(RADIATOR) Username/Password hacking while using AuthBy SQL

Frank Danielson fdanielson at csky.com
Wed Dec 10 14:43:37 CST 2003


Rodrigo-

If I understand you correctly, you are concerned that someone may insert
some characters or even SQL statements into the password in order to launch
some sort of attack against your database. I think the root of your issue is
the fact that you want to include the password in the queries; that opens up
any number of potential security issues, including the one you have described
here.

Lots of people use Radiator and allow users to have more than one session.
Maybe if you described in more detail exactly what you are trying to
accomplish by including the password in the query someone on the list might
have an interesting solution. If you have an end user that is using CHAP
authentication they are never going to send the password to you so it would
be impossible to use it in a query. If you are plugging potential security
loopholes I'm sure you are not letting people authenticate using PAP are
you?

Of course you could always do your own password character set checking in a
hook before sending the query out if you are so inclined.

-Frank

-----Original Message-----
From: Rodrigo Nuno Bragança da Cunha
[mailto:rodrigo.cunha at corp.vodafone.pt]
Sent: Tuesday, December 09, 2003 7:25 AM
To: radiator at open.com.au
Subject: Re: (RADIATOR) Username/Password hacking while using AuthBy SQL


Hugh Irvine wrote:

>
> Hello Rodrigo -
>
> You can use the UsernameCharset parameter to restrict the characters 
> in the username.
>
> See section 6.4.30 in the Radiator 3.7.1 reference manual.
>
> As far as the password is concerned, this field is only read from the 
> database and the comparison is done inside Radiator.
>
Well... it works, but is not enough. Won't work for SQL logging, for 
instance.

Also I need the password in the SQL query itself because there can be 
various active and valid sessions for the same username, and a query 
without password might return many valid sessions. So the password is 
exploitable also. Perhaps a "PasswordCharset" clause would work :-)

The Charset should apply to auth logging also, right?

I'm sending the configuration file. It works fine as is, except with 
malicious username/passwords ...

> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
Here goes the trace, including the SQL syntax errors, which could be 
exploited.

Thanks for the help!

Tue Dec  9 12:08:22 2003: DEBUG: Finished reading configuration file 
'/home/radius/Radiator-3.7.1/goodies/vpn3000-test00.cfg'
Tue Dec  9 12:08:22 2003: DEBUG: Reading dictionary file 
'/home/radius/Radiator-3.7.1/dictionary'
Tue Dec  9 12:08:22 2003: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Dec  9 12:08:22 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Dec  9 12:08:22 2003: NOTICE: Server started: Radiator 3.7.1 on 
radius-vpn.vf-pt.internal.vodafone.com
Tue Dec  9 12:08:25 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32784 ....
Code:       Access-Request
Identifier: 10
Authentic:  1234567890123456
Attributes:
        User-Name = "norte'gregwe"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = 
"<158><238>-<202><216>;<4><246><188>8<9><160><216>}x<153>"

Tue Dec  9 12:08:25 2003: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Dec  9 12:08:25 2003: INFO: Access rejected for norte'gregwe: 
Invalid character in User-Name
Tue Dec  9 12:08:25 2003: DEBUG: do query is: 'INSERT   INTO accountlog 
( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, 
comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for 
username norte'gregwe' )':

DBD::mysql::db do failed: You have an error in your SQL syntax near 
'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
Tue Dec  9 12:08:25 2003: ERR: do failed for 'INSERT    INTO accountlog 
( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, 
comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for 
username norte'gregwe' )': You have an error in your SQL syntax near 
'gregwe' )' at line 1
DBD::mysql::db do failed: You have an error in your SQL syntax near 
'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
Tue Dec  9 12:08:25 2003: ERR: do failed for 'INSERT    INTO accountlog 
( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, 
comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for 
username norte'gregwe' )': You have an error in your SQL syntax near 
'gregwe' )' at line 1
Tue Dec  9 12:08:25 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32784 ....
Code:       Access-Reject
Identifier: 10
Authentic:  1234567890123456
Attributes:
        Reply-Message = "Request Denied"

Tue Dec  9 12:08:25 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32784 ....
Code:       Accounting-Request
Identifier: 11
Authentic:  <201>T'<190><194><144><135>CW(<239><150>=~*m
Attributes:
        User-Name = "norte'gregwe"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Start
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0

Tue Dec  9 12:08:25 2003: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Tue Dec  9 12:08:30 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32784 ....
Code:       Accounting-Request
Identifier: 12
Authentic:  u|<216>d<156><134><5>x<236>w<220>A<238>P<240>f
Attributes:
        User-Name = "norte'gregwe"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = "00001234"
        Acct-Status-Type = Stop
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        Acct-Delay-Time = 0
        Acct-Session-Time = 1000
        Acct-Input-Octets = 20000
        Acct-Output-Octets = 30000

Tue Dec  9 12:08:30 2003: DEBUG: Handling request with Handler 
'Realm=DEFAULT'

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
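The trace above shows the failure mode under discussion: the username norte'gregwe is pasted straight into the accountlog INSERT, the stray quote breaks the statement, and MySQL reports a syntax error. Frank's two suggestions were a character-set check before the query goes out and keeping raw user input out of the SQL text. The Python below is an added example, not code from Radiator or from anyone on the list: it rebuilds the INSERT from the trace against an in-memory SQLite stand-in for the accountlog table (column names from the trace, column types assumed, MySQL's unix_timestamp() emulated), shows that the interpolated form fails on that username exactly as the trace does, and shows the two mitigations: an allowlist check in the spirit of UsernameCharset (the allowed set is an assumption) and the same INSERT with the username passed as a bound parameter.

```python
import re
import sqlite3
import time

# Constructed sample input: the username seen in the trace above.
SAMPLE_USERNAME = "norte'gregwe"

# Allowlist of characters permitted in a username. This mirrors the idea
# behind Radiator's UsernameCharset parameter; the set itself is an assumption.
USERNAME_CHARSET = re.compile(r"[A-Za-z0-9._@-]+")


def value_is_clean(value: str) -> bool:
    """Return True if every character of value is in the allowlist."""
    return USERNAME_CHARSET.fullmatch(value) is not None


def build_naive_query(username: str) -> str:
    """Build the INSERT the way the trace shows it: the username is pasted
    straight into the SQL text, so a quote character breaks the statement."""
    return (
        "INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, "
        "authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), "
        f"0, 0, 0, 'Auth Failure for username {username}' )"
    )


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the accountlog table (column names from the
    trace; types are assumed). unix_timestamp() is MySQL's, so it is emulated."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("unix_timestamp", 0, lambda: int(time.time()))
    conn.execute(
        "CREATE TABLE accountlog ("
        " id INTEGER, idsession INTEGER, timestamp INTEGER,"
        " authaccountQ INTEGER, authsuccessQ INTEGER, duration INTEGER,"
        " comments TEXT)"
    )
    return conn


def log_failure_naive(conn: sqlite3.Connection, username: str) -> bool:
    """Run the interpolated statement. False means the database rejected it,
    which is the 'do failed ... error in your SQL syntax' seen in the trace."""
    try:
        conn.execute(build_naive_query(username))
        return True
    except sqlite3.Error:
        return False


def log_failure_parameterized(conn: sqlite3.Connection, username: str) -> str:
    """Same INSERT with the username passed as a bound parameter. The driver
    keeps it as data, so quotes are stored rather than parsed as SQL.
    Returns the comments value that was actually stored."""
    conn.execute(
        "INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, "
        "authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), "
        "0, 0, 0, ? )",
        ("Auth Failure for username " + username,),
    )
    row = conn.execute(
        "SELECT comments FROM accountlog ORDER BY rowid DESC LIMIT 1"
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = open_db()
    print("charset check passes:", value_is_clean(SAMPLE_USERNAME))
    print("naive insert succeeded:", log_failure_naive(db, SAMPLE_USERNAME))
    print("parameterized stored:", log_failure_parameterized(db, SAMPLE_USERNAME))
```

The charset check is the cheap filter Frank describes doing in a hook: it rejects the request before any SQL is built, which is also what the trace shows Radiator's own UsernameCharset doing for the authentication step (but not for the logging query). The bound-parameter form is the fix that holds regardless of charset, and it applies equally to a password that has to appear in a session-selection query, since a bound value is never parsed as SQL.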