Nth Dimension Security Advisory (NDSA20090412)

Date: 12th April 2009
Author: Tim Brown
URL: /
Product: TekRADIUS 3.0
Vendor: Yasin KAPLAN
Risk: Medium

Summary

This advisory comes in 3 related parts:

1) By default, TekRADIUS connects to SQL Server as the sa (or equivalent) account; this is to allow it to create its database.

2) The TekRADIUS database credentials are stored in obfuscated form, but the file itself is accessible by any Windows user.

3) TekRADIUS comes with GUI and command line clients. These do not sanitise all input satisfactorily. This can lead to SQL injection, allowing compromise of the database server and privilege escalation at the Windows level.

Technical Details

1) In the event that TekRADIUS is configured to use the sa (or equivalent) account in order to access its database after initial creation, any failure to correctly sanitise input which results in SQL injection may allow an attacker privileged access to the database server.

2) TekRADIUS stores the database credentials in C:\Program Files\TekRADIUS\TekRADIUS.ini. As we can see below, this file is accessible by any local Windows user, including all members of the Users group:

C:\Program Files\TekRADIUS>cacls TekRADIUS.ini
C:\Program Files\TekRADIUS\TekRADIUS.ini BUILTIN\Users:R
                                         BUILTIN\Power Users:C
                                         BUILTIN\Administrators:F
                                         NT AUTHORITY\SYSTEM:F
                                         NT AUTHORITY\TERMINAL SERVER USER:C

This happens even when we change the default install option and opt only to install TekRADIUS for the current Windows user, and appears to be by design, as we discuss later. Note that the credentials are obfuscated with the intention of preventing direct database access.

3) TekRADIUS is intended to be managed using either a GUI or command line client. In both cases, non-privileged Windows users are only presented with limited functionality designed to prevent certain changes being made. However, this is not entirely successful due to insufficient input sanitisation, which can lead to SQL injection.

When the GUI is opened by a non-privileged user, they are presented with a window containing 3 tabs, one of which is the "Users" tab. Within this is a "Browse Users" text box. Injecting the following string into this text box:

' union select system_user,@@version;--

results in a table being returned containing the results as queried.

Whilst the command line client correctly sanitises most input, in one case it does not, and it is therefore possible to inject arbitrary SQL into queries made to the database server. For example:

C:\Program Files\TekRADIUS>trcli -r "'; exec master.dbo.sp_configure 'show advanced options', 1; reconfigure; exec master.dbo.sp_configure 'xp_cmdshell', 1; reconfigure; exec master.dbo.xp_cmdshell 'ping www.nth-dimension.org.uk'--"

This injects the necessary SQL calls to re-enable xp_cmdshell (necessary on SQL Server 2005) and execute "ping www.nth-dimension.org.uk".

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues at the current time. The vendor was contacted on the 13th April 2009 and immediately responded. The vendor provided a private patch that partially resolved the issue, and Nth Dimension gave feedback outlining further issues with SQL injection into the GUI and suggesting parameterised queries. Nth Dimension also made suggestions around the installation routine to resolve the file permission issues. Nth Dimension are not aware that the patch or the additional feedback has been included in the public product, and no further emails have been received.

We would recommend that access to TekRADIUS.ini is revoked for untrusted users, and that TekRADIUS is reconfigured to use a non-privileged database account.
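As an added illustration of the parameterised-query fix suggested to the vendor (example code written for this page, not TekRADIUS's own code): a "Browse Users" lookup built by string concatenation beside the same lookup with a bound parameter. Python with an in-memory SQLite database stands in for the product's .NET/SQL Server stack, the Users table and the union payload are constructed, and sqlite_version() takes the place of @@version.

```python
import sqlite3

# Constructed sample rows standing in for a TekRADIUS user table
# (assumption: the real schema is not given in the advisory).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Payload shaped like the one in the advisory; constructed for this example.
PAYLOAD = "' UNION SELECT 'injected', sqlite_version() --"


def make_db():
    """Build an in-memory database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def browse_users_vulnerable(conn, term):
    """Concatenation: the search term becomes part of the SQL text, so a
    quote in it closes the literal and the rest is parsed as SQL."""
    sql = ("SELECT UserName, Password FROM Users "
           "WHERE UserName LIKE '" + term + "%'")
    return conn.execute(sql).fetchall()


def browse_users_parameterised(conn, term):
    """Bound parameter: the whole term, quotes included, is matched as data
    against UserName and is never parsed as SQL."""
    sql = "SELECT UserName, Password FROM Users WHERE UserName LIKE ?"
    return conn.execute(sql, (term + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(browse_users_vulnerable(db, PAYLOAD))     # extra row from the UNION
    print(browse_users_parameterised(db, PAYLOAD))  # [] - no user has that name
```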