
List:       bugtraq
Subject:    Radiusd DOS Attacks Possible
From:       Kit Knox <kit () connectnet ! com>
Date:       1996-08-24 12:32:00

Radiusd security announcement.

Summary : Denial of service attack possible by sending garbage UDP data to
radius daemon port used for authentication of users by Livingston
portmasters and Ascend max's.  Your inode tables may also be filled up by
a user spoofing source addresses of UDP accounting packets. (Code for this
is very trivial)  By default behavior the daemon calls mkdir() every time it
receives an accounting packet (gross!).  At the bottom you will find an
optional patch that disables this behavior requiring you to make the
directories on your OWN first.

There are numerous memory issues in radiusd that I simply don't have time to
fix, however this simple patch will prevent denial of service attacks where
an attacker can send garbage UDP data to your radius daemon port causing it
to malloc and never free memory for each packet, eventually crashing the
radius daemon.  This should be considered an emergency patch.

Here is a simple diff for the memory leak in the latest ascend radiusd
(radius-960528).

*** radiusd.c   Wed Jun 26 11:58:43 1996
--- new/radiusd.c       Sat Aug 24 12:23:03 1996
***************
*** 1013,1018 ****
--- 1013,1019 ----
                break;

        default:
+               free(authreq);
                break;
        }
        return(0);
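
Review bot: The new free(authreq) sits only in the default: arm, so it releases the request for unrecognised packet codes and nothing else; the arm that ends in the break; just above it is outside the visible context, and each of those arms needs to be checked to confirm it either passes authreq on to something that owns it or frees it before reaching return(0). It is also worth a one-line comment on the default: arm stating that authreq is owned by this function at that point, so a later change that stores the pointer earlier does not turn this into a use after free.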

Here is the optional mkdir() patch.

*** acct.c      Wed May 22 13:24:20 1996
--- new/acct.c  Sat Aug 24 12:31:32 1996
***************
*** 76,84 ****
        /*
         * Create a directory for this client.
         */
        sprintf(buffer, "%s/%s", radacct_dir, clientname);
        mkdir(buffer, 0755);
!
        /*
         * Write Detail file.
         */
--- 76,85 ----
        /*
         * Create a directory for this client.
         */
+ #ifdef USE_GROSS_MKDIR
        sprintf(buffer, "%s/%s", radacct_dir, clientname);
        mkdir(buffer, 0755);
! #endif
        /*
         * Write Detail file.
         */
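
Review bot: With USE_GROSS_MKDIR undefined, nothing in this hunk guarantees that the per-client directory exists by the time the "Write Detail file" step runs, so that step has to fail cleanly (log and drop the record) when the directory is missing, and the new macro needs a line in the build notes telling administrators to create radacct_dir/clientname themselves. In the lines that stay under the #ifdef, sprintf(buffer, "%s/%s", radacct_dir, clientname) has no length bound and the return value of mkdir() is ignored; if the option is kept, bound the copy to the size of buffer and check the mkdir() result.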

 ========================================================================
Kit Knox - <kit@connectnet.com> - System Administrator
CONNETnet INS, Inc. - 6370 Lusk Blvd Ste F#208 - San Diego, CA 92121
(619) 638-2020 - (619) 638-2024 Voicemail/Pager - (619) 450-3216 FAX
 ========================================================================
