Home page logo

bugtraq logo Bugtraq mailing list archives

Re: More problems with RADIUS (protocol and implementations)
From: Miquel van Smoorenburg <miquels () cistron nl>
Date: Tue, 13 Nov 2001 16:53:28 +0100

According to 3APA3A:
2.   RFC  2865  requires  unpredictability  of  authenticator  value  in
Authentication  Request packet. Many RADIUS servers and client libraries
implementations   do  not  follow  it.  Many  of  them  have  code  like
srand(time(0) + getpid()) (or even srand(time(0)) + rand(). As you know,
the number of rand() states is very limited and it's easy to predict the
state of PRNG. It opens possibility to spoof NAS Authentication Request.
For  example  Cistron  RADIUS has this flow in proxy module. Many RADIUS
client libraries also have this flow.

In the 1.6.5 snapshot of Cistron Radius, soon the be the real 1.6.5,
this has been fixed for Linux by using /dev/urandom to seed the
random generator.

3.  Most  of current freeware RADIUS server implementations (and some of
commerce  ones)  are  derived  from Cistron. And most of them (including
Cistron  itself)  have buffer overflow in digest calculation (in case of
Cistron itself it's static data overflow in calc_acctdigest() function).

Also fixed in the 1.6.5 snapshot. That is the snapshot of tonight ;)

"Only two things are infinite, the universe and human stupidity,
 and I'm not sure about the former" -- Albert Einstein.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]