COMMAND

    radius

SYSTEMS AFFECTED

    Systems using radius

PROBLEM

    The following issue surfaced while radius #3 vulnerability (on this
    page) was active.  If you enter a valid username and then enter an
    approximately 128 character long password, it will lock up
    authentication.  Reports say that no one was able to log in on the
    tested dialup system.  This bug is known as 'magic 128.'

    Most, if not all, versions of radius, be it Livingston, Merit,
    RadiusNT, whatever, will choke HORRIBLY if any entered field is
    over 128 characters.  In radius.h in the original Livingston code
    you'll see:

        #define AUTH_STRING_LEN         128     /* maximum of 254 */

    AUTH_STRING_LEN is used to size strvalue in struct value_pair.
    It's used like this in radiusd.c:

                            case PW_TYPE_STRING:
                                    memcpy(pair->strvalue, ptr, attrlen);

    attrlen is calculated as:

                    u_char          *ptr;
                    ...
                    attrlen = *ptr++;
                    if(attrlen < 2) {
                            length = 0;
                            continue;
                    }
                    attrlen -= 2;

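    So with this code the max value length is actually 253 (a one-byte
    length of at most 255, minus 2), and nothing checks it against
    AUTH_STRING_LEN.  The memcpy then copies up to 253 bytes into a
    128 byte array, overrunning strvalue.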

SOLUTION

    The problem can be resolved by killing and restarting the radius
    daemon.  This was fixed for the Ascend version, perhaps as early
    as late '94, by Marco S. Hyman.
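
    A bounds-checked form of the attribute copy quoted under PROBLEM,
    as an added example (not the Livingston or Ascend code).  The
    struct is a simplified stand-in, and parse_string_attr and
    try_value_len are hypothetical names used only here.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_STRING_LEN 128            /* from radius.h, as quoted above */

struct value_pair {                    /* simplified stand-in (assumption) */
    unsigned char type;
    size_t        length;
    char          strvalue[AUTH_STRING_LEN];
};

/* Parse one attribute (type, length, value) from buf[0..len). Returns bytes
 * consumed, or -1 if it is malformed or the value cannot fit in strvalue. */
int parse_string_attr(const unsigned char *buf, size_t len,
                      struct value_pair *pair)
{
    size_t attrlen;
    if (len < 2)
        return -1;                     /* no room for type + length */
    attrlen = buf[1];
    if (attrlen < 2 || attrlen > len)
        return -1;                     /* length field overruns the packet */
    attrlen -= 2;                      /* value length, 0..253 */
    if (attrlen >= sizeof(pair->strvalue))
        return -1;                     /* the check the quoted code lacks */
    pair->type = buf[0];
    pair->length = attrlen;
    memcpy(pair->strvalue, buf + 2, attrlen);
    pair->strvalue[attrlen] = '\0';    /* room for the NUL is guaranteed */
    return (int)(attrlen + 2);
}

/* Constructed sample: a type-1 attribute carrying an n-byte value. */
int try_value_len(size_t n)
{
    unsigned char pkt[255];
    struct value_pair vp;
    if (n > 253) return -2;            /* cannot be encoded in one byte */
    pkt[0] = 1;
    pkt[1] = (unsigned char)(n + 2);
    memset(pkt + 2, 'A', n);
    return parse_string_attr(pkt, n + 2, &vp);
}

int main(void)
{
    printf("127 -> %d, 128 -> %d, 253 -> %d\n", try_value_len(127), try_value_len(128), try_value_len(253));
    return 0;
}
```

    Values of 128 bytes and up are rejected rather than copied, so the
    longest accepted string is 127 bytes plus the terminating NUL.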