Problem when trying to store NAS-Port-ID into radpostauth table
Hi, I added a column to the radpostauth table to store the NAS-Port-ID, but I am noticing a strange behaviour for a specific type of NAS. Using tcpdump, I can see that the NAS-Port-Id attributes arrives in the following format: NAS-Port-Id Attribute (87), length: 38, Value: slot=0;subslot=2;port=1;vlanid=1110; But when I check what is being stored in the radpostauth table and in the radacct table, I get something like this: slot=3D3D0=3D3Bsubslot=3D3D2=3D3Bport=3D3D0=3D3Bvlanid=3D3D1001=3D3B I am using the following expression in my queries.conf to get the value of this attribute from the request: NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', '') It seems like unlang is encoding the value somehow. Do you guys have any suggestion?
On 16 Sep 2021, at 11:25, Antônio Modesto <modesto@hubsoft.com.br> wrote:
Hi,
Olá!
I added a column to the radpostauth table to store the NAS-Port-ID, but I am noticing a strange behaviour for a specific type of NAS. Using tcpdump, I can see that the NAS-Port-Id attributes arrives in the following format:
NAS-Port-Id Attribute (87), length: 38, Value: slot=0;subslot=2;port=1;vlanid=1110;
But when I check what is being stored in the radpostauth table and in the radacct table, I get something like this:
slot=3D3D0=3D3Bsubslot=3D3D2=3D3Bport=3D3D0=3D3Bvlanid=3D3D1001=3D3B
I am using the following expression in my queries.conf to get the value of this attribute from the request:
NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', '')
It seems like unlang is encoding the value somehow. Do you guys have any suggestion?
Exactly as you can see the comments along the option “safe_characters” along the raddb/mods-config/sql/main/$driver/queries.conf. basically, anything beyond that list will be _encoded_. Therefore, you could try to use the %{unescape:…} e.g: NULLIF('%{unescape:%{%{NAS-Port-ID}:-%{NAS-Port}}}', '') -- Jorge Pereira jpereira@freeradius.org
On 16/09/2021 12:23, Jorge Pereira wrote:
On 16 Sep 2021, at 11:25, Antônio Modesto <modesto@hubsoft.com.br> wrote:
Hi,
Olá!
I added a column to the radpostauth table to store the NAS-Port-ID, but I am noticing a strange behaviour for a specific type of NAS. Using tcpdump, I can see that the NAS-Port-Id attributes arrives in the following format:
NAS-Port-Id Attribute (87), length: 38, Value: slot=0;subslot=2;port=1;vlanid=1110;
But when I check what is being stored in the radpostauth table and in the radacct table, I get something like this:
slot=3D3D0=3D3Bsubslot=3D3D2=3D3Bport=3D3D0=3D3Bvlanid=3D3D1001=3D3B
I am using the following expression in my queries.conf to get the value of this attribute from the request:
NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', '')
It seems like unlang is encoding the value somehow. Do you guys have any suggestion?
Exactly as you can see the comments along the option “safe_characters” along the raddb/mods-config/sql/main/$driver/queries.conf. basically, anything beyond that list will be _encoded_.
Therefore, you could try to use the %{unescape:…}
e.g:
NULLIF('%{unescape:%{%{NAS-Port-ID}:-%{NAS-Port}}}', '')
Hello, Thanks for your suggestion, but unfortunatelly it didn't work. I noticed the escaping happens in the rlm_sql module, so passing the unescaped string to it has no effect. I think the only solution would be to modify safe_characters to include the characters I am having problem with. Any better idea?
-- Jorge Pereira jpereira@freeradius.org
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Att, *Antônio Modesto*
On 16/09/2021 12:23, Jorge Pereira wrote:
On 16 Sep 2021, at 11:25, Antônio Modesto <modesto@hubsoft.com.br> wrote:
Hi,
Olá!
I added a column to the radpostauth table to store the NAS-Port-ID, but I am noticing a strange behaviour for a specific type of NAS. Using tcpdump, I can see that the NAS-Port-Id attributes arrives in the following format:
NAS-Port-Id Attribute (87), length: 38, Value: slot=0;subslot=2;port=1;vlanid=1110;
But when I check what is being stored in the radpostauth table and in the radacct table, I get something like this:
slot=3D3D0=3D3Bsubslot=3D3D2=3D3Bport=3D3D0=3D3Bvlanid=3D3D1001=3D3B
I am using the following expression in my queries.conf to get the value of this attribute from the request:
NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', '')
It seems like unlang is encoding the value somehow. Do you guys have any suggestion?
Exactly as you can see the comments along the option “safe_characters” along the raddb/mods-config/sql/main/$driver/queries.conf. basically, anything beyond that list will be _encoded_.
Therefore, you could try to use the %{unescape:…}
e.g:
NULLIF('%{unescape:%{%{NAS-Port-ID}:-%{NAS-Port}}}', '')
Thanks for your help Jorge, The unescape didn't solve the problem. I had to add ";" and "=" to the safe_characters variable to solve it for now. Regards.
-- Jorge Pereira jpereira@freeradius.org
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Att, *Antônio Modesto*
On Sep 16, 2021, at 2:57 PM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
The unescape didn't solve the problem. I had to add ";" and "=" to the safe_characters variable to solve it for now.
People can now do SQL injection attacks, and break into your SQL server. Please don't do that. Alan DeKok.
On 16/09/2021 16:23, Alan DeKok wrote:
On Sep 16, 2021, at 2:57 PM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
The unescape didn't solve the problem. I had to add ";" and "=" to the safe_characters variable to solve it for now. People can now do SQL injection attacks, and break into your SQL server.
Please don't do that.
Alan DeKok. From our application I don't think that it is possible. Only if the attacker pretended to be a known NAS server. Do you have any other suggestion?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 16, 2021, at 4:32 PM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
From our application I don't think that it is possible. Only if the attacker pretended to be a known NAS server. Do you have any other suggestion?
If you change the list of allowed characters, it is changed for ALL of the attributes. Not just NAS-Port-Id. For example, someone could log in with a User-Name which exploits this issue. They don't even have to have an account, or even the correct password. Alan DeKok.
On 16/09/2021 17:40, Alan DeKok wrote:
On Sep 16, 2021, at 4:32 PM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
From our application I don't think that it is possible. Only if the attacker pretended to be a known NAS server. Do you have any other suggestion? If you change the list of allowed characters, it is changed for ALL of the attributes. Not just NAS-Port-Id. For example, someone could log in with a User-Name which exploits this issue. They don't even have to have an account, or even the correct password.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
That's really a problem. I did some tests and I don't think it is possible to do sql injection without allowing a single quote in safe_characters. Am I missing something? -- Att, *Antônio Modesto*
On Sep 17, 2021, at 9:14 AM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
That's really a problem. I did some tests and I don't think it is possible to do sql injection without allowing a single quote in safe_characters. Am I missing something?
Backslashes? Various other things? You'll have to investigate your particular database in detail to see what's possible. We've listed what we know is safe. Anything else is potentially dangerous. Alan DeKok.
On 17/09/2021 10:51, Alan DeKok wrote:
On Sep 17, 2021, at 9:14 AM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
That's really a problem. I did some tests and I don't think it is possible to do sql injection without allowing a single quote in safe_characters. Am I missing something? Backslashes? Various other things? You'll have to investigate your particular database in detail to see what's possible.
We've listed what we know is safe. Anything else is potentially dangerous.
Alan DeKok.
That's true. I will need to replace every ";" in the NAS-Port-Id attribute with another character, "/" for example. Do you know how can I do that without using the "%{sub:" function? (Not all my servers have the proper version to use that already)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Att, *Antônio Modesto*
On Sep 17, 2021, at 10:23 AM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
That's true. I will need to replace every ";" in the NAS-Port-Id attribute with another character, "/" for example. Do you know how can I do that without using the "%{sub:" function? (Not all my servers have the proper version to use that already)
There's no easy way to do it without "sub". Maybe regexes? Alan DeKok.
participants (3)
-
Alan DeKok -
Antônio Modesto -
Jorge Pereira