(RADIATOR) Username/Password hacking while using AuthBy SQL
Hugh Irvine
hugh at open.com.au
Wed Dec 10 14:43:05 CST 2003
Hello Rodrigo -
In this case you should probably write a hook to run the SQL query and
parse the rows that come back.
regards
Hugh
On 10/12/2003, at 11:15 PM, Rodrigo Nuno Bragança da Cunha wrote:
> Oh, I didn't see that, thanks! Mea culpa.
>
> Ok, half the problem solved :-)
>
> How about the password?... since in order to support various valid
> sessions for the same username the password must be part of the search
> query, right? Without the password the query might return multiple
> lines, and Radiator will only look in the first, or is there something
> I'm not seeing here?
>
> Hugh Irvine wrote:
>
>>
>> Hello Rodrigo -
>>
>> As Mike says below, you can use %4 for the quoted username instead of
>> %U in your AuthLog.
>>
>> regards
>>
>> Hugh
>>
>>
>> Begin forwarded message:
>>
>>> From: Mike McCauley <mikem at open.com.au>
>>> Date: 10 December 2003 11:34:46 AM
>>> To: Hugh Irvine <hugh at open.com.au>
>>> Subject: Re: Fwd: (RADIATOR) Username/Password hacking while using AuthBy SQL
>>>
>>> Hi Hugh,
>>>
>>>
>>> On Wed, 10 Dec 2003 10:12 am, Hugh Irvine wrote:
>>>
>>>> Morning Mikey -
>>>>
>>>> Here is a further query regarding malicious characters in usernames and
>>>> passwords affecting SQL logging.
>>>
>>>
>>>
>>> In Log SQL, the SQL _quoted_ user name is available as %4. So if you
>>> use %4, I would see no probs with username.
>>>
>>> Cheers.
>>>
>>>>
>>>> cheers
>>>>
>>>> Hugh
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: Rodrigo Nuno Bragança da Cunha <rodrigo.cunha at corp.vodafone.pt>
>>>>> Date: 9 December 2003 11:24:48 PM
>>>>> To: radiator at open.com.au
>>>>> Subject: Re: (RADIATOR) Username/Password hacking while using AuthBy SQL
>>>>>
>>>>> Hugh Irvine wrote:
>>>>>
>>>>>> Hello Rodrigo -
>>>>>>
>>>>>> You can use the UsernameCharset parameter to restrict the characters
>>>>>> in the username.
>>>>>>
>>>>>> See section 6.4.30 in the Radiator 3.7.1 reference manual.
>>>>>>
>>>>>> As far as the password is concerned, this field is only read from the
>>>>>> database and the comparison is done inside Radiator.
>>>>>
>>>>>
>>>>> Well... it works, but it is not enough. It won't work for SQL logging,
>>>>> for instance.
>>>>>
>>>>> Also I need the password in the SQL query itself because there can be
>>>>> various active and valid sessions for the same username, and a query
>>>>> without password might return many valid sessions. So the password is
>>>>> exploitable also. Perhaps a "PasswordCharset" clause would work :-)
>>>>>
>>>>> The Charset should apply to auth logging also, right?
>>>>>
>>>>> I'm sending the configuration file. It works fine as is, except with
>>>>> malicious username/passwords ...
>>>>>
>>>>>> NB: have you included a copy of your configuration file (no secrets),
>>>>>> together with a trace 4 debug showing what is happening?
>>>>>
>>>>>
>>>>> Here goes the trace, including the SQL syntax errors, which could be
>>>>> exploited.
>>>>>
>>>>> Thanks for the help!
>>>>>
>>>>> Tue Dec 9 12:08:22 2003: DEBUG: Finished reading configuration file '/home/radius/Radiator-3.7.1/goodies/vpn3000-test00.cfg'
>>>>> Tue Dec 9 12:08:22 2003: DEBUG: Reading dictionary file '/home/radius/Radiator-3.7.1/dictionary'
>>>>> Tue Dec 9 12:08:22 2003: DEBUG: Creating authentication port 0.0.0.0:1645
>>>>> Tue Dec 9 12:08:22 2003: DEBUG: Creating accounting port 0.0.0.0:1646
>>>>> Tue Dec 9 12:08:22 2003: NOTICE: Server started: Radiator 3.7.1 on radius-vpn.vf-pt.internal.vodafone.com
>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
>>>>> *** Received from 127.0.0.1 port 32784 ....
>>>>> Code: Access-Request
>>>>> Identifier: 10
>>>>> Authentic: 1234567890123456
>>>>> Attributes:
>>>>> User-Name = "norte'gregwe"
>>>>> Service-Type = Framed-User
>>>>> NAS-IP-Address = 203.63.154.1
>>>>> NAS-Port = 1234
>>>>> Called-Station-Id = "123456789"
>>>>> Calling-Station-Id = "987654321"
>>>>> NAS-Port-Type = Async
>>>>> User-Password = "<158><238>-<202><216>;<4><246><188>8<9><160><216>}x<153>"
>>>>>
>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>>> Tue Dec 9 12:08:25 2003: INFO: Access rejected for norte'gregwe: Invalid character in User-Name
>>>>> Tue Dec 9 12:08:25 2003: DEBUG: do query is: 'INSERT INTO
>>>>> accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,
>>>>> duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0,
>>>>> 'Auth Failure for username norte'gregwe' )':
>>>>>
>>>>> DBD::mysql::db do failed: You have an error in your SQL syntax near
>>>>> 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
>>>>> Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO
>>>>> accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,
>>>>> duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0,
>>>>> 'Auth Failure for username norte'gregwe' )': You have an error in your
>>>>> SQL syntax near 'gregwe' )' at line 1
>>>>> DBD::mysql::db do failed: You have an error in your SQL syntax near
>>>>> 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
>>>>> Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO
>>>>> accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,
>>>>> duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0,
>>>>> 'Auth Failure for username norte'gregwe' )': You have an error in your
>>>>> SQL syntax near 'gregwe' )' at line 1
>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
>>>>> *** Sending to 127.0.0.1 port 32784 ....
>>>>> Code: Access-Reject
>>>>> Identifier: 10
>>>>> Authentic: 1234567890123456
>>>>> Attributes:
>>>>> Reply-Message = "Request Denied"
>>>>>
>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
>>>>> *** Received from 127.0.0.1 port 32784 ....
>>>>> Code: Accounting-Request
>>>>> Identifier: 11
>>>>> Authentic: <201>T'<190><194><144><135>CW(<239><150>=~*m
>>>>> Attributes:
>>>>> User-Name = "norte'gregwe"
>>>>> Service-Type = Framed-User
>>>>> NAS-IP-Address = 203.63.154.1
>>>>> NAS-Port = 1234
>>>>> NAS-Port-Type = Async
>>>>> Acct-Session-Id = "00001234"
>>>>> Acct-Status-Type = Start
>>>>> Called-Station-Id = "123456789"
>>>>> Calling-Station-Id = "987654321"
>>>>> Acct-Delay-Time = 0
>>>>>
>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>>> Tue Dec 9 12:08:30 2003: DEBUG: Packet dump:
>>>>> *** Received from 127.0.0.1 port 32784 ....
>>>>> Code: Accounting-Request
>>>>> Identifier: 12
>>>>> Authentic: u|<216>d<156><134><5>x<236>w<220>A<238>P<240>f
>>>>> Attributes:
>>>>> User-Name = "norte'gregwe"
>>>>> Service-Type = Framed-User
>>>>> NAS-IP-Address = 203.63.154.1
>>>>> NAS-Port = 1234
>>>>> NAS-Port-Type = Async
>>>>> Acct-Session-Id = "00001234"
>>>>> Acct-Status-Type = Stop
>>>>> Called-Station-Id = "123456789"
>>>>> Calling-Station-Id = "987654321"
>>>>> Acct-Delay-Time = 0
>>>>> Acct-Session-Time = 1000
>>>>> Acct-Input-Octets = 20000
>>>>> Acct-Output-Octets = 30000
>>>>>
>>>>> Tue Dec 9 12:08:30 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>>>
>>>>> # vpn3000 suppliers access, prototype configuration
>>>>>
>>>>> Foreground
>>>>> LogStdout
>>>>> LogDir /home/radius/Radiator-3.7.1/logs
>>>>> DbDir /home/radius/Radiator-3.7.1
>>>>> # Use a lower trace level in production systems:
>>>>> Trace 4
>>>>>
>>>>>
>>>>> # One of these for each NAS you want to work with
>>>>> <Client DEFAULT>
>>>>> Secret ***********
>>>>> DupInterval 0
>>>>> </Client>
>>>>>
>>>>> <AuthBy SQL> # {{{ Identifier auth_adsl_sql
>>>>> Identifier auth_sql_session
>>>>>
>>>>> DBSource dbi:mysql:bd_remote:127.0.0.1
>>>>> DBUsername **********
>>>>> DBAuth **********
>>>>>
>>>>> NoDefaultIfFound # does not look up the DEFAULT user
>>>>> NoDefault # (not under any circumstances)
>>>>>
>>>>> AuthSelect \
>>>>> SELECT session.id, session.password \
>>>>> FROM suppliers, session \
>>>>> LEFT OUTER JOIN accountlog \
>>>>> ON session.id = accountlog.idsession \
>>>>> WHERE accountlog.idsession IS NULL AND \
>>>>> session.timestamp > unix_timestamp()-1800 AND \
>>>>> session.idsupplier = suppliers.id AND \
>>>>> suppliers.nickname = '%U' AND \
>>>>> session.password = '%P' ;
>>>>> AuthColumnDef 0,Class, reply
>>>>> AuthColumnDef 1,Password, check
>>>>>
>>>>>
>>>>> # HandleAcctStatusTypes Start,Stop
>>>>> AcctSQLStatement INSERT INTO accountlog \
>>>>> ( id, idsession, timestamp, authaccountQ, \
>>>>> authsuccessQ, duration, comments ) \
>>>>> VALUES \
>>>>> ( 0, 0%{Class}, unix_timestamp(), 1, 0,\
>>>>> 0%{Acct-Session-Time}, \
>>>>> '%{Acct-Status-Type} Record for username %U' )
>>>>>
>>>>> </AuthBy> # }}}
>>>>>
>>>>> <Realm DEFAULT>
>>>>> PasswordLogFileName %L/password.log
>>>>> AuthByPolicy ContinueUntilAccept
>>>>> AuthBy auth_sql_session
>>>>> UsernameCharset a-zA-Z0-9
>>>>>
>>>>> <AuthLog SQL>
>>>>>
>>>>> DBSource dbi:mysql:bd_remote:127.0.0.1
>>>>> DBUsername **********
>>>>> DBAuth **********
>>>>>
>>>>> LogSuccess 1
>>>>> LogFailure 1
>>>>>
>>>>> SuccessQuery INSERT INTO accountlog \
>>>>> ( id, idsession, timestamp, authaccountQ, \
>>>>> authsuccessQ, duration, comments ) \
>>>>> VALUES \
>>>>> ( 0, 0%{Reply:Class}, unix_timestamp(), 0, 1, \
>>>>> 0, 'Auth Sucess for username %U' );
>>>>>
>>>>> FailureQuery INSERT INTO accountlog \
>>>>> ( id, idsession, timestamp, authaccountQ, \
>>>>> authsuccessQ, duration, comments ) \
>>>>> VALUES \
>>>>> ( 0, 0%{Reply:Class}, unix_timestamp(), 0, 0, \
>>>>> 0, 'Auth Failure for username %U' )
>>>>>
>>>>> </AuthLog>
>>>>> AcctLogFileName %D/detail
>>>>> </Realm>
>>>>
>>>>
>>>> NB: have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>
>>>
>>> --
>>> Mike McCauley mikem at open.com.au
>>> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++,
>>> WWW
>>> 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
>>> Phone +61 3 9598-0985 Fax +61 3 9598-0955
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>>> TLS,
>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
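Hugh's suggestion (run the query from a hook and compare the rows yourself) and Mike's point about the SQL-quoted %4, as an added example that is not from this thread and not Radiator's own code. It uses Python with an in-memory SQLite database rather than Radiator's Perl and the poster's MySQL; the table and column names follow the configuration above but the rows are constructed, the session query is trimmed to the columns the check needs, and `hmac.compare_digest` is this example's choice for the comparison, not something the thread prescribes:

```python
import hmac
import sqlite3

# Constructed in-memory schema: column names follow the config in this
# thread (suppliers, session, accountlog) but the tables are trimmed to what
# the example needs and are not Radiator's or the poster's real tables.
SCHEMA = """
CREATE TABLE suppliers (id INTEGER PRIMARY KEY, nickname TEXT);
CREATE TABLE session (id INTEGER PRIMARY KEY, idsupplier INTEGER,
                      password TEXT, timestamp INTEGER);
CREATE TABLE accountlog (id INTEGER PRIMARY KEY AUTOINCREMENT,
                         idsession INTEGER, timestamp INTEGER,
                         authaccountQ INTEGER, authsuccessQ INTEGER,
                         duration INTEGER, comments TEXT);
"""

LOG_INSERT = ("INSERT INTO accountlog (idsession, timestamp, authaccountQ, "
              "authsuccessQ, duration, comments) VALUES (0, 0, 0, 0, 0, ")


def open_db():
    """Create the constructed database with one supplier that currently
    holds two valid sessions, the situation Rodrigo describes."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO suppliers VALUES (1, 'norte')")
    db.executemany("INSERT INTO session VALUES (?, ?, ?, ?)",
                   [(10, 1, "first-pass", 1000), (11, 1, "second-pass", 1000)])
    return db


def log_failure_interpolated(db, username):
    """The FailureQuery from the thread: %U pasted raw into the statement.
    Returns True if the INSERT ran, False if the database rejected the SQL,
    which is what the trace shows for the username norte'gregwe."""
    sql = LOG_INSERT + "'Auth Failure for username %s')" % username
    try:
        db.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False


def log_failure_bound(db, username):
    """Same row written with a bound parameter, the equivalent of using the
    SQL-quoted %4 instead of %U: the driver quotes the value, so a quote in
    the username is stored literally. Returns the stored comment."""
    db.execute(LOG_INSERT + "?)", ("Auth Failure for username " + username,))
    return db.execute("SELECT comments FROM accountlog "
                      "ORDER BY id DESC LIMIT 1").fetchone()[0]


def authenticate(db, username, password, now=1500):
    """Hook-style check: select candidate sessions by username only (bound),
    then compare the password against every row rather than only the first,
    so the password never has to be part of the SQL at all.
    Returns the matching session id, or None."""
    rows = db.execute(
        "SELECT session.id, session.password FROM suppliers, session "
        "WHERE session.idsupplier = suppliers.id "
        "AND suppliers.nickname = ? AND session.timestamp > ?",
        (username, now - 1800)).fetchall()
    for session_id, stored in rows:
        # constant-time comparison of the stored and offered passwords
        if hmac.compare_digest(stored.encode(), password.encode()):
            return session_id
    return None


if __name__ == "__main__":
    db = open_db()
    print("raw %U with norte'gregwe ran:",
          log_failure_interpolated(db, "norte'gregwe"))
    print("bound parameter stored:", log_failure_bound(db, "norte'gregwe"))
    print("session for second-pass:", authenticate(db, "norte", "second-pass"))
```

The first function reproduces the failure in the trace (the statement is rejected, so the failed login is never logged); the second shows the same row written safely. The last function is the shape of hook Hugh describes: the username alone selects the candidate rows, and the password is checked row by row in code, which removes both the need for a "PasswordCharset" and the single-row limitation.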