From proff  Sun Aug 25 17:17:42 1996
Message-ID: <Pine.LNX.3.95.960824122732.20167A-100000@irc.connectnet.com>
Date: 	Sat, 24 Aug 1996 12:32:00 -0700
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
Sender: proff
From: Kit Knox <kit@connectnet.com>
Subject:      Radiusd DOS Attacks Possible
X-cc:         marc@ASCEND.COM, cdr@livingston.com, acr@merit.edu,
              Bill.Simpson@um.cc.umich.edu, steve@livingston.com,
              jon@connectnet.com, support@ASCEND.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Radiusd security announcement.

Summary : Denial of service attack possible by sending garbage UDP data to
radius daemon port used for authentication of users by livingston
portmasters and ascend max's.  Your inode tables may also be filled up by
a user spoofing source addresses of UDP accounting packets. (Code for this
is very trivial)  By default behavior the daemon calls mkdir() every time it
receives an accounting packet (gross!).  At the bottom you will find an
optional patch that disables this behavior requiring you to make the
directories on your OWN first.

There are numerous memory issues in radiusd that I simply don't have time to
fix, however this simple patch will prevent denial of service attacks where
an attacker can send garbage UDP data to your radius daemon port causing it
to malloc and never free memory for each packet, eventually crashing the
radius daemon.  This should be considered an emergency patch.

Here is a simple diff for the memory leak in the latest ascend radiusd
(radius-960528).

*** radiusd.c   Wed Jun 26 11:58:43 1996
--- new/radiusd.c       Sat Aug 24 12:23:03 1996
***************
*** 1013,1018 ****
--- 1013,1019 ----
                break;

        default:
+               free(authreq);
                break;
        }
        return(0);
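
Review bot: the free(authreq) is added only to the default: branch, and the case directly above it also ends in a bare break with no release visible in this hunk, so it is not clear from these lines that every other path out of the switch frees the request or hands it to code that does. Please confirm ownership for each case, or move the release to a single point just before return(0) and have the cases that pass authreq on clear the pointer, so that a case added later cannot reintroduce the leak.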

Here is the optional mkdir() patch.

*** acct.c      Wed May 22 13:24:20 1996
--- new/acct.c  Sat Aug 24 12:31:32 1996
***************
*** 76,84 ****
        /*
         * Create a directory for this client.
         */
        sprintf(buffer, "%s/%s", radacct_dir, clientname);
        mkdir(buffer, 0755);
!
        /*
         * Write Detail file.
         */
--- 76,85 ----
        /*
         * Create a directory for this client.
         */
+ #ifdef USE_GROSS_MKDIR
        sprintf(buffer, "%s/%s", radacct_dir, clientname);
        mkdir(buffer, 0755);
! #endif
        /*
         * Write Detail file.
         */
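
Review bot: the added #ifdef USE_GROSS_MKDIR / #endif pair wraps the sprintf() as well as the mkdir(), so with the macro undefined buffer no longer holds the radacct_dir/clientname path when the "Write Detail file" code that follows runs. Check that the code below builds its own path, or keep the sprintf() outside the guard and wrap only the mkdir() call. With directory creation compiled out, a missing per-client directory should also produce a logged error rather than a silent drop of the accounting record, and the macro needs a line of documentation where builders will see it, since the default after this patch is the new behavior.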

=========================================================================
Kit Knox - <kit@connectnet.com> - System Administrator
CONNETnet INS, Inc. - 6370 Lusk Blvd Ste F#208 - San Diego, CA 92121
(619) 638-2020 - (619) 638-2024 Voicemail/Pager - (619) 450-3216 FAX
=========================================================================
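
The leak described in the message above, modeled as an added example that is not part of the original post and is not radiusd source: a dispatcher that releases the request only for recognised codes, beside a form with a single release point. All names (auth_req, handle_leaky, handle_fixed, the code values) are hypothetical, and the junk packet is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
/* All names are hypothetical; this models the leak, it is not radiusd source. */
enum { CODE_AUTH = 1, CODE_ACCT = 4 };
typedef struct { unsigned char code; unsigned char data[64]; } auth_req;
static long live_reqs;  /* requests allocated and not yet released */

static auth_req *req_new(const unsigned char *pkt, size_t len) {
    auth_req *r;
    if (len == 0 || (r = calloc(1, sizeof *r)) == NULL) return NULL;
    r->code = pkt[0];
    live_reqs++;
    return r;
}
static void req_free(auth_req *r) { if (r) { free(r); live_reqs--; } }

/* Leaky shape: only the recognised codes release the request. */
static int handle_leaky(const unsigned char *pkt, size_t len) {
    auth_req *r = req_new(pkt, len);
    if (r == NULL) return -1;
    switch (r->code) {
    case CODE_AUTH: case CODE_ACCT:
        req_free(r);  /* stands in for the handler consuming the request */
        break;
    default:
        break;        /* unknown code: request dropped, never released */
    }
    return 0;
}

/* Hardened shape: one exit path releases the request for every code. */
static int handle_fixed(const unsigned char *pkt, size_t len) {
    auth_req *r = req_new(pkt, len);
    if (r == NULL) return -1;
    int rc = (r->code == CODE_AUTH || r->code == CODE_ACCT) ? 0 : 1;
    req_free(r);      /* a real handler would process r before this point */
    return rc;
}

/* Feed n constructed junk packets; return how many requests stay allocated. */
static long outstanding_after(int (*h)(const unsigned char *, size_t), int n) {
    const unsigned char junk[4] = { 0xff, 1, 2, 3 };  /* constructed, unknown code */
    long before = live_reqs;
    for (int i = 0; i < n; i++) h(junk, sizeof junk);
    return live_reqs - before;
}
int main(void) {
    long leaky = outstanding_after(handle_leaky, 1000);
    printf("leaky=%ld fixed=%ld\n", leaky, outstanding_after(handle_fixed, 1000));
    return 0;
}
```

Tracking outstanding allocations with a counter like live_reqs is also a cheap regression check for a daemon's test suite: the count should return to its starting value after any batch of malformed packets.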

