Ok, half the problem solved :-)
How about the password?... since in order to support various valid sessions for the same username the password must be part of the search query, right? Without the password the query might return multiple lines, and Radiator will only look in the first, or is there something I'm not seeing here?
Hugh Irvine wrote:
Hello Rodrigo -
As Mike says below, you can use %4 for the quoted username instead of %U in your AuthLog.
regards
Hugh
Begin forwarded message:
From: Mike McCauley <[EMAIL PROTECTED]>
Date: 10 December 2003 11:34:46 AM
To: Hugh Irvine <[EMAIL PROTECTED]>
Subject: Re: Fwd: (RADIATOR) Username/Password hacking while using AuthBy SQL
Hi Hugh,
On Wed, 10 Dec 2003 10:12 am, Hugh Irvine wrote:
Morning Mikey -
Here is a further query regarding malicious characters in usernames and passwords affecting SQL logging.
in Log SQL, the SQL _quoted_ user name is available as %4. So if you use %4, I
would see no probs with username.
Cheers.
cheers
Hugh
Begin forwarded message:
From: Rodrigo Nuno Bragan�a da Cunha <[EMAIL PROTECTED]> Date: 9 December 2003 11:24:48 PM To: [EMAIL PROTECTED] Subject: Re: (RADIATOR) Username/Password hacking while using AuthBy SQL
Hugh Irvine wrote:
Hello Rodrigo -
You can use the UsernameCharset parameter to restrict the characters in the username.
See section 6.4.30 in the Radiator 3.7.1 reference manual.
As far as the password is concerned, this field is only read from the database and the comparison is done inside Radiator.
Well... it works, but is not enought. Won't work for SQL logging, for instance.
Also I need the password in the SQL query itself because there can be various active and valid sessions for the same username, and a query without password might return many valid sessions. So the password is exploitable also. Perhaps a "PasswordCharset" clause would work :-)
The Charset should apply to auth logging also, right?
I'm sending the configuration file. It works fine as is, except with malicious username/passwords ...
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
Here goes the trace, including the SQL syntax errors, witch could be exploited.
Thanks for the help!
Tue Dec 9 12:08:22 2003: DEBUG: Finished reading configuration file '/home/radius/Radiator-3.7.1/goodies/vpn3000-test00.cfg' Tue Dec 9 12:08:22 2003: DEBUG: Reading dictionary file '/home/radius/Radiator-3.7.1/dictionary' Tue Dec 9 12:08:22 2003: DEBUG: Creating authentication port 0.0.0.0:1645 Tue Dec 9 12:08:22 2003: DEBUG: Creating accounting port 0.0.0.0:1646 Tue Dec 9 12:08:22 2003: NOTICE: Server started: Radiator 3.7.1 on radius-vpn.vf-pt.internal.vodafone.com Tue Dec 9 12:08:25 2003: DEBUG: Packet dump: *** Received from 127.0.0.1 port 32784 .... Code: Access-Request Identifier: 10 Authentic: 1234567890123456 Attributes: User-Name = "norte'gregwe" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 Called-Station-Id = "123456789" Calling-Station-Id = "987654321" NAS-Port-Type = Async User-Password = "<158><238>-<202><216>;<4><246><188>8<9><160><216>}x<153>"
Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Dec 9 12:08:25 2003: INFO: Access rejected for norte'gregwe: Invalid character in User-Name Tue Dec 9 12:08:25 2003: DEBUG: do query is: 'INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for username norte'gregwe' )':
DBD::mysql::db do failed: You have an error in your SQL syntax near 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219. Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for username norte'gregwe' )': You have an error in your SQL syntax near 'gregwe' )' at line 1 DBD::mysql::db do failed: You have an error in your SQL syntax near 'gregwe' )' at line 1 at Radius/SqlDb.pm line 219. Tue Dec 9 12:08:25 2003: ERR: do failed for 'INSERT INTO accountlog ( id, idsession, timestamp, authaccountQ, authsuccessQ, duration, comments ) VALUES ( 0, 0, unix_timestamp(), 0, 0, 0, 'Auth Failure for username norte'gregwe' )': You have an error in your SQL syntax near 'gregwe' )' at line 1 Tue Dec 9 12:08:25 2003: DEBUG: Packet dump: *** Sending to 127.0.0.1 port 32784 .... Code: Access-Reject Identifier: 10 Authentic: 1234567890123456 Attributes: Reply-Message = "Request Denied"
Tue Dec 9 12:08:25 2003: DEBUG: Packet dump: *** Received from 127.0.0.1 port 32784 .... Code: Accounting-Request Identifier: 11 Authentic: <201>T'<190><194><144><135>CW(<239><150>=~*m Attributes: User-Name = "norte'gregwe" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async Acct-Session-Id = "00001234" Acct-Status-Type = Start Called-Station-Id = "123456789" Calling-Station-Id = "987654321" Acct-Delay-Time = 0
Tue Dec 9 12:08:25 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT' Tue Dec 9 12:08:30 2003: DEBUG: Packet dump: *** Received from 127.0.0.1 port 32784 .... Code: Accounting-Request Identifier: 12 Authentic: u|<216>d<156><134><5>x<236>w<220>A<238>P<240>f Attributes: User-Name = "norte'gregwe" Service-Type = Framed-User NAS-IP-Address = 203.63.154.1 NAS-Port = 1234 NAS-Port-Type = Async Acct-Session-Id = "00001234" Acct-Status-Type = Stop Called-Station-Id = "123456789" Calling-Station-Id = "987654321" Acct-Delay-Time = 0 Acct-Session-Time = 1000 Acct-Input-Octets = 20000 Acct-Output-Octets = 30000
Tue Dec 9 12:08:30 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
# vpn3000 suppliers access, prototype configuration
Foreground LogStdout LogDir /home/radius/Radiator-3.7.1/logs DbDir /home/radius/Radiator-3.7.1 # User a lower trace level in production systems: Trace 4
# One of these for each NAS you want to work with <Client DEFAULT> Secret *********** DupInterval 0 </Client>
<AuthBy SQL> # {{{ Identifier auth_adsl_sql Identifier auth_sql_session
DBSource dbi:mysql:bd_remote:127.0.0.1 DBUsername ********** DBAuth **********
NoDefaultIfFound # nao procura user DEFAULT NoDefault # (nem que a vaca se tussa toda)
AuthSelect \ SELECT session.id, session.password \ FROM suppliers, session \ LEFT OUTER JOIN accountlog \ ON session.id = accountlog.idsession \ WHERE accountlog.idsession IS NULL AND \ session.timestamp > unix_timestamp()-1800 AND \ session.idsupplier = suppliers.id AND \ suppliers.nickname = '%U' AND \ session.password = '%P' ; AuthColumnDef 0,Class, reply AuthColumnDef 1,Password, check
# HandleAcctStatusTypes Start,Stop AcctSQLStatement INSERT INTO accountlog \ ( id, idsession, timestamp, authaccountQ, \ authsuccessQ, duration, comments ) \ VALUES \ ( 0, 0%{Class}, unix_timestamp(), 1, 0,\ 0%{Acct-Session-Time}, \ '%{Acct-Status-Type} Record for username %U' )
</AuthBy> # }}}
<Realm DEFAULT> PasswordLogFileName %L/password.log AuthByPolicy ContinueUntilAccept AuthBy auth_sql_session UsernameCharset a-zA-Z0-9
<AuthLog SQL>
DBSource dbi:mysql:bd_remote:127.0.0.1 DBUsername ********** DBAuth **********
LogSuccess 1 LogFailure 1
SuccessQuery INSERT INTO accountlog \ ( id, idsession, timestamp, authaccountQ, \ authsuccessQ, duration, comments ) \ VALUES \ ( 0, 0%{Reply:Class}, unix_timestamp(), 0, 1, \ 0, 'Auth Sucess for username %U' );
FailureQuery INSERT INTO accountlog \ ( id, idsession, timestamp, authaccountQ, \ authsuccessQ, duration, comments ) \ VALUES \ ( 0, 0%{Reply:Class}, unix_timestamp(), 0, 0, \ 0, 'Auth Failure for username %U' )
</AuthLog> AcctLogFileName %D/detail </Realm>
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
