I've identified a couple of security flaws affecting the TekRADIUS radius
server for Windows which may allow privilege escalation. These issues were
reported by email to the vendor and have I believe been resolved.
Tim
--
Tim Brown
<mailto:timb (at) nth-dimension.org (dot) uk>
<http://www.nth-dimension.org.uk/>
Nth Dimension Security Advisory (NDSA20090412)
Date: 12th April 2009
Author: Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: TekRADIUS 3.0 <http://www.tekradius.com/>
Vendor: Yasin KAPLAN <http://www.yasinkaplan.com/>
Risk: Medium
Summary
This advisory comes in 3 related parts:
1) By default, TekRADIUS connects to SQL Server as the sa (or equivalent) account; this is to allow it to create its database.
2) The TekRADIUS database credentials are stored in obfuscated form, but the file itself is accessible by any Windows user.
3) TekRADIUS comes with GUI and command line clients. These do not sanitise all input satisfactorily. This can lead to SQL injection allowing compromise of the database server and privilege escalation at the Windows level.
Technical Details
1) In the event that TekRADIUS is configured to use the sa (or equivalent) account in order to access its database after initial creation, any failure to correctly sanitise input which results in SQL injection may allow an attacker privileged access to the database server.
2) TekRADIUS stores the database credentials in C:\Program Files\TekRADIUS\TekRADIUS.ini.
As we can see below, this file is accessible by any local Windows user including all members of the Users group:
C:\Program Files\TekRADIUS>cacls TekRADIUS.ini
C:\Program Files\TekRADIUS\TekRADIUS.ini BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\TERMINAL SERVER USER:C
This happens even when we change the default install option and opt only to install TekRADIUS for the current Windows user, and appears to be by design as we discuss later. Note that the credentials are obfuscated with the intention of preventing direct database access.
3) TekRADIUS is intended to be managed using either a GUI or command line client. In both cases, non-privileged Windows users are only presented with limited functionality designed to prevent certain changes being made.
However, this is not entirely successful due to insufficient input sanitisation, which can lead to SQL injection.
When the GUI is opened by a non-privileged user, they are presented with a window containing 3 tabs, one of which is the "Users" tab. Within this is a "Browse Users" text box. Injecting the following string into this text box:
' union select system_user,@@version;--
results in a table being returned containing the results of the injected query.
Whilst the command line client correctly sanitises most input, one argument is not sanitised and it is therefore possible to inject arbitrary SQL into queries made to the database server. For example:
C:\Program Files\TekRADIUS>trcli -r "'; exec master.dbo.sp_configure 'show advanced options', 1; reconfigure; exec master.dbo.sp_configure 'xp_cmdshell', 1; reconfigure; exec master.dbo.xp_cmdshell 'ping www.nth-dimension.org.uk'--"
This injects the necessary SQL calls to re-enable xp_cmdshell (necessary on
SQL Server 2005) and execute "ping www.nth-dimension.org.uk".
Solutions
Unfortunately, Nth Dimension are unaware of any fixes for these issues at the current time. The vendor was contacted on the 13th April 2009 and immediately responded. The vendor provided a private patch that partially resolved the issue and Nth Dimension gave feedback outlining further issues with SQL injection into the GUI and suggesting parameterised queries. Nth Dimension also made suggestions around the installation routine to resolve the file permission issues. Nth Dimension are not aware that the patch or the additional feedback has been included into the public product and no further emails have been received. We would recommend that access to TekRADIUS.ini is revoked for untrusted users, and that TekRADIUS is reconfigured to use a non-privileged database account.
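To show what the parameterised-query recommendation above buys against the "Browse Users" injection described in part 3, here is an added illustration (not TekRADIUS code, whose source is not available here): an in-memory SQLite table stands in for the users table, and a concatenated search query is contrasted with the parameterised form. The table layout, column names and the SQLite-flavoured union payload are constructed assumptions.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the TekRADIUS user table; not the product's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, groupname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Default"), ("bob", "VPN")])
    return conn


def browse_users_vulnerable(conn, search):
    # Query built by string concatenation: the search term becomes part of
    # the SQL text, so a quote in it ends the literal and the rest is parsed
    # as SQL (the weakness the advisory describes in the GUI client).
    sql = ("SELECT username, groupname FROM users "
           "WHERE username LIKE '%" + search + "%'")
    return conn.execute(sql).fetchall()


def browse_users_parameterised(conn, search):
    # The search term is bound as a parameter; the driver never parses it as
    # SQL, so quotes, UNION and comment markers are matched literally.
    # (% and _ still act as LIKE wildcards; escape them if that matters.)
    sql = "SELECT username, groupname FROM users WHERE username LIKE ?"
    return conn.execute(sql, ("%" + search + "%",)).fetchall()


# Constructed payload in the spirit of the advisory's
# ' union select system_user,@@version;-- , rewritten for SQLite, which has
# no system_user/@@version; the trailing -- comments out the closing %'.
PAYLOAD = "' union select 'version', sqlite_version()--"

if __name__ == "__main__":
    db = make_db()
    # Vulnerable form: user rows plus an extra ('version', <sqlite version>) row.
    print(browse_users_vulnerable(db, PAYLOAD))
    # Parameterised form: no username contains the payload text, so no rows.
    print(browse_users_parameterised(db, PAYLOAD))
```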