[RADIATOR] Possible DOS attack against radiator with AuthPAM.pm ?
Mike McCauley
mikem at open.com.au
Thu Jun 4 04:56:09 CDT 2009
Hello Markus,
Thanks for the additional details. We have now fixed this problem. The fix is
in the latest Radiator 4.4 patch set.
We apologise for any inconvenience.
Cheers
On Thursday 04 June 2009 06:34:31 pm Markus Moeller wrote:
> Mike,
>
> I do the following (I think the dictionary error is the reason I don't
> have a username as an attribute):
>
> radpwtst -secret secret -s devserver04 -auth_port 1812 -acct_port 1813
> Thu Jun 4 08:29:32 2009: ERR: Attribute number 1 is not defined in your
> dictionary
> Thu Jun 4 08:29:32 2009: ERR: Attribute number 6 is not defined in your
> dictionary
> Thu Jun 4 08:29:32 2009: ERR: Attribute number 4 is not defined in your
> dictionary
> Thu Jun 4 08:29:32 2009: ERR: Attribute number 32 is not defined in your
> dictionary
> Thu Jun 4 08:29:32 2009: ERR: Attribute number 5 is not defined in your
> dictionary
> Thu Jun 4 08:29:32 2009: ERR: Attribute number 30 is not defined in your
> dictionary
> Thu Jun 4 08:29:32 2009: ERR: Attribute number 31 is not defined in your
> dictionary
> Thu Jun 4 08:29:32 2009: ERR: Attribute number 61 is not defined in your
> dictionary
> Thu Jun 4 08:29:32 2009: ERR: Attribute number 2 is not defined in your
> dictionary
> Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:32 2009: WARNING: No such attribute Unknown
> sending Access-Request...
> No reply
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 1 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 6 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 4 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 32 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 5 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 61 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 44 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 40 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 30 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 31 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: ERR: Attribute number 41 is not defined in your
> dictionary
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:37 2009: WARNING: No such attribute Unknown
> sending Accounting-Request Start...
> No reply
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 1 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 6 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 4 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 32 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 5 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 61 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 44 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 40 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 30 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 31 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 41 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 46 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 42 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: ERR: Attribute number 43 is not defined in your
> dictionary
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> Thu Jun 4 08:29:42 2009: WARNING: No such attribute Unknown
> sending Accounting-Request Stop...
> No reply
>
> The radiator log with trace 4 is:
>
> Thu Jun 4 08:29:28 2009: DEBUG: include
> /opt/radiator/etc/radiator_tacacs.cfg
> Thu Jun 4 08:29:28 2009: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
> Thu Jun 4 08:29:28 2009: DEBUG: include /opt/radiator/etc/radiator_log.cfg
> Thu Jun 4 08:29:28 2009: DEBUG: include
> /opt/radiator/etc/radiator_clients.cfg
> Thu Jun 4 08:29:28 2009: DEBUG: include
> /opt/radiator/etc/radiator_authby.cfg
> Thu Jun 4 08:29:28 2009: DEBUG: Finished reading configuration file
> '/opt/radiator/etc/radiator.cfg'
> Thu Jun 4 08:29:28 2009: DEBUG: Reading dictionary file
> '/opt/radiator/etc/dictionary'
> Thu Jun 4 08:29:28 2009: DEBUG: Creating authentication port 0.0.0.0:1812
> Thu Jun 4 08:29:28 2009: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Jun 4 08:29:28 2009: NOTICE: Server started: Radiator 4.3.1 on
> devserver04
> Thu Jun 4 08:29:32 2009: DEBUG: Packet dump:
> *** Received from 10.129.189.216 port 56607 ....
> Code: Access-Request
> Identifier: 197
> Authentic: <u<14><195><166>:7<19><220><224>xT<128>N<239><180>
> Attributes:
>
> Thu Jun 4 08:29:32 2009: DEBUG: Handling request with Handler
> 'DeviceType="generic",AuthType="radius"'
> Thu Jun 4 08:29:32 2009: DEBUG: Deleting session for , 10.129.189.216,
> Thu Jun 4 08:29:32 2009: DEBUG: Handling with Radius::AuthGROUP:
> PAMAuthentication
> Thu Jun 4 08:29:32 2009: DEBUG: Handling with PAM service Radiator
> Thu Jun 4 08:29:32 2009: DEBUG: PAM is asking for 2: 'Please enter user
> name'
> Thu Jun 4 08:29:32 2009: DEBUG: PAM is asking for 2: 'Please enter user
> name'
> Thu Jun 4 08:29:32 2009: DEBUG: PAM is asking for 2: 'Please enter user
> name'
>
>
> Radiator config extract:
>
> #
> # Authentication via PAM (Kerberos)
> #
> # the Service Tags must be present in /etc/pam.conf:
> #
> <AuthBy PAM>
> Identifier PAMAuthentication
> Service Radiator
> </AuthBy>
>
>
> It runs on Solaris 10 sparc
>
> /etc/pam.conf with Russ Allbery module
>
> Radiator auth requisite pam_authtok_get.so.1
> Radiator auth required pam_krb5-3.13.so realm=TESTDOMAIN.COM
> minimum_uid=100 use_first_pass no_ccache debug
>
> Regards
> Markus
>
> ----- Original Message -----
> From: "Mike McCauley" <mikem at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Sent: Wednesday, June 03, 2009 11:18 PM
> Subject: Re: [RADIATOR] Possible DOS attack against radiator with
> AuthPAM.pm ?
>
> > Hello Markus,
> >
> > On Thursday 04 June 2009 07:46:55 am Markus Moeller wrote:
> >> I noticed when I use radpwtst without a username/password to send a
> >> request
> >> to Radiator which is configured with AuthPAM.pm Radiator loops
> >> indefinitely
> >> in pam_conv_func. With trace enabled I get millions of messages like
> >> "PAM is asking for 2: '....." filling up my disk.
> >
> > When you say 'without a username/password' do you mean they were blank,
> > or that the attributes were not present in the request?
> >
> > How exactly did you reproduce this?
> >
> > Cheers.
> >
> >> Markus
> >
> > --
> > Mike McCauley mikem at open.com.au
> > Open System Consultants Pty. Ltd
> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> > http://www.open.com.au
> > Phone +61 7 5598-7474 Fax +61 7 5598-7070
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
> > on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
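The thread above describes a request with no User-Name attribute driving the PAM conversation callback into an endless "Please enter user name" loop. The following is an added example, not code from the thread and not Radiator's AuthPAM.pm, showing the two guards a RADIUS front end wants against that failure mode: reject a request that lacks the credentials the backend will ask for before any backend call is made, and give the conversation callback a hard bound so a module that keeps re-prompting gets a conversation error instead of an answer. The packet builder, the simulated PAM stack, the credentials ("alice"/"s3cret") and the prompt cap are all constructed for the example; the PAM return-code values are Linux-PAM's, and the example passes User-Password in the clear rather than hiding it per RFC 2865 section 5.2, since the point is attribute presence, not the password encoding.

```python
import os
import struct

# RADIUS constants from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20

# PAM conversation message styles and return codes (Linux-PAM values).
PAM_PROMPT_ECHO_OFF = 1   # e.g. "Password: "
PAM_PROMPT_ECHO_ON = 2    # e.g. "Please enter user name"
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_CONV_ERR = 19


def build_access_request(identifier, attrs, authenticator=None):
    """Serialize an Access-Request; attrs is a list of (type, value_bytes)."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Return {type: [values]} from a RADIUS packet, refusing malformed TLVs."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


class BoundedConversation:
    """PAM conversation callback that cannot be driven into an endless loop.

    Constructed model: when the module asks for a credential the request did
    not carry, answer with a conversation error (None here, PAM_CONV_ERR in C)
    rather than an empty string, and stop answering after max_prompts prompts.
    """

    def __init__(self, username, password, max_prompts=3):
        self.username = username
        self.password = password
        self.max_prompts = max_prompts
        self.prompts = 0

    def __call__(self, style, prompt):
        self.prompts += 1
        if self.prompts > self.max_prompts:
            return None
        if style == PAM_PROMPT_ECHO_ON:
            return self.username or None
        if style == PAM_PROMPT_ECHO_OFF:
            return self.password or None
        return None


def simulated_pam_authenticate(conv, max_iterations=1000):
    """Stand-in for a PAM stack that re-prompts until it gets a non-empty user name.

    Constructed to mimic the reported behaviour; max_iterations is only a safety
    net so the simulation itself can never hang.
    """
    for _ in range(max_iterations):
        name = conv(PAM_PROMPT_ECHO_ON, "Please enter user name")
        if name is None:
            return PAM_CONV_ERR
        if name:
            break
    else:
        return PAM_CONV_ERR
    password = conv(PAM_PROMPT_ECHO_OFF, "Password: ")
    if password is None:
        return PAM_CONV_ERR
    return PAM_SUCCESS if (name, password) == ("alice", "s3cret") else PAM_AUTH_ERR


def authenticate_request(packet, pam_authenticate=simulated_pam_authenticate):
    """Validate the request before any backend sees it; return (reply, reason)."""
    attrs = parse_attributes(packet)
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return "Access-Reject", "missing User-Name or User-Password"
    username = attrs[ATTR_USER_NAME][0].decode("utf-8", "replace")
    password = attrs[ATTR_USER_PASSWORD][0].decode("utf-8", "replace")
    conv = BoundedConversation(username, password)
    rc = pam_authenticate(conv)
    if rc == PAM_SUCCESS:
        return "Access-Accept", "pam ok"
    return "Access-Reject", "pam rc=%d after %d prompts" % (rc, conv.prompts)


if __name__ == "__main__":
    empty = build_access_request(197, [])   # no attributes, as in the packet dump
    print(authenticate_request(empty))
    good = build_access_request(198, [(ATTR_USER_NAME, b"alice"), (ATTR_USER_PASSWORD, b"s3cret")])
    print(authenticate_request(good))
```

The attribute-presence check is what a front end should do for any backend that prompts interactively; the prompt cap is the belt-and-braces guard for a module that keeps re-prompting regardless of what the conversation returns. With trace enabled, a rejected request logs one line instead of one line per PAM prompt, which is the disk-filling symptom the original report describes.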