(RADIATOR) Username/Password hacking while using AuthBy SQL
Rodrigo Nuno Bragança da Cunha
rodrigo.cunha at corp.vodafone.pt
Tue Dec 9 06:24:48 CST 2003
Hugh Irvine wrote:
>
> Hello Rodrigo -
>
> You can use the UsernameCharset parameter to restrict the characters
> in the username.
>
> See section 6.4.30 in the Radiator 3.7.1 reference manual.
>
> As far as the password is concerned, this field is only read from the
> database and the comparison is done inside Radiator.
>
Well... it works, but it is not enough. It won't work for SQL logging, for
instance.
Also I need the password in the SQL query itself because there can be
various active and valid sessions for the same username, and a query
without password might return many valid sessions. So the password is
exploitable also. Perhaps a "PasswordCharset" clause would work :-)
The Charset should apply to auth logging also, right?
I'm sending the configuration file. It works fine as is, except with
malicious username/passwords ...
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
Here goes the trace, including the SQL syntax errors, which could be
exploited.
Thanks for the help!
Tue Dec 9 12:08:22 2003: DEBUG: Finished reading configuration file
'/home/radius/Radiator-3.7.1/goodies/vpn3000-test00.cfg'
Tue Dec 9 12:08:22 2003: DEBUG: Reading dictionary file
'/home/radius/Radiator-3.7.1/dictionary'
Tue Dec 9 12:08:22 2003: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Dec 9 12:08:22 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Dec 9 12:08:22 2003: NOTICE: Server started: Radiator 3.7.1 on
radius-vpn.vf-pt.internal.vodafone.com
Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32784 ....
Code: Access-Request
Identifier: 10
Authentic: 1234567890123456
Attributes:
User-Name = "norte'gregwe"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
"<158><238>-<202><216>;<4><246><188>8<9><160><216>}x<153>"
Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Dec 9 12:08:25 2003: INFO: Access rejected for norte'gregwe:
Invalid character in User-Name
Tue Dec 9 12:08:25 2003: DEBUG: do query is: 'INSERT INTO accountlog
( id, idsession, timestamp, authaccountQ, authsuccessQ, duration,
comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for
username norte'gregwe' )':
DBD::mysql::db do failed: You have an error in your SQL syntax near
'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO accountlog
( id, idsession, timestamp, authaccountQ, authsuccessQ, duration,
comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for
username norte'gregwe' )': You have an error in your SQL syntax near
'gregwe' )' at line 1
DBD::mysql::db do failed: You have an error in your SQL syntax near
'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO accountlog
( id, idsession, timestamp, authaccountQ, authsuccessQ, duration,
comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for
username norte'gregwe' )': You have an error in your SQL syntax near
'gregwe' )' at line 1
Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32784 ....
Code: Access-Reject
Identifier: 10
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32784 ....
Code: Accounting-Request
Identifier: 11
Authentic: <201>T'<190><194><144><135>CW(<239><150>=~*m
Attributes:
User-Name = "norte'gregwe"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Dec 9 12:08:30 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32784 ....
Code: Accounting-Request
Identifier: 12
Authentic: u|<216>d<156><134><5>x<236>w<220>A<238>P<240>f
Attributes:
User-Name = "norte'gregwe"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Tue Dec 9 12:08:30 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vvvv
URL: <http://www.open.com.au/pipermail/radiator/attachments/20031209/2f02a402/attachment.ksh>
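The failing INSERT in the trace, as an added illustration that is not Radiator's code: Python with an in-memory SQLite table standing in for the MySQL accountlog table. It shows the interpolated statement breaking on the quote in the username exactly as DBD::mysql reported, the same statement with a bound parameter so the username is carried as data, and the password-bearing session lookup that the message says needs the password in the query, done the same way. The character-class check standing in for UsernameCharset, the sessions table, the sample password and the use of strftime('%s','now') in place of unix_timestamp() are constructed assumptions for this example.

```python
import re
import sqlite3

# Constructed sample attributes, mirroring the User-Name from the trace.
SAMPLE_USERNAME = "norte'gregwe"
SAMPLE_PASSWORD = "p'ss;word--"   # constructed: quote and comment characters inside a password


def open_db():
    """In-memory SQLite stand-in for the MySQL accountlog table in the trace (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accountlog (id INTEGER, idsession INTEGER, timestamp INTEGER,"
        " authaccountQ INTEGER, authsuccessQ INTEGER, duration INTEGER, comments TEXT)"
    )
    # Constructed sessions table: one active session for the sample user.
    conn.execute("CREATE TABLE sessions (username TEXT, password TEXT, active INTEGER)")
    conn.execute("INSERT INTO sessions VALUES (?, ?, 1)", (SAMPLE_USERNAME, SAMPLE_PASSWORD))
    conn.commit()
    return conn


def build_query_unsafe(username):
    """String interpolation, as in the INSERT that failed in the trace.
    unix_timestamp() is MySQL-only; strftime('%s','now') is the SQLite equivalent."""
    return ("INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,"
            " duration, comments ) VALUES ( 0, 0, strftime('%s','now'), 0, 0, 0,"
            " 'Auth Failure for username " + username + "' )")


def log_auth_failure_unsafe(conn, username):
    """Returns 'ok' or the driver's error text; a quote in the username ends the
    string literal early and the rest is parsed as SQL, hence the syntax error."""
    try:
        conn.execute(build_query_unsafe(username))
        conn.commit()
        return "ok"
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def log_auth_failure_safe(conn, username):
    """Bound parameter: the driver sends the username as data, never as SQL text.
    Returns the number of rows inserted."""
    cur = conn.execute(
        "INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,"
        " duration, comments ) VALUES ( 0, 0, strftime('%s','now'), 0, 0, 0, ? )",
        ("Auth Failure for username " + username,),
    )
    conn.commit()
    return cur.rowcount


def stored_comments(conn):
    """What actually landed in the log table, for checking the safe path."""
    return [row[0] for row in conn.execute("SELECT comments FROM accountlog")]


def count_active_sessions_safe(conn, username, password):
    """The session lookup that needs the password in the WHERE clause, with both
    values bound; quotes in the password are then just password characters."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sessions WHERE username = ? AND password = ? AND active = 1",
        (username, password),
    ).fetchone()
    return row[0]


# Assumption: a character class standing in for the effect of UsernameCharset.
USERNAME_CHARSET = re.compile(r"^[A-Za-z0-9._@-]+$")


def username_allowed(username):
    """Reject usernames containing characters outside the allowed set."""
    return bool(USERNAME_CHARSET.match(username))


if __name__ == "__main__":
    conn = open_db()
    print("charset check:", username_allowed(SAMPLE_USERNAME))
    print("unsafe insert:", log_auth_failure_unsafe(conn, SAMPLE_USERNAME))
    print("safe insert rows:", log_auth_failure_safe(conn, SAMPLE_USERNAME))
    print("stored:", stored_comments(conn))
    print("active sessions:", count_active_sessions_safe(conn, SAMPLE_USERNAME, SAMPLE_PASSWORD))
```

The charset check is the control the reply above recommends, and it is fine as defence in depth, but it only protects the fields it is applied to; binding every request-derived value (username and password alike) is what removes the syntax error and the injection risk from the logging and session queries together.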