFAULT>
> > # Session Database to use
> > SessionDatabase RadiusSessionDB
> >
> > # AuthBy Policy -- we continue always
> > AuthByPolicy ContinueAlways
> >
> > AuthBy SQLAccountingStarts
> > AuthBy SQLAccountingStops
> > AuthBy UserFile
> >
> > # Log accounting to a detail file
> > # Detail filename in form of detail.dd_Mmm_yyy
> > AcctLogFileName %L/detail.%d_%v_%Y
> > </Realm>
> >
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
>
>--
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>-
>Nets: internetwork inventory and management - graphical, extensible,
>flexible with hardware, software, platform and database independence.
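
Added example, not part of the original thread and not Radiator code: a parser for the Access-Request bytes in the trace above that flags printf-style conversion specifiers such as `%s` in User-Name. The thread does not establish the cause of the crash, so treating these specifiers as suspicious is an assumption, and the function names are hypothetical.

```python
import re
import struct

# Packet bytes copied from the trace 5 dump in the message above.
PACKET = bytes.fromhex("".join("""
01 33 00 5b 31 32 33 34 35 36 37 38 39 30 31 32
33 34 35 36 01 07 61 62 63 25 73 06 06 00 00 00
02 04 06 cc fa 74 7a 05 06 00 00 04 d2 1e 0b 31
32 33 34 35 36 37 38 39 1f 0b 39 38 37 36 35 34
33 32 31 3d 06 00 00 00 00 02 12 97 e4 31 c8 af
5c 04 f6 bc 38 09 a0 d8 7d 78 99
""".split()))

USER_NAME = 1  # attribute type of User-Name in RFC 2865
# printf-style conversion: '%', optional flags/width/precision, a letter.
CONVERSION = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[A-Za-z]")


def parse_access_request(data):
    """Return (code, identifier, [(type, value), ...]) for one packet."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def suspicious_user_names(data):
    """Return [(user_name, [specifiers])] for names holding conversions."""
    hits = []
    for a_type, value in parse_access_request(data)[2]:
        if a_type != USER_NAME:
            continue
        name = value.decode("latin-1")  # latin-1 never fails on garbage bytes
        found = CONVERSION.findall(name)
        if found:
            hits.append((name, found))
    return hits

if __name__ == "__main__":
    print(suspicious_user_names(PACKET))
```
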
