OpenDirectory Authentication memory corruption

Alan DeKok aland at deployingradius.com
Mon May 25 14:48:09 CEST 2020


On May 25, 2020, at 6:36 AM, Carsten Kirschner via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Hello, I wrote on 15.01.2020 17:50 about our Freeradius problems; now we have tested it anew with a new version of Freeradius (3.0.21).
> 
> And I have the strong suspicion that the opendirectory module has a memory corruption bug. It would explain why some auths work, and others print some garbage in the shortUserName debug print. And I also had a segmentation fault of freeradius in debug mode and multiple other occurrences in the system log:

  That's not good.

> May 25 08:54:00 server com.apple.xpc.launchd[1] (org.freeradius.radiusd[54628]): Service exited due to SIGSEGV | sent by exc handler[54628]
> May 25 08:54:05 server com.apple.xpc.launchd[1] (org.freeradius.radiusd[61018]): Service exited due to SIGSEGV | sent by exc handler[61018]
> May 25 08:54:05 server com.apple.xpc.launchd[1] (org.freeradius.radiusd): Service only ran for 5 seconds. Pushing respawn out by 5 seconds.
> May 25 08:54:19 server com.apple.xpc.launchd[1] (org.freeradius.radiusd[61021]): Service exited due to SIGSEGV | sent by exc handler[61021]
> May 25 08:54:19 server com.apple.xpc.launchd[1] (org.freeradius.radiusd): Service only ran for 9 seconds. Pushing respawn out by 1 seconds.
> and more ...
> 
> At the end is an example crash report; all crash reports crash at getUserNodeRef in rlm_mschap.dylib.

  Is it possible to get line numbers?

> And after that a full radiusd -X output.

  Which doesn't show it receiving packets... but whatever.

> Request Examples:
> (6) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (6) mschap: No NT-Password configured. Trying OpenDirectory Authentication
> (6) mschap: OD username_string = CKirschner, OD shortUserName=CKirschner (length = 10) 
> (6) mschap:   Stepbuf server challenge : 
> ffffffc0ffffff92ffffff96234b56ffffffd8ffffffbc6b67ffffffa7ffffffdbffffff88ffffffbe4777
> (6) mschap:   Stepbuf peer challenge   : 
> 1709083c13ffffffba6affffffe366ffffff86ffffffc9ffffff8d36ffffffdafffffff8fffffff0
> (6) mschap:   Stepbuf p24              : 
> ffffffe5ffffffde0f14100cffffffd37847fffffff1727f031e1e09fffffff3395723ffffff90ffffffb873ffffffca
> (6) mschap: dsDoDirNodeAuth returns stepbuff: S=FA1D3E965B2187EA23BECF6655F1289024D6998B???? (len=40) 
> (6) eap_mschapv2:     [mschap] = ok
> (6) eap_mschapv2:   } # authenticate = ok
> (6) eap_mschapv2: MSCHAP Success
> 
> 
> (14) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (14) mschap: No NT-Password configured. Trying OpenDirectory Authentication
> (14) mschap: OD username_string = CKirschner, OD shortUserName=CKirschnerYn?? (length = 14) 

  Yeah, that seems wrong.  The odd thing is that the shortUserName field has its length taken directly from the OpenDirectory API.  i.e. it's not from FreeRADIUS.

> Example crash reports; all crash reports crash at getUserNodeRef in rlm_mschap.dylib
> ///
> Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
> 0   rlm_mschap.dylib              	0x00000001095d0687 getUserNodeRef + 1463

  Line numbers would help rather a lot.

  Without line numbers, all we know is that it crashes somewhere in the function.  With line numbers, we know where it crashed.  And that knowledge lets us fix the problem.

  Alan DeKok.



