When RADIUS authentication is used on OpenBSD, it is possible to log in to the OpenBSD machine when traffic from the RADIUS server can be spoofed. Since RADIUS uses UDP, this is not hard to do. RADIUS authentication is not enabled by default on OpenBSD.
When connecting to an OpenBSD machine that does RADIUS authentication (configured in /etc/login.conf; see login.conf(5) and login_radius(8)), the OpenBSD machine asks for a user id and password. This user id and password are sent to the RADIUS server, which responds with either a 'REJECT' or an 'ACCEPT'. More information on the protocol can be found in RFC 2865.
* OpenBSD version 3.2
* OpenBSD version 3.5
* OpenBSD version 3.6
From this RFC, chapter 7.1:
The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS Server for a user named nemo logging in on port 3 with password "arctangent".
The Request Authenticator is a 16 octet random number generated by the NAS.
The User-Password is 16 octets of password padded at end with nulls, XORed with MD5(shared secret|Request Authenticator).
Since the Response Authenticator in the reply is computed over the Request Authenticator from the request (together with the shared secret), the client is able to verify the 'origin' of a reply: it must have a corresponding request pending, and the authenticator in the reply must match that request.
This is where OpenBSD fails. Eilko Bos used the following setup:
[--- LAN ----------------------------------------------------------]
        |                        |                        |
        |                        | OpenBSD                | Radius-
       [ ] client               [ ] server               [ ] Server
     10.10.1.3                10.10.1.2                10.10.1.1
Steps 1-3 are the preparation phase.
1) Set up an environment where RADIUS login is used and that you control.
2) Log in via RADIUS, sniff the packets and save the 'ACCEPT' packet.
3) Transform the 'ACCEPT' packet data so it can be used by e.g. socat or hping.
4) From the client, log in to the OpenBSD server. The OpenBSD server sends a REQUEST to the RADIUS server and waits for an answer.
5) Either use ARP spoofing to make the OpenBSD server believe that another machine you control is the RADIUS server (assuming a local network), or use perfect timing and spoof a packet with the correct source and destination port numbers. Send the ACCEPT packet, e.g. with socat or hping. OpenBSD uses the ACCEPT packet and grants the login.
In the above scenarios you need neither the shared secret (which you would need in order to set up another RADIUS server) nor the password of the account you log in with.
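The following is an added illustration of the check that the RFC text above makes possible; it is example code written for this page, not code from the advisory or from OpenBSD's login_radius. It encodes an Access-Request and an Access-Accept as described in RFC 2865 and contrasts a client that only matches the packet Identifier with one that recomputes the Response Authenticator from its own pending Request Authenticator and the shared secret. The shared secret, passwords and authenticators are constructed values, and weak_accept is a simplification of the flaw class, not a reproduction of OpenBSD's actual code.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT = 1, 2, 4, 5


def attr(atype, value):
    """One RFC 2865 section 5 attribute: Type(1) Length(1, header included) Value."""
    return bytes([atype, 2 + len(value)]) + value


def encode_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2 User-Password hiding: pad with NULs to a multiple of 16,
    then XOR each block with MD5(secret + previous block); the first 'previous block'
    is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(hidden, secret, request_auth):
    """Server side of section 5.2: the XOR chain is reversed block by block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, body):
    """Header (Code, Identifier, Length) + 16-octet Authenticator + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS side. Returns (packet, request_auth); the NAS keeps request_auth pending
    until the reply arrives, because the reply is verified against it."""
    request_auth = request_auth or os.urandom(16)
    body = (attr(ATTR_USER_NAME, username)
            + attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth))
            + attr(ATTR_NAS_IP, bytes([192, 168, 1, 16]))  # NAS address used in the RFC example
            + attr(ATTR_NAS_PORT, struct.pack("!I", 3)))
    return build_packet(ACCESS_REQUEST, ident, request_auth, body), request_auth


def build_access_accept(ident, request_auth, secret, body=b""):
    """Server side: the Response Authenticator binds this reply to one request."""
    auth = response_authenticator(ACCESS_ACCEPT, ident, body, request_auth, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, body)


def weak_accept(reply, pending_ident):
    """A client that only checks Code and Identifier (a simplified model of the flaw
    class, not OpenBSD's code): a recorded Accept with a matching Identifier is
    taken at face value."""
    if len(reply) < 20:
        return False
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    return code == ACCESS_ACCEPT and ident == pending_ident


def verify_reply(reply, pending_ident, pending_request_auth, secret):
    """Recompute the Response Authenticator over our own pending Request Authenticator
    and the shared secret. Returns the reply code, or None if the reply is not a valid
    answer to the pending request. A reply recorded from another session cannot pass
    without knowledge of the secret."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != pending_ident or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return None
    expected = response_authenticator(code, ident, reply[20:], pending_request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return code


def demo(secret=b"constructed-secret", auth_a=None, auth_b=None):
    """Session A is a genuine login whose Accept gets recorded; in session B that
    recorded Accept is presented to a client with a different pending request."""
    _, auth_a = build_access_request(7, b"nemo", b"arctangent", secret, auth_a)
    accept_a = build_access_accept(7, auth_a, secret)
    _, auth_b = build_access_request(7, b"nemo", b"not-the-password", secret, auth_b)
    return {
        "genuine_accept_verified": verify_reply(accept_a, 7, auth_a, secret) == ACCESS_ACCEPT,
        "replay_passes_weak_check": weak_accept(accept_a, 7),
        "replay_passes_full_check": verify_reply(accept_a, 7, auth_b, secret) == ACCESS_ACCEPT,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is the last two entries of the result: the recorded Accept satisfies a client that only matches the Identifier, but fails as soon as the client recomputes the Response Authenticator, because the MD5 input includes both the new Request Authenticator and the shared secret that the sender of a replayed packet does not have. The same check is what produces the "No valid RADIUS responses received" and "shared secret is probably incorrect" messages on the systems listed below.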
Sample messages from systems that are not vulnerable:
With FreeBSD 5.2.1, the following message is logged:
Aug 31 11:40:39 server login: rad_send_request: No valid RADIUS responses received
With Fedora Core 2 / pam_radius_auth.so (http://www.freeradius.org/pam_radius_auth/), the following message is logged:
10.10.1.1 fails verification: The shared secret is probably incorrect.
10-09-2004 Informed the OpenBSD crew at 21:19 CEST
11-09-2004 Received patch at 02:30 CEST