Bugtraq mailing list archives
Re: More problems with RADIUS (protocol and implementations)
From: Miquel van Smoorenburg <miquels () cistron nl>
Date: Tue, 13 Nov 2001 16:53:28 +0100
According to 3APA3A:

> 2. RFC 2865 requires unpredictability of the authenticator value in the Authentication Request packet. Many RADIUS server and client library implementations do not follow it. Many of them have code like srand(time(0) + getpid()) (or even srand(time(0))) + rand(). As you know, the number of rand() states is very limited and it's easy to predict the state of the PRNG. It opens the possibility to spoof a NAS Authentication Request. For example, Cistron RADIUS has this flaw in the proxy module. Many RADIUS client libraries also have this flaw.

In the 1.6.5 snapshot of Cistron Radius, soon to be the real 1.6.5, this has been fixed for Linux by using /dev/urandom to seed the random generator.

> 3. Most of the current freeware RADIUS server implementations (and some of the commercial ones) are derived from Cistron. And most of them (including Cistron itself) have a buffer overflow in the digest calculation (in the case of Cistron itself it's a static data overflow in the calc_acctdigest() function).

Also fixed in the 1.6.5 snapshot. That is the snapshot of tonight ;)

Mike.

-- 
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former" -- Albert Einstein.
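As an added illustration of point 2 in the thread (example code written for this archive page, not code from Cistron RADIUS or from either poster), the criticised rand()-based Request Authenticator generator sits beside a hardened one, with a check a reviewer can run to show why the first fails RFC 2865. The hardened form assumes drawing all 16 authenticator octets directly from /dev/urandom, which goes a step beyond merely seeding the generator as the 1.6.5 fix describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUTH_LEN 16 /* RFC 2865: the Request Authenticator is 16 octets */

/* The pattern the post criticises: libc rand() seeded from time and pid.
 * The seed space is tiny and guessable, so the authenticator can be
 * reproduced by anyone who knows roughly when the request was built.
 * Caller passes the seed, e.g. (unsigned)(time(0) + getpid()). */
void weak_authenticator(unsigned char out[AUTH_LEN], unsigned seed)
{
    srand(seed);
    for (int i = 0; i < AUTH_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened form (assumed, in the spirit of the 1.6.5 fix): take all 16
 * octets straight from the kernel CSPRNG. Returns 0 on success, -1 on error. */
int strong_authenticator(unsigned char out[AUTH_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(out, 1, AUTH_LEN, f);
    fclose(f);
    return n == AUTH_LEN ? 0 : -1;
}

/* Audit check: a generator fails RFC 2865's unpredictability requirement if
 * re-running it with the same guessable seed yields the same authenticator. */
int weak_is_reproducible(unsigned seed)
{
    unsigned char a[AUTH_LEN], b[AUTH_LEN];
    weak_authenticator(a, seed);
    weak_authenticator(b, seed);
    return memcmp(a, b, AUTH_LEN) == 0;
}

/* Sanity check for the hardened form: two successful draws must differ. */
int strong_draws_differ(void)
{
    unsigned char a[AUTH_LEN], b[AUTH_LEN];
    if (strong_authenticator(a) != 0 || strong_authenticator(b) != 0) return 0;
    return memcmp(a, b, AUTH_LEN) != 0;
}
```

Any seed value reproduces the weak stream, so a server whose authenticator derives from time and pid offers an attacker only a few thousand candidates to try; the /dev/urandom form has no such seed to guess.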