MCI Telecommunications
internetMCI Security Group

Report Title:          iMCI MIIGS Security Alert
Report Name:           Remote Vulnerability in RADIUS
Report Number:         iMCISE:IMCISNI:121797:01:P1R1
Report Date:           12/17/97
Report Format:         Formal
Report Classification: MCI Informational
Report Reference:      http://www.security.mci.net
Report Distribution:   iMCI Security, MCI Internal Internet Gateway
                       Security (MIIGS), MCI Emergency Alert LiSt (MEALS)
                       (names on file)

--------------------------------------------------------------------------

Secure Networks Inc.

Security Advisory
December 17, 1997

Remote Vulnerability in RADIUS Servers Derived from Livingston 1.16

This advisory details vulnerabilities in RADIUS server software derived
from Livingston RADIUS 1.x that allow remote attackers to gain extended
access to the authentication server. In many installations of RADIUS,
exploitation of this vulnerability will allow an intruder to remotely
obtain superuser access to the machine running the RADIUS server. In all
cases, the extended access gained allows an attacker to subvert RADIUS
authentication.

This vulnerability was discovered in Livingston RADIUS 1.16, a popular
publicly available RADIUS server implementation. Another popular RADIUS
implementation is provided by Ascend Communications; Ascend RADIUS, based
on the Livingston 1.16 implementation, is very similar to the Livingston
code and shares the same bugs.

Merit RADIUS was not determined to be vulnerable to the specific problem
outlined in detail in this document. However, Merit RADIUS has not been
audited and Secure Networks Inc. makes no assertions as to its security.

Problem Description:
~~~~~~~~~~~~~~~~~~~~

An exploitable stack overrun is present in the RADIUS accounting code in
Livingston RADIUS 1.16.
The problem occurs as a result of inverse resolution of IP addresses to
hostnames; the accounting routine rad_accounting() copies the resolved
hostname to a buffer on its stack, without checking the length of the
hostname first.

As a result of this bug, an attacker that controls the DNS server for any
IP address can configure the records for that address to resolve to a name
too large for the RADIUS server's buffer; the characters in the hostname,
which overwrite the server's stack, can contain machine code that the
server will be forced to execute.

It is important to note that the RADIUS server request authentication
(which, in some cases, involves packet signatures with keyed MD5 hashes)
does not prevent this attack. The source IP address on RADIUS accounting
requests is not checked by the server code before the error occurs.

It is also important to note that this is not the only point in the RADIUS
code where hostname resolution can be exploited to subvert the server;
unchecked string copies are common throughout the RADIUS code.

Livingston has integrated a series of patches (written by SNI) to address
this problem. See the 'Fix Resolution' section.

Vulnerable Systems:
~~~~~~~~~~~~~~~~~~~

All RADIUS servers based off of Livingston's 1.16 RADIUS server.
Livingston RADIUS servers 2.0, 2.0.1 are not vulnerable.

Fix Resolution:
~~~~~~~~~~~~~~~

As mentioned earlier, Livingston's RADIUS 2.0, 2.0.1 are not vulnerable to
this problem. Any Livingston customer may upgrade to 2.0.1 at:

    http://www.livingston.com/Forms/radiusform.cgi

RADIUS 1.16.1 with SNI patches is also available at:

    ftp://ftp.livingston.com/pub/le/radius/radius-1.16.1.tar.Z

Ascend could not be contacted for an approved fix. As the source code for
Ascend RADIUS is freely available, an attempt has been made to correct all
obvious stack overruns in the code; Ascend has in no way examined or
approved these fixes.
You may obtain this patchfile at:

    ftp://ftp.secnet.com/pub/patches/radius.patch

As this advisory involves a general problem with the RADIUS source code,
we advise organizations running RADIUS servers to contact their vendor to
confirm the vulnerability status of their RADIUS server.

Additional Information
~~~~~~~~~~~~~~~~~~~~~~

Secure Networks, Inc. would like to thank Brian Mitchell for his original
notification to the security community regarding problems in the
Livingston RADIUS code. SNI would also like to thank Carl Rigney of
Livingston for his attention to this matter.

For more information regarding this advisory, contact Secure Networks Inc.
as . A PGP public key is provided below if privacy is required.

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc.
                              Secure Networks

Copyright Notice
~~~~~~~~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"

http://www.security.mci.net
================================================================
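
Added example (not part of the original advisory, and not the Livingston or SNI patch code): a bounded, validated replacement for the unchecked hostname copy described under Problem Description, with the buffer size, function names and sample values all hypothetical. A reverse-resolved name that is too long or contains non-hostname bytes is discarded in favour of the dotted-quad address.

```c
#include <stdio.h>
#include <string.h>
#define PEER_NAME_MAX 64  /* hypothetical size of the fixed stack buffer */

/* Pattern the advisory describes: strcpy(name, resolved), where `resolved`
 * is whatever the address owner's DNS returned. Hardened form follows. */

/* 1 if s is a plausible hostname of at most max_len bytes, else 0. */
static int hostname_ok(const char *s, size_t max_len)
{
    size_t len = 0, label = 0;
    if (s == NULL || *s == '\0') return 0;
    for (; *s != '\0'; s++) {
        char c = *s;
        if (++len > max_len) return 0;     /* would not fit the buffer */
        if (c == '.') {
            if (label == 0) return 0;      /* empty label */
            label = 0;
        } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || c == '-' || c == '_') {
            if (++label > 63) return 0;    /* DNS label limit */
        } else {
            return 0;                      /* non-hostname byte */
        }
    }
    return 1;
}

/* 1 = resolved name stored, 0 = dotted-quad fallback stored, -1 = neither fits. */
int safe_peer_name(char *dst, size_t dstlen, const char *resolved, const char *ip_text)
{
    if (dst == NULL || dstlen == 0) return -1;
    dst[0] = '\0';                         /* dst is always NUL-terminated */
    if (hostname_ok(resolved, dstlen - 1)) {
        memcpy(dst, resolved, strlen(resolved) + 1);
        return 1;
    }
    if (ip_text != NULL && strlen(ip_text) < dstlen) {
        memcpy(dst, ip_text, strlen(ip_text) + 1);
        return 0;
    }
    return -1;
}

int main(void)
{
    char name[PEER_NAME_MAX];              /* constructed sample values below */
    printf("%d\n", safe_peer_name(name, sizeof name, "nas1.example.net", "192.0.2.10"));
    return 0;
}
```

The same check belongs at every place a resolved name is copied, since the advisory notes that unchecked string copies are common throughout the code.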