Security issue?

2003-06-13 Thread bens
Some time ago, I submitted the security issue below, and I wanted to know when
the next release was due that (hopefully) fixed the issue(!?!?)

-Ben 

 If I know a valid password for any 
 account, I can get in with a username of *, and the valid password.

 Passwords appear to be properly handled; usernames are apparently not being
 escaped by the rlm_ldap module (as of 0.8.1). Any time more than one user has
 the same password, this hole does not work (so it's properly checking for
 multiple query returns).

 -Ben 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
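Ben's report above concerns the User-Name being placed unescaped into the rlm_ldap search filter. As an added example (not code from the thread or from FreeRADIUS), the following Python escapes a username per RFC 4515 and runs a simplified `(uid=value)` matcher over a constructed toy directory to show why an unescaped `*` matches every entry while the escaped form matches none; the directory entries, the matcher and all function names are assumptions for this demo, not rlm_ldap's real implementation.

```python
"""Added example: RFC 4515 escaping of a RADIUS User-Name before it is
interpolated into an LDAP filter, plus a toy directory and a simplified
(uid=value) matcher (both constructed here) to show the effect."""

import re

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by the character's two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user_name: str, escape: bool = True) -> str:
    """Build a (uid=...) filter. escape=False reproduces the unescaped
    interpolation the report describes; escape=True is the fix."""
    value = escape_filter_value(user_name) if escape else user_name
    return f"(uid={value})"


def _value_to_regex(value: str) -> re.Pattern:
    """Assertion value -> regex: a bare '*' is the LDAP wildcard, a \\XX
    escape is the literal character it encodes, everything else literal."""
    parts = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def search(directory: dict, ldap_filter: str) -> list:
    """Return the uids that a (uid=value) filter matches in the toy directory."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("only (uid=value) filters are supported in this demo")
    pattern = _value_to_regex(m.group(1))
    return sorted(uid for uid in directory if pattern.match(uid))


# Constructed sample entries: uid -> password (plaintext only for the demo).
DIRECTORY = {"alice": "pw-alice", "bob": "pw-bob"}
```

With `escape=False` the filter built from a User-Name of `*` matches both entries; with escaping it matches nothing, because `\2a` is compared as a literal asterisk.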


Re: [Portslave-users] Security issue; non case sensitivity in MySql

2003-02-10 Thread Nicholas Tretyachenko
Hello Robert,

Sunday, February 9, 2003, 9:55:20 PM, you wrote:

RC Let's say I have a username of rcanary.  The account is created on the
RC radius (MySql DB) as UserName=rcanary

RC Now let's say I try to dial in (using portslave here in this case).  I
RC mistype the username as *R*canary instead of *r*canary.
RC The RAS is case sensitive.  However, radius is allowing the Rcanary and
RC rcanary.  This results in the user being logged in as canary because
RC portslave will drop the R.
Look at the config of your radius server. I think it uses a capital R as
a hint for service type and then drops the R. That is not an issue at all. That
is a misconfiguration of your radius server.

-- 
Best regards,
 Nicholas  mailto:[EMAIL PROTECTED]






Re: Security issue; non case sensitivity in MySql

2003-02-10 Thread Alan DeKok
Robert Canary [EMAIL PROTECTED] wrote:
 Now let's say I try to dial in (using portslave here in this case).  I
 mistype the username as *R*canary instead of *r*canary.
 The RAS is case sensitive.  However, radius is allowing the Rcanary and
 rcanary.

  So run the server in debugging mode, to see which parts of which
configuration files are being used... look at those configuration
files to see what's going on.

  Incidentally, the user name comparison in the 'users' file and in
rlm_sql is case sensitive.

  This results in the user being logged in as canary because
 portslave will drop the R.

  So configure portslave to NOT drop the R...

 If I have two usernames which differ only by the first letter (rcanary
 and canary) if rcanary user logs in with a capital letter then they will
 be granted access to the other users files.

  So fix your configuration to not do that...

 Other than trying to control username similarity when usernames are
 created, anyone have an idea how to control this?

 PS. Since this involves PortSlave and freeradius and a security
 problem, I double posted this on both mailing lists.

  You've either misconfigured portslave, or radiusd.

  Alan DeKok.




Re: Security issue; non case sensitivity in MySql

2003-02-10 Thread Robert Canary
When mysql is queried for that password against that username (regardless
of case) it returns a match because MySql isn't case sensitive.  That's
something which should be boldly noted in the docs.

Now here is the odd thing I noticed.  PPPD logs the user as
Rcanary as being logged on.  However, utmp and privileges treat the user as
canary.  I can't get enough debug logging going on the portslave
machine to see what's happening.  If radius is told not to strip the R
we still have a tiny problem with the mysql circumventing case
sensitivity.  (Well, more like something one needs to be aware of.)

However, MySql will do a STRCMP (String Compare).  So I went into the
sql.conf file to change the query strings.  However, I found that the
author had already included the case sensitive query, but it was
commented out.

Alan DeKok wrote:
 
 Robert Canary [EMAIL PROTECTED] wrote:
  Now let's say I try to dial in (using portslave here in this case).  I
  mistype the username as *R*canary instead of *r*canary.
  The RAS is case sensitive.  However, radius is allowing the Rcanary and
  rcanary.
 
   So run the server in debugging mode, to see which parts of which
 configuration files are being used... look at those configuration
 files to see what's going on.
 
   Incidentally, the user name comparison in the 'users' file and in
 rlm_sql is case sensitive.
 
   This results in the user being logged in as canary because
  portslave will drop the R.
 
   So configure portslave to NOT drop the R...
 
  If I have two usernames which differ only by the first letter (rcanary
  and canary) if rcanary user logs in with a capital letter then they will
  be granted access to the other users files.
 
   So fix your configuration to not do that...
 
  Other than trying to control username similarity when usernames are
  created, anyone have an idea how to control this?
 
  PS. Since this involves PortSlave and freeradius and a security
  problem, I double posted this on both mailing lists.
 
   You've either misconfigured portslave, or radiusd.
 
   Alan DeKok.
 




Re: Security issue; non case sensitivity in MySql

2003-02-10 Thread Alan DeKok
Robert Canary [EMAIL PROTECTED] wrote:
 Now here is the odd thing I noticed.  PPPD logs the user as
 Rcanary as being logged on.  However, utmp and privileges treat the user as
 canary.

  Then either PPPd or the RADIUS server is stripping off the leading
'R'.

  The server doesn't do it unless you edited the configs, so I would
guess PPPd.

  Alan DeKok.




Re: [Portslave-users] Security issue; non case sensitivity in MySql

2003-02-10 Thread Russell Coker
On Sun, 9 Feb 2003 19:55, Robert Canary wrote:
 Let's say I have a username of rcanary.  The account is created on the
 radius (MySql DB) as UserName=rcanary

 Now let's say I try to dial in (using portslave here in this case).  I
 mistype the username as *R*canary instead of *r*canary.
 The RAS is case sensitive.  However, radius is allowing the Rcanary and
 rcanary.  This results in the user being logged in as canary because
 portslave will drop the R.

I can't reproduce this.  Portslave only drops the first character if it is one 
of 'P', 'C', 'S', 'L', or '!'.

 If I have two usernames which differ only by the first letter (rcanary
 and canary) if rcanary user logs in with a capital letter then they will
 be granted access to the other users files.

If the two users have the same password then this sort of thing can happen.  
How can it happen otherwise?

Anyway, is anyone using this feature?  Maybe it would be generally less
confusing if I just removed the feature of using prefixes and suffixes for
indicating service type and just let this be handled by the RADIUS server.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





Re: Security issue; non case sensitivity in MySql

2003-02-10 Thread Jason Haar
On Mon, Feb 10, 2003 at 10:19:22AM -0600, Robert Canary wrote:
 When mysql is queried for that password against that username (regardless
 of case) it returns a match because MySql isn't case sensitive.  That's
 something which should be boldly noted in the docs.

Not necessarily. MySql isn't case sensitive because that's how you've
configured it by choosing particular field types that are
case-insensitive...

Search the MySQL manual for "case insensitive by default".

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Security issue; non case sensitivity in MySql

2003-02-09 Thread Robert Canary
Let's say I have a username of rcanary.  The account is created on the
radius (MySql DB) as UserName=rcanary

Now let's say I try to dial in (using portslave here in this case).  I
mistype the username as *R*canary instead of *r*canary.
The RAS is case sensitive.  However, radius is allowing the Rcanary and
rcanary.  This results in the user being logged in as canary because
portslave will drop the R.

If I have two usernames which differ only by the first letter (rcanary
and canary) if rcanary user logs in with a capital letter then they will
be granted access to the other users files.

Other than trying to control username similarity when usernames are
created, anyone have an idea how to control this?

PS. Since this involves PortSlave and freeradius and a security
problem, I double posted this on both mailing lists.

--
robert
