(RADIATOR) Username/Password hacking while using AuthBy SQL
Rodrigo Nuno Bragança da Cunha
rodrigo.cunha at corp.vodafone.pt
Thu Dec 11 06:16:33 CST 2003
Yes, that's what I wanted to avoid, but since it's probably the only way
let's just do it :-)
Thanks!
Hugh Irvine wrote:
>
> Hello Rodrigo -
>
> In this case you should probably write a hook to run the SQL query and
> parse the rows that come back.
>
> regards
>
> Hugh
>
>
> On 10/12/2003, at 11:15 PM, Rodrigo Nuno Bragança da Cunha wrote:
>
>> Oh, I didn't see that, thanks! Mea culpa.
>>
>> Ok, half the problem solved :-)
>>
>> How about the password?... since in order to support various valid
>> sessions for the same username the password must be part of the
>> search query, right? Without the password the query might return
>> multiple lines, and Radiator will only look in the first, or is there
>> something I'm not seeing here?
>>
>> Hugh Irvine wrote:
>>
>>>
>>> Hello Rodrigo -
>>>
>>> As Mike says below, you can use %4 for the quoted username instead
>>> of %U in your AuthLog.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: Mike McCauley <mikem at open.com.au>
>>>> Date: 10 December 2003 11:34:46 AM
>>>> To: Hugh Irvine <hugh at open.com.au>
>>>> Subject: Re: Fwd: (RADIATOR) Username/Password hacking while using
>>>> AuthBy SQL
>>>>
>>>> Hi Hugh,
>>>>
>>>>
>>>> On Wed, 10 Dec 2003 10:12 am, Hugh Irvine wrote:
>>>>
>>>>> Morning Mikey -
>>>>>
>>>>> Here is a further query regarding malicious characters in
>>>>> usernames and passwords affecting SQL logging.
>>>>
>>>>
>>>>
>>>>
>>>> in Log SQL, the SQL _quoted_ user name is available as %4. So if
>>>> you use %4, I would see no probs with username.
>>>>
>>>> Cheers.
>>>>
>>>>>
>>>>> cheers
>>>>>
>>>>> Hugh
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>> From: Rodrigo Nuno Bragança da Cunha
>>>>>> <rodrigo.cunha at corp.vodafone.pt>
>>>>>> Date: 9 December 2003 11:24:48 PM
>>>>>> To: radiator at open.com.au
>>>>>> Subject: Re: (RADIATOR) Username/Password hacking while using AuthBy
>>>>>> SQL
>>>>>>
>>>>>> Hugh Irvine wrote:
>>>>>>
>>>>>>> Hello Rodrigo -
>>>>>>>
>>>>>>> You can use the UsernameCharset parameter to restrict the
>>>>>>> characters in the username.
>>>>>>>
>>>>>>> See section 6.4.30 in the Radiator 3.7.1 reference manual.
>>>>>>>
>>>>>>> As far as the password is concerned, this field is only read
>>>>>>> from the database and the comparison is done inside Radiator.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Well... it works, but is not enough. Won't work for SQL logging,
>>>>>> for instance.
>>>>>>
>>>>>> Also I need the password in the SQL query itself because there
>>>>>> can be various active and valid sessions for the same username,
>>>>>> and a query without password might return many valid sessions.
>>>>>> So the password is exploitable also. Perhaps a "PasswordCharset"
>>>>>> clause would work :-)
>>>>>>
>>>>>> The Charset should apply to auth logging also, right?
>>>>>>
>>>>>> I'm sending the configuration file. It works fine as is, except with
>>>>>> malicious username/passwords ...
>>>>>>
>>>>>>> NB: have you included a copy of your configuration file (no
>>>>>>> secrets), together with a trace 4 debug showing what is happening?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Here goes the trace, including the SQL syntax errors, which could be
>>>>>> exploited.
>>>>>>
>>>>>> Thanks for the help!
>>>>>>
>>>>>> Tue Dec 9 12:08:22 2003: DEBUG: Finished reading configuration file
>>>>>> '/home/radius/Radiator-3.7.1/goodies/vpn3000-test00.cfg'
>>>>>> Tue Dec 9 12:08:22 2003: DEBUG: Reading dictionary file
>>>>>> '/home/radius/Radiator-3.7.1/dictionary'
>>>>>> Tue Dec 9 12:08:22 2003: DEBUG: Creating authentication port
>>>>>> 0.0.0.0:1645
>>>>>> Tue Dec 9 12:08:22 2003: DEBUG: Creating accounting port
>>>>>> 0.0.0.0:1646
>>>>>> Tue Dec 9 12:08:22 2003: NOTICE: Server started: Radiator 3.7.1 on
>>>>>> radius-vpn.vf-pt.internal.vodafone.com
>>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
>>>>>> *** Received from 127.0.0.1 port 32784 ....
>>>>>> Code: Access-Request
>>>>>> Identifier: 10
>>>>>> Authentic: 1234567890123456
>>>>>> Attributes:
>>>>>> User-Name = "norte'gregwe"
>>>>>> Service-Type = Framed-User
>>>>>> NAS-IP-Address = 203.63.154.1
>>>>>> NAS-Port = 1234
>>>>>> Called-Station-Id = "123456789"
>>>>>> Calling-Station-Id = "987654321"
>>>>>> NAS-Port-Type = Async
>>>>>> User-Password = "<158><238>-<202><216>;<4><246><188>8<9><160><216>}x<153>"
>>>>>>
>>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler
>>>>>> 'Realm=DEFAULT'
>>>>>> Tue Dec 9 12:08:25 2003: INFO: Access rejected for norte'gregwe:
>>>>>> Invalid character in User-Name
>>>>>> Tue Dec 9 12:08:25 2003: DEBUG: do query is: 'INSERT INTO
>>>>>> accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,
>>>>>> duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth
>>>>>> Failure for username norte'gregwe' )':
>>>>>>
>>>>>> DBD::mysql::db do failed: You have an error in your SQL syntax near
>>>>>> 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
>>>>>> Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO
>>>>>> accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,
>>>>>> duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth
>>>>>> Failure for username norte'gregwe' )': You have an error in your SQL
>>>>>> syntax near 'gregwe' )' at line 1
>>>>>> DBD::mysql::db do failed: You have an error in your SQL syntax near
>>>>>> 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
>>>>>> Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO
>>>>>> accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ,
>>>>>> duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth
>>>>>> Failure for username norte'gregwe' )': You have an error in your SQL
>>>>>> syntax near 'gregwe' )' at line 1
>>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
>>>>>> *** Sending to 127.0.0.1 port 32784 ....
>>>>>> Code: Access-Reject
>>>>>> Identifier: 10
>>>>>> Authentic: 1234567890123456
>>>>>> Attributes:
>>>>>> Reply-Message = "Request Denied"
>>>>>>
>>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
>>>>>> *** Received from 127.0.0.1 port 32784 ....
>>>>>> Code: Accounting-Request
>>>>>> Identifier: 11
>>>>>> Authentic: <201>T'<190><194><144><135>CW(<239><150>=~*m
>>>>>> Attributes:
>>>>>> User-Name = "norte'gregwe"
>>>>>> Service-Type = Framed-User
>>>>>> NAS-IP-Address = 203.63.154.1
>>>>>> NAS-Port = 1234
>>>>>> NAS-Port-Type = Async
>>>>>> Acct-Session-Id = "00001234"
>>>>>> Acct-Status-Type = Start
>>>>>> Called-Station-Id = "123456789"
>>>>>> Calling-Station-Id = "987654321"
>>>>>> Acct-Delay-Time = 0
>>>>>>
>>>>>> Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler
>>>>>> 'Realm=DEFAULT'
>>>>>> Tue Dec 9 12:08:30 2003: DEBUG: Packet dump:
>>>>>> *** Received from 127.0.0.1 port 32784 ....
>>>>>> Code: Accounting-Request
>>>>>> Identifier: 12
>>>>>> Authentic: u|<216>d<156><134><5>x<236>w<220>A<238>P<240>f
>>>>>> Attributes:
>>>>>> User-Name = "norte'gregwe"
>>>>>> Service-Type = Framed-User
>>>>>> NAS-IP-Address = 203.63.154.1
>>>>>> NAS-Port = 1234
>>>>>> NAS-Port-Type = Async
>>>>>> Acct-Session-Id = "00001234"
>>>>>> Acct-Status-Type = Stop
>>>>>> Called-Station-Id = "123456789"
>>>>>> Calling-Station-Id = "987654321"
>>>>>> Acct-Delay-Time = 0
>>>>>> Acct-Session-Time = 1000
>>>>>> Acct-Input-Octets = 20000
>>>>>> Acct-Output-Octets = 30000
>>>>>>
>>>>>> Tue Dec 9 12:08:30 2003: DEBUG: Handling request with Handler
>>>>>> 'Realm=DEFAULT'
>>>>>>
>>>>>> # vpn3000 suppliers access, prototype configuration
>>>>>>
>>>>>> Foreground
>>>>>> LogStdout
>>>>>> LogDir /home/radius/Radiator-3.7.1/logs
>>>>>> DbDir /home/radius/Radiator-3.7.1
>>>>>> # User a lower trace level in production systems:
>>>>>> Trace 4
>>>>>>
>>>>>>
>>>>>> # One of these for each NAS you want to work with
>>>>>> <Client DEFAULT>
>>>>>> Secret ***********
>>>>>> DupInterval 0
>>>>>> </Client>
>>>>>>
>>>>>> <AuthBy SQL> # {{{ Identifier auth_adsl_sql
>>>>>> Identifier auth_sql_session
>>>>>>
>>>>>> DBSource dbi:mysql:bd_remote:127.0.0.1
>>>>>> DBUsername **********
>>>>>> DBAuth **********
>>>>>>
>>>>>> NoDefaultIfFound # does not look up the DEFAULT user
>>>>>> NoDefault # (no matter what)
>>>>>>
>>>>>> AuthSelect \
>>>>>> SELECT session.id, session.password \
>>>>>> FROM suppliers, session \
>>>>>> LEFT OUTER JOIN accountlog \
>>>>>> ON session.id = accountlog.idsession \
>>>>>> WHERE accountlog.idsession IS NULL AND \
>>>>>> session.timestamp > unix_timestamp()-1800 AND \
>>>>>> session.idsupplier = suppliers.id AND \
>>>>>> suppliers.nickname = '%U' AND \
>>>>>> session.password = '%P' ;
>>>>>> AuthColumnDef 0,Class, reply
>>>>>> AuthColumnDef 1,Password, check
>>>>>>
>>>>>>
>>>>>> # HandleAcctStatusTypes Start,Stop
>>>>>> AcctSQLStatement INSERT INTO accountlog \
>>>>>> ( id, idsession, timestamp, authaccountQ, \
>>>>>> authsuccessQ, duration, comments ) \
>>>>>> VALUES \
>>>>>> ( 0, 0%{Class}, unix_timestamp(), 1, 0,\
>>>>>> 0%{Acct-Session-Time}, \
>>>>>> '%{Acct-Status-Type} Record for username %U' )
>>>>>>
>>>>>> </AuthBy> # }}}
>>>>>>
>>>>>> <Realm DEFAULT>
>>>>>> PasswordLogFileName %L/password.log
>>>>>> AuthByPolicy ContinueUntilAccept
>>>>>> AuthBy auth_sql_session
>>>>>> UsernameCharset a-zA-Z0-9
>>>>>>
>>>>>> <AuthLog SQL>
>>>>>>
>>>>>> DBSource dbi:mysql:bd_remote:127.0.0.1
>>>>>> DBUsername **********
>>>>>> DBAuth **********
>>>>>>
>>>>>> LogSuccess 1
>>>>>> LogFailure 1
>>>>>>
>>>>>> SuccessQuery INSERT INTO accountlog \
>>>>>> ( id, idsession, timestamp, authaccountQ, \
>>>>>> authsuccessQ, duration, comments ) \
>>>>>> VALUES \
>>>>>> ( 0, 0%{Reply:Class}, unix_timestamp(), 0, 1, \
>>>>>> 0, 'Auth Sucess for username %U' );
>>>>>>
>>>>>> FailureQuery INSERT INTO accountlog \
>>>>>> ( id, idsession, timestamp, authaccountQ, \
>>>>>> authsuccessQ, duration, comments ) \
>>>>>> VALUES \
>>>>>> ( 0, 0%{Reply:Class}, unix_timestamp(), 0, 0, \
>>>>>> 0, 'Auth Failure for username %U' )
>>>>>>
>>>>>> </AuthLog>
>>>>>> AcctLogFileName %D/detail
>>>>>> </Realm>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Mike McCauley mikem at open.com.au
>>>> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
>>>> 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
>>>> Phone +61 3 9598-0985 Fax +61 3 9598-0955
>>>>
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>>
>>>>
>>>
>>
>>
>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
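The thread above turns on two points: the posted AuthLog FailureQuery pastes %U straight into the SQL text (which is why `norte'gregwe` produces the syntax errors in the trace), and the AuthSelect puts the password into the query because the same username can have several live sessions. The following is an added illustration of the approach Hugh and Mike describe, written for this archive page; it is not Radiator code and it does not use Radiator's hook API. It uses Python and an in-memory SQLite database instead of Radiator's Perl/DBI and MySQL, reuses the table and column names from the posted configuration, and fills them with constructed sample rows. Bound parameters stand in for the role the SQL-quoted `%4` plays in the logging query; `find_session` is the hook-style lookup that fetches every live session for the username and compares the password in code rather than in SQL.

```python
import hmac
import re
import sqlite3
import time

# Mirrors "UsernameCharset a-zA-Z0-9" from the posted Realm configuration.
USERNAME_RE = re.compile(r"^[a-zA-Z0-9]+$")
SESSION_MAX_AGE = 1800  # matches "session.timestamp > unix_timestamp()-1800"


def build_db():
    """Constructed in-memory copy of the three tables the posted config uses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE suppliers (id INTEGER PRIMARY KEY, nickname TEXT);
        CREATE TABLE session (id INTEGER PRIMARY KEY, idsupplier INTEGER,
                              password TEXT, timestamp INTEGER);
        CREATE TABLE accountlog (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                 idsession INTEGER, timestamp INTEGER,
                                 authaccountQ INTEGER, authsuccessQ INTEGER,
                                 duration INTEGER, comments TEXT);
    """)
    now = int(time.time())
    conn.execute("INSERT INTO suppliers VALUES (1, 'norte')")
    # Sample rows (constructed): supplier 'norte' has two live sessions, one
    # expired session, and one that already has a Stop record in accountlog.
    conn.executemany("INSERT INTO session VALUES (?, ?, ?, ?)", [
        (10, 1, "pw-one", now),
        (11, 1, "pw-two", now),
        (12, 1, "pw-old", now - 2 * SESSION_MAX_AGE),
        (13, 1, "pw-used", now),
    ])
    conn.execute(
        "INSERT INTO accountlog (idsession, timestamp, authaccountQ, authsuccessQ, "
        "duration, comments) VALUES (13, ?, 1, 0, 1000, 'Stop Record for username norte')",
        (now,),
    )
    return conn


def log_failure_interpolated(conn, username):
    """The FailureQuery as the posted config builds it: %U pasted into the SQL text.
    Returns None on success or the database error text, as seen in the trace."""
    sql = (
        "INSERT INTO accountlog (idsession, timestamp, authaccountQ, authsuccessQ, "
        "duration, comments) VALUES (0, %d, 0, 0, 0, 'Auth Failure for username %s')"
        % (int(time.time()), username)
    )
    try:
        conn.execute(sql)
        return None
    except sqlite3.Error as err:
        return str(err)


def log_failure_bound(conn, username):
    """Same row, but the username travels as a bound parameter (the role the
    SQL-quoted %4 plays in Radiator's AuthLog). Returns the stored comment."""
    cur = conn.execute(
        "INSERT INTO accountlog (idsession, timestamp, authaccountQ, authsuccessQ, "
        "duration, comments) VALUES (0, ?, 0, 0, 0, ?)",
        (int(time.time()), "Auth Failure for username " + username),
    )
    row = conn.execute("SELECT comments FROM accountlog WHERE id = ?",
                       (cur.lastrowid,)).fetchone()
    return row[0]


def find_session(conn, username, password):
    """Hook-style lookup: fetch every live session for the username with a bound
    parameter, then compare the password in code. Returns the session id to
    hand back as Class, or None."""
    if not USERNAME_RE.match(username):
        return None  # the same rejection as "Invalid character in User-Name"
    rows = conn.execute(
        """
        SELECT session.id, session.password
        FROM session
        JOIN suppliers ON session.idsupplier = suppliers.id
        LEFT OUTER JOIN accountlog ON session.id = accountlog.idsession
        WHERE accountlog.idsession IS NULL
          AND session.timestamp > ? - ?
          AND suppliers.nickname = ?
        """,
        (int(time.time()), SESSION_MAX_AGE, username),
    ).fetchall()
    for session_id, stored in rows:
        # Constant-time comparison; the password never reaches the SQL text.
        if hmac.compare_digest(stored.encode(), password.encode()):
            return session_id
    return None


def run_scenarios():
    """Exercise the three functions with the username from the trace."""
    conn = build_db()
    bad_name = "norte'gregwe"
    return {
        "interpolated_error": log_failure_interpolated(conn, bad_name),
        "bound_comment": log_failure_bound(conn, bad_name),
        "second_live_session": find_session(conn, "norte", "pw-two"),
        "expired_session": find_session(conn, "norte", "pw-old"),
        "closed_session": find_session(conn, "norte", "pw-used"),
        "wrong_password": find_session(conn, "norte", "nope"),
        "bad_charset": find_session(conn, bad_name, "pw-one"),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value!r}")
```

Running the script shows the interpolated insert failing on the quote character while the bound insert stores `norte'gregwe` verbatim, and `find_session` picking the second live session by password without either value ever being spliced into SQL; the expired session, the session that already has a Stop record, a wrong password and a username outside the charset all come back as None.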