[RADIATOR] Possible DOS attack against radiator with AuthPAM.pm ?
Markus Moeller
huaraz at moeller.plus.com
Thu Jun 4 03:34:31 CDT 2009
Mike,
I do the following (I think the dictionary error is the reason I don't have a username as an attribute):
radpwtst -secret secret -s devserver04 -auth_port 1812 -acct_port 1813
Thu Jun 4 08:29:32 2009: ERR: Attribute number 1 is not defined in your dictionary
Thu Jun 4 08:29:32 2009: ERR: Attribute number 6 is not defined in your dictionary
Thu Jun 4 08:29:32 2009: ERR: Attribute number 4 is not defined in your dictionary
Thu Jun 4 08:29:32 2009: ERR: Attribute number 32 is not defined in your dictionary
Thu Jun 4 08:29:32 2009: ERR: Attribute number 5 is not defined in your dictionary
Thu Jun 4 08:29:32 2009: ERR: Attribute number 30 is not defined in your dictionary
Thu Jun 4 08:29:32 2009: ERR: Attribute number 31 is not defined in your dictionary
Thu Jun 4 08:29:32 2009: ERR: Attribute number 61 is not defined in your dictionary
Thu Jun 4 08:29:32 2009: ERR: Attribute number 2 is not defined in your dictionary
Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
sending Access-Request...
No reply
Thu Jun 4 08:29:37 2009: ERR: Attribute number 1 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 6 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 4 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 32 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 5 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 61 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 44 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 40 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 30 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 31 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: ERR: Attribute number 41 is not defined in your dictionary
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
sending Accounting-Request Start...
No reply
Thu Jun 4 08:29:42 2009: ERR: Attribute number 1 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 6 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 4 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 32 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 5 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 61 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 44 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 40 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 30 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 31 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 41 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 46 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 42 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: ERR: Attribute number 43 is not defined in your dictionary
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
sending Accounting-Request Stop...
No reply
The Radiator log with trace 4 is:
Thu Jun 4 08:29:28 2009: DEBUG: include /opt/radiator/etc/radiator_tacacs.cfg
Thu Jun 4 08:29:28 2009: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
Thu Jun 4 08:29:28 2009: DEBUG: include /opt/radiator/etc/radiator_log.cfg
Thu Jun 4 08:29:28 2009: DEBUG: include /opt/radiator/etc/radiator_clients.cfg
Thu Jun 4 08:29:28 2009: DEBUG: include /opt/radiator/etc/radiator_authby.cfg
Thu Jun 4 08:29:28 2009: DEBUG: Finished reading configuration file '/opt/radiator/etc/radiator.cfg'
Thu Jun 4 08:29:28 2009: DEBUG: Reading dictionary file '/opt/radiator/etc/dictionary'
Thu Jun 4 08:29:28 2009: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Jun 4 08:29:28 2009: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Jun 4 08:29:28 2009: NOTICE: Server started: Radiator 4.3.1 on devserver04
Thu Jun 4 08:29:32 2009: DEBUG: Packet dump:
*** Received from 10.129.189.216 port 56607 ....
Code: Access-Request
Identifier: 197
Authentic: <u<14><195><166>:7<19><220><224>xT<128>N<239><180>
Attributes:
Thu Jun 4 08:29:32 2009: DEBUG: Handling request with Handler 'DeviceType="generic",AuthType="radius"'
Thu Jun 4 08:29:32 2009: DEBUG: Deleting session for , 10.129.189.216,
Thu Jun 4 08:29:32 2009: DEBUG: Handling with Radius::AuthGROUP: PAMAuthentication
Thu Jun 4 08:29:32 2009: DEBUG: Handling with PAM service Radiator
Thu Jun 4 08:29:32 2009: DEBUG: PAM is asking for 2: 'Please enter user name'
Thu Jun 4 08:29:32 2009: DEBUG: PAM is asking for 2: 'Please enter user name'
Thu Jun 4 08:29:32 2009: DEBUG: PAM is asking for 2: 'Please enter user name'
Radiator config extract:
#
# Authentication via PAM (Kerberos)
#
# the Service Tags must be present in /etc/pam.conf:
#
<AuthBy PAM>
Identifier PAMAuthentication
Service Radiator
</AuthBy>
It runs on Solaris 10 sparc.
/etc/pam.conf with Russ Allbery's module:
Radiator auth requisite pam_authtok_get.so.1
Radiator auth required pam_krb5-3.13.so realm=TESTDOMAIN.COM minimum_uid=100 use_first_pass no_ccache debug
Regards
Markus
----- Original Message -----
From: "Mike McCauley" <mikem at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Sent: Wednesday, June 03, 2009 11:18 PM
Subject: Re: [RADIATOR] Possible DOS attack against radiator with AuthPAM.pm ?
> Hello Markus,
>
> On Thursday 04 June 2009 07:46:55 am Markus Moeller wrote:
>> I noticed when I use radpwtst without a username/password to send a request
>> to Radiator which is configured with AuthPAM.pm, Radiator loops indefinitely
>> in pam_conv_func. With trace enabled I get millions of messages like "PAM
>> is asking for 2: '....." filling up my disk.
>
> When you say 'without a username/password' do you mean they were blank, or
> that the attributes were not present in the request?
>
> How exactly did you reproduce this?
>
> Cheers.
>
>>
>> Markus
>
>
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
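The loop reported above is the PAM conversation being re-entered every time PAM asks for a username (message style 2, PAM_PROMPT_ECHO_ON) that the Access-Request never carried. Below is an added example of a conversation callback that fails closed in that case; it is not Radiator's AuthPAM.pm, and the PAM constants and struct layouts are assumed to match Linux-PAM's <security/pam_appl.h> (declared locally so it compiles without libpam).

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>
/* Values assumed to mirror Linux-PAM's <security/pam_appl.h>; declared here
 * only so the example builds without libpam (use the real header in practice). */
#define PAM_SUCCESS          0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1   /* password prompt */
#define PAM_PROMPT_ECHO_ON   2   /* username prompt: the "asking for 2" in the log */
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* What the RADIUS request carried; a NULL pointer means the attribute was absent. */
struct radius_creds { const char *user_name; const char *user_password; };

/* Conversation callback. Each prompt is answered from the request; when PAM asks
 * for something the request did not carry, return PAM_CONV_ERR so that
 * pam_authenticate() fails and an Access-Reject can be sent, instead of
 * re-entering the prompt loop forever. */
int radius_conv(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr)
{
    const struct radius_creds *c = appdata_ptr;
    struct pam_response *r;
    int i;

    *resp = NULL;
    if (num_msg <= 0 || c == NULL)
        return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof *r)) == NULL)
        return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++) {
        const char *answer = NULL;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:  answer = c->user_name;     break;
        case PAM_PROMPT_ECHO_OFF: answer = c->user_password; break;
        case PAM_ERROR_MSG: case PAM_TEXT_INFO: continue;   /* nothing to answer */
        default: goto fail;
        }
        if (answer == NULL || (r[i].resp = strdup(answer)) == NULL)
            goto fail;                          /* attribute missing: fail closed */
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    for (i = 0; i < num_msg; i++) free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}
```

With this callback a request lacking User-Name produces one PAM_CONV_ERR and a reject, so trace output stays bounded even if such requests are sent repeatedly.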