Well... it works, but is not enough. Won't work for SQL logging, for instance.
Hello Rodrigo -
You can use the UsernameCharset parameter to restrict the characters in the username.
See section 6.4.30 in the Radiator 3.7.1 reference manual.
As far as the password is concerned, this field is only read from the database and the comparison is done inside Radiator.
Also I need the password in the SQL query itself because there can be various active and valid sessions for the same username, and a query without password might return many valid sessions. So the password is exploitable also. Perhaps a "PasswordCharset" clause would work :-)
The Charset should apply to auth logging also, right?
I'm sending the configuration file. It works fine as is, except with malicious username/passwords ...
Here goes the trace, including the SQL syntax errors, which could be exploited.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
Thanks for the help!
Tue Dec 9 12:08:22 2003: DEBUG: Finished reading configuration file '/home/radius/Radiator-3.7.1/goodies/vpn3000-test00.cfg'
Tue Dec 9 12:08:22 2003: DEBUG: Reading dictionary file '/home/radius/Radiator-3.7.1/dictionary'
Tue Dec 9 12:08:22 2003: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Dec 9 12:08:22 2003: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Dec 9 12:08:22 2003: NOTICE: Server started: Radiator 3.7.1 on radius-vpn.vf-pt.internal.vodafone.com
Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32784 ....
Code: Access-Request
Identifier: 10
Authentic: 1234567890123456
Attributes:
User-Name = "norte'gregwe"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = "<158><238>-<202><216>;<4><246><188>8<9><160><216>}x<153>"
Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Dec 9 12:08:25 2003: INFO: Access rejected for norte'gregwe: Invalid character in User-Name
Tue Dec 9 12:08:25 2003: DEBUG: do query is: 'INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for username norte'gregwe' )':
DBD::mysql::db do failed: You have an error in your SQL syntax near 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for username norte'gregwe' )': You have an error in your SQL syntax near 'gregwe' )' at line 1
DBD::mysql::db do failed: You have an error in your SQL syntax near 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219.
Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for username norte'gregwe' )': You have an error in your SQL syntax near 'gregwe' )' at line 1
Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32784 ....
Code: Access-Reject
Identifier: 10
Authentic: 1234567890123456
Attributes:
Reply-Message = "Request Denied"
Tue Dec 9 12:08:25 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32784 ....
Code: Accounting-Request
Identifier: 11
Authentic: <201>T'<190><194><144><135>CW(<239><150>=~*m
Attributes:
User-Name = "norte'gregwe"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Start
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Dec 9 12:08:30 2003: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32784 ....
Code: Accounting-Request
Identifier: 12
Authentic: u|<216>d<156><134><5>x<236>w<220>A<238>P<240>f
Attributes:
User-Name = "norte'gregwe"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = "00001234"
Acct-Status-Type = Stop
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 20000
Acct-Output-Octets = 30000
Tue Dec 9 12:08:30 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
# vpn3000 suppliers access, prototype configuration
Foreground
LogStdout
LogDir /home/radius/Radiator-3.7.1/logs
DbDir /home/radius/Radiator-3.7.1
# Use a lower trace level in production systems:
Trace 4
# One of these for each NAS you want to work with
<Client DEFAULT>
Secret ***********
DupInterval 0
</Client>
<AuthBy SQL> # {{{ Identifier auth_adsl_sql
Identifier auth_sql_session
DBSource dbi:mysql:bd_remote:127.0.0.1
DBUsername **********
DBAuth **********
NoDefaultIfFound # do not look up the DEFAULT user
NoDefault # (not under any circumstances)
AuthSelect \
SELECT session.id, session.password \
FROM suppliers, session \
LEFT OUTER JOIN accountlog \
ON session.id = accountlog.idsession \
WHERE accountlog.idsession IS NULL AND \
session.timestamp > unix_timestamp()-1800 AND \
session.idsupplier = suppliers.id AND \
suppliers.nickname = '%U' AND \
session.password = '%P' ;
AuthColumnDef 0,Class, reply
AuthColumnDef 1,Password, check
# HandleAcctStatusTypes Start,Stop
AcctSQLStatement INSERT INTO accountlog \
( id, idsession, timestamp, authaccountQ, \
authsuccessQ, duration, comments ) \
VALUES \
( 0, 0%{Class}, unix_timestamp(), 1, 0,\
0%{Acct-Session-Time}, \
'%{Acct-Status-Type} Record for username %U' )
</AuthBy> # }}}
<Realm DEFAULT>
PasswordLogFileName %L/password.log
AuthByPolicy ContinueUntilAccept
AuthBy auth_sql_session
UsernameCharset a-zA-Z0-9
<AuthLog SQL>
DBSource dbi:mysql:bd_remote:127.0.0.1
DBUsername **********
DBAuth **********
LogSuccess 1
LogFailure 1
SuccessQuery INSERT INTO accountlog \
( id, idsession, timestamp, authaccountQ, \
authsuccessQ, duration, comments ) \
VALUES \
( 0, 0%{Reply:Class}, unix_timestamp(), 0, 1, \
0, 'Auth Success for username %U' );
FailureQuery INSERT INTO accountlog \
( id, idsession, timestamp, authaccountQ, \
authsuccessQ, duration, comments ) \
VALUES \
( 0, 0%{Reply:Class}, unix_timestamp(), 0, 0, \
0, 'Auth Failure for username %U' )
</AuthLog>
AcctLogFileName %D/detail
</Realm>
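The point made above about the charset check, as an added illustration that is not part of this thread or of Radiator: UsernameCharset rejects the request, but the FailureQuery still substitutes the raw %U, so a quote in the username breaks the log insert, and %P in AuthSelect has no charset check at all. The script below mimics that flow with sqlite3 standing in for MySQL (constructed table and row; the Radiator special-variable substitution is imitated with plain string formatting) and contrasts it with passing the same values as bound parameters.

```python
import re
import sqlite3

# Mirrors "UsernameCharset a-zA-Z0-9" from the posted Realm configuration.
USERNAME_CHARSET = re.compile(r"[a-zA-Z0-9]+")


def username_allowed(user: str) -> bool:
    """True when the username passes the charset restriction."""
    return USERNAME_CHARSET.fullmatch(user) is not None


def failure_query_interpolated(user: str) -> str:
    """Template-style substitution, as %U in the posted FailureQuery does."""
    return ("INSERT INTO accountlog (comments) "
            "VALUES ('Auth Failure for username %s')" % user)


def log_failure_bound(conn: sqlite3.Connection, user: str) -> None:
    """Same insert, with the username carried as a bound parameter."""
    conn.execute("INSERT INTO accountlog (comments) VALUES (?)",
                 ("Auth Failure for username " + user,))


def select_session_bound(conn: sqlite3.Connection, user: str, password: str):
    """AuthSelect-style lookup with both %U and %P as bound parameters."""
    return conn.execute(
        "SELECT id FROM session WHERE nickname = ? AND password = ?",
        (user, password)).fetchall()


def simulate(user: str, password: str = "secret"):
    """Return (charset_ok, interpolated_log_ok, rows_logged, sessions_found)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accountlog (comments TEXT)")
    conn.execute("CREATE TABLE session (id INTEGER, nickname TEXT, password TEXT)")
    conn.execute("INSERT INTO session VALUES (1, 'norte', 'secret')")  # constructed row
    charset_ok = username_allowed(user)
    # The charset check rejects the request, but the failure log still runs;
    # with interpolation, a quote in the username breaks the statement.
    interpolated_ok = True
    try:
        conn.execute(failure_query_interpolated(user))
    except sqlite3.Error:
        interpolated_ok = False
    log_failure_bound(conn, user)  # bound version logs the same name intact
    logged = conn.execute("SELECT count(*) FROM accountlog").fetchone()[0]
    sessions = len(select_session_bound(conn, user, password))
    return charset_ok, interpolated_ok, logged, sessions
```

With the username from the trace, simulate("norte'gregwe") shows the charset check rejecting it and the interpolated log insert failing exactly as in the trace, while the bound insert records the name and the bound session lookup simply finds no match.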
