-----BEGIN PGP SIGNED MESSAGE-----


===========================================================================
              AUSCERT External Security Bulletin Redistribution

                             
                     ESB-97.165 -- SNI-22: RADIUS Advisory
     Remote Vulnerability in RADIUS Servers Derived from Livingston 1.16

                              18 December 1997

===========================================================================

Secure Networks Inc. has released the following security advisory
describing a vulnerability in RADIUS server software derived from
Livingston RADIUS 1.x.  This vulnerability may allow remote attackers to
gain extended access to the authentication server.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when the original bulletin is.  If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Contact information for SNI is included in the Security Bulletin
below.  If you have any questions or need further information, please
contact them directly. 

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/information/advisories.html

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031


- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                             December 17, 1997

    Remote Vulnerability in RADIUS Servers Derived from Livingston 1.16.


This advisory details vulnerabilities in RADIUS server software derived
from Livingston RADIUS 1.x allow remote attacks to gain extended access
to the authentication server.  In many installations of RADIUS,
exploitation of this vulnerability will allow an intruder to remotely
obtain superuser access to the machine running the RADIUS server.  In
all cases, the extended access gained allows an attacker to subvert
RADIUS authentication.

This vulnerability was discovered in Livingston RADIUS 1.16, a popular
publically-available RADIUS server implementation.  Another popular
RADIUS implementation is provided by Ascend Communications; Ascend
RADIUS, based on the Livingston 1.16 implementation, is very similar
to the Livingston code and shares the same bugs.

Merit RADIUS was not determined to be vulnerable to the specific problem
outlined in detail in this document.  However, Merit RADIUS has not
been audited and Secure Networks Inc. makes no assertions as to it's
security.


Problem Description:
~~~~~~~~~~~~~~~~~~~~

An exploitable stack overrun is present in the RADIUS accounting code in
Livingston RADIUS 1.16. The problem occurs as a result of inverse
resolution of IP addresses to hostnames; the accounting routine
rad_accounting() copies the resolved hostname to a buffer on it's stack,
without checking the length of the hostname first.

As a result of this bug, an attacker that controls the DNS server for any
IP address can configure the records for that address to resolve to a
name too large for the RADIUS server's buffer; the characters in the
hostname, which overwrites the server's stack, can contain machine
code that the server will be forced to execute.

It is important to note that the RADIUS server request authentication
(which, in some cases, involves packet signatures with keyed MD5 hashes)
does not prevent this attack.  The source IP address on RADIUS accounting
requests is not checked by the server code before the error occurs.

It is also important to note that this is not the only point in the RADIUS
code where hostname resolution can be exploited to subvert the server;
unchecked string copies are common throughout the RADIUS code.  Livingston
has integrated a series of patches (written by SNI) to address this
problem.  See the 'Fix Resolution' section.


Vulnerable Systems:
~~~~~~~~~~~~~~~~~~~

All RADIUS servers based off of Livingston's 1.16 RADIUS server.
Livingston RADIUS servers 2.0, 2.0.1 are not vulnerable.


Fix Resolution:
~~~~~~~~~~~~~~~
As mentioned earlier, Livinsgston's RADIUS 2.0, 2.0.1 are not vulnerable
to this problem.  Any Livingston customer may upgrade to 2.0.1 at:

http://www.livingston.com/Forms/radiusform.cgi

RADIUS 1.16.1 with SNI patches is also available at:

ftp://ftp.livingston.com/pub/le/radius/radius-1.16.1.tar.Z

Ascend could not be contacted for an approved fix.  As the source
code for Ascend RADIUS is freely available, an attempt has been made
to correct all obvious stack overruns in the code; Ascend has in no
way examined or approved these fixes.

You may obtain this patchfile at:

ftp://ftp.secnet.com/pub/patches/radius.patch

As this advisory involves a general problem with the RADIUS source code,
we advise organizations running RADIUS servers to contact their vendor to
confirm the vulnerability status of their RADIUS server.


Additional Information
~~~~~~~~~~~~~~~~~~~~~~

Secure Networks, Inc. would like to thank Brian Mitchell for his
original notification to the security community regarding problems in
the Livingston RADIUS code.  SNI would also like to thank Carl Rigney
of Livingston for his attention to this matter.

For more information regarding this advisory, contact Secure Networks
Inc. as <sni@secnet.com>.  A PGP public key is provided below if
privacy is required.

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
                              Secure Networks <security@secnet.com>

- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5
uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa
rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR
tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd
EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz
ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU
uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J
AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz
9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj
HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha
OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B
fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY
FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA
8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l
dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA
X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s
cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O
gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq
aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5
ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV
ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt
UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl
OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL
FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8
=DchE
- - -----END PGP PUBLIC KEY BLOCK-----

Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

 You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
 and advisories at ftp://ftp.secnet.com/advisories

 You can browse our web site at http://www.secnet.com

 You can subscribe to our security advisory mailing list by sending mail to
 majordomo@secnet.com with the line "subscribe sni-advisories"

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCUAwUBNJgc67gIhFKeVQANAQFP3QP4olaaL2eWY+H9iZkPv/p+JikfR75mtOmI
jXYcv4bgg9lYu3TFS/QoA91b8TYIcLyfTFWiAtEbTNAIvi76ofw9SFwP4J7YRqSf
eQzrQXbyqW4WYJtk3pRm7aGQ3+X6o3Erq3anUJ8pJyE4e5A7qmYZKp9vSECHmoPV
I1ys8i7zvg==
=MFnD
- -----END PGP SIGNATURE-----


- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNJjywSh9+71yA2DNAQHhMQP7BTZzxMfeEVntA5axczi6Mc+GzEK5+Hsv
wM5vQXPfNfLVFGVfXrtfgTLOJQkm1m3dBnEwbynl1FwlEUKRZOldTqE9gcWpb7jb
9/YlkEmwW3EmDbvjk9ZON6ih6oRt8h/Uq7C0WRfaxsyeG3g0v1qPf0agMQ7+dICX
wJvaaxuEOaI=
=buTx
-----END PGP SIGNATURE-----