freeradius 3.0.15 memory corruption

petr.linke at seznam.cz petr.linke at seznam.cz
Thu Sep 7 12:37:48 CEST 2017


Hi,
I tried eapol_test, and eapol_test succeeds for a username with a length of more
than 5 characters.

Here is the command:
eapol_test -c ./eapol_test.conf -s SharedSecret -a 10.255.246.120
...
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

and here is the debug from freeradius:
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL
(9) ntdomain: No such realm "NULL"
(9)       [ntdomain] = noop
(9)       update control {
(9)         &Proxy-To-Realm := LOCAL
(9)       } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 65
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)       [eap] = updated
(9)       [logintime] = noop
(9)       [pap] = noop
(9)     } # authorize = updated
(9)   Found Auth-Type = eap
(9)   # Executing group from file /etc/freeradius/sites-enabled/inner
(9)     authenticate {
(9) eap: Expiring EAP session with state 0x5c5a59c65c534372
(9) eap: Finished EAP session with state 0x5c5a59c65c534372
(9) eap: Previous EAP request found for state 0x5c5a59c65c534372, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner
(9) eap_mschapv2:   authenticate {
(9) mschap: Creating challenge hash with username: abcdef
...
(11) Sent Access-Accept Id 11 from 10.255.246.120:1812 to 10.255.246.120:55228 length 0
(11)   MS-MPPE-Recv-Key = 0xda125ae5c2135b237a9fb5015aae8113737af18255fc163912a87fa3b4a73c54
(11)   MS-MPPE-Send-Key = 0x2b1b016695ef06e4bbbdd71d826e97b77ed6db4c6c59185e6f0a3c28f3f6ef6a
(11)   EAP-Message = 0x030b0004
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11)   User-Name = "abcdef"
(11)   EAP-Key-Name := 0x197a80a2347b0f01d3c32d4bf8551f6467b2abe6cc479d548d028c92603a9e7a902ae9a06bbd30ec205596a0eeb2ac10d210db303d9093e9aa7ffcd84dfa889ccf
(11) Finished request


Sections authz and authn from inner-tunnel:
-------------------------------------------------------
authorize {
        filter_username
        filter_inner_identity
        mschap
        suffix
        ntdomain
        update control {
                &Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        mschap

        eap
}

Petr

---------- original mail ----------
From: Alan Buxey <alan.buxey at gmail.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: 7. 9. 2017 11:14:58
Subject: Re: freeradius 3.0.15 memory corruption

"radtest doesn't do EAP. your real packets are using EAP and therefore
go through a different path - into inner-tunnel etc. use e.g. the
wpa_supplicant 'eapol_test' tool to actually run tests similar to a client.
what's your config like in the authn/authz sections of inner-tunnel?
what do you have enabled in the mschap module?
(PS should be using winbind method with 3.0.15 rather than ntlm_auth :) )

alan

On 7 September 2017 at 09:48, <petr.linke at seznam.cz> wrote:
> Hello,
> I am trying to set up freeradius 3.0.15 with MS AD authentication via ntlm_auth
> from samba. I use the default settings, following
> freeradius-active-directory-integration-howto. Everything works correctly for
> username lengths up to 5 characters, but when I use a username whose length
> is more than 5 characters, freeradius terminates due to memory corruption.
> (freeradius v.3.0.15, running on debian Wheezy64).
>
>
> debug for username length more than 5 characters:
>
> ...
> (10) ntdomain: Checking for prefix before "\"
> (10) ntdomain: No '\' in User-Name = "abcdef", looking up realm NULL
> (10) ntdomain: No such realm "NULL"
> (10) [ntdomain] = noop
> (10) update control {
> (10) &Proxy-To-Realm := LOCAL
> (10) } # update control = noop
> (10) eap: Peer sent EAP Response (code 2) ID 11 length 6
> (10) eap: No EAP Start, assuming it's an on-going EAP conversation
> (10) [eap] = updated
> (10) [logintime] = noop
> (10) [pap] = noop
> (10) } # authorize = updated
> (10) Found Auth-Type = eap
> (10) # Executing group from file /etc/freeradius/sites-enabled/inner
> (10) authenticate {
> (10) eap: Expiring EAP session with state 0x00b1f6cf01baecde
> (10) eap: Finished EAP session with state 0x00b1f6cf01baecde
> (10) eap: Previous EAP request found for state 0x00b1f6cf01baecde, released from the list
> (10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (10) eap: Calling submodule eap_mschapv2 to process data
> (10) eap: Sending EAP Success (code 3) ID 11 length 4
> (10) eap: Freeing handler
> (10) [eap] = ok
> (10) } # authenticate = ok
> (10) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner
> (10) post-auth {
> (10) if (1) {
> (10) if (1) -> TRUE
> (10) if (1) {
> (10) update reply {
> (10) User-Name !* ANY/lib/x86_64-linux-gnu/libc.so.6(+0x75bb6)[0x7efef0171bb6]
> *** glibc detected *** freeradius: free(): invalid next size (fast): 0x0000000000b61230 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c]
> /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7efef159d089]
> /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b3]
> /usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7efef2023b56]
> /usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef2263c9d]
> freeradius[0x4278ad]
> freeradius[0x4272aa]
> freeradius[0x42752d]
> freeradius[0x4272aa]
> freeradius[0x42752d]
> freeradius(modcall+0x43)[0x4286a3]
> freeradius(indexed_modcall+0xa5)[0x423205]
> freeradius(rad_postauth+0x80)[0x4118a0]
> freeradius(rad_virtual_server+0x3d0)[0x4128f0]
> /usr/lib/freeradius/rlm_eap_peap.so(eappeap_process+0x772)[0x7efee953c872]
> /usr/lib/freeradius/rlm_eap_peap.so(+0x1de2)[0x7efee953ade2]
> /usr/lib/freeradius/rlm_eap.so(+0x3bbb)[0x7efeeab60bbb]
> /usr/lib/freeradius/rlm_eap.so(eap_method_select+0xc8)[0x7efeeab60e58]
> /usr/lib/freeradius/rlm_eap.so(+0x2e15)[0x7efeeab5fe15]
> freeradius[0x4283b2]
> freeradius[0x4272aa]
> freeradius[0x42752d]
> freeradius(modcall+0x43)[0x4286a3]
> freeradius(indexed_modcall+0xa5)[0x423205]
> freeradius(rad_authenticate+0x73d)[0x4122bd]
> freeradius[0x4368ba]
> freeradius[0x4322ad]
> freeradius(request_receive+0x337)[0x433f97]
> freeradius[0x41d5b9]
> freeradius[0x4316ad]
> /usr/lib/freeradius/libfreeradius-radius.so(fr_event_loop+0x2d9)[0x7efef2036c59]
> freeradius(main+0x6af)[0x410dbf]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7efef011aead]
> freeradius[0x411105]
> ======= Memory map: ========
> 00400000-00463000 r-xp 00000000 01:01 77414 /usr/sbin/freeradius
> 00662000-00665000 r--p 00062000 01:01 77414 /usr/sbin/freeradius
> 00665000-00669000 rw-p 00065000 01:01 77414 /usr/sbin/freeradius
> 00669000-0066a000 rw-p 00000000 00:00 0
> 00800000-00b9b000 rw-p 00000000 00:00 0
> [heap]
> ...
>
>
> and now the same situation, username length up to 5 characters:
>
> (10) ntdomain: Checking for prefix before "\"
> (10) ntdomain: No '\' in User-Name = "test2", looking up realm NULL
> (10) ntdomain: No such realm "NULL"
> (10) [ntdomain] = noop
> (10) update control {
> (10) &Proxy-To-Realm := LOCAL
> (10) } # update control = noop
> (10) eap: Peer sent EAP Response (code 2) ID 10 length 64
> (10) eap: No EAP Start, assuming it's an on-going EAP conversation
> (10) [eap] = updated
> (10) [logintime] = noop
> (10) [pap] = noop
> (10) } # authorize = updated
> (10) Found Auth-Type = eap
> (10) # Executing group from file /etc/freeradius/sites-enabled/inner
> (10) authenticate {
> (10) eap: Expiring EAP session with state 0x3dd92fdb3dd3359e
> (10) eap: Finished EAP session with state 0x3dd92fdb3dd3359e
> (10) eap: Previous EAP request found for state 0x3dd92fdb3dd3359e, released from the list
> (10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (10) eap: Calling submodule eap_mschapv2 to process data
> (10) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner
> (10) eap_mschapv2: authenticate {
> (10) mschap: Creating challenge hash with username: test2
> (10) mschap: Client is using MS-CHAPv2
> (10) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TEST.LOCAL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
> (10) mschap: EXPAND --username=%{mschap:User-Name:-None}
> (10) mschap: --> --username=test2
> ...
> (12) policy remove_reply_message_if_eap {
> (12) if (&reply:EAP-Message && &reply:Reply-Message) {
> (12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (12) else {
> (12) [noop] = noop
> (12) } # else = noop
> (12) } # policy remove_reply_message_if_eap = noop
> (12) } # post-auth = ok
> (12) Sent Access-Accept Id 252 from 10.255.246.120:1812 to 10.255.246.253:1812 length 0
> (12) MS-MPPE-Recv-Key = 0x1f4851b2d1ec7efab075df3b8442ee2f92405e46935f2739e329efbe06bc0e1e
> (12) MS-MPPE-Send-Key = 0xe75f33f2f6e0d814306d365d1c2d55da8296b7df034ad29b762d516c0cc10f7f
> (12) EAP-Message = 0x030c0004
> (12) Message-Authenticator = 0x00000000000000000000000000000000
> (12) User-Name = "test2"
> (12) EAP-Key-Name := 0x1959b11211ec00b494af0aff7ea172e56e202f0fa593dd5f9b40334b1906ab90534867b6668b5466cce813501306b028a585698afddf1dafb6937c56a41b6241ff
> (12) Finished request
>
>
> But when I try radtest with a username length of more than 5 characters, there is no
> problem:
> -----------------------------------------------------------------------------------------------------
> radius-test:~# radtest -t mschap abcdef 12345#W 10.255.246.120 1 SharedSecret
> Sent Access-Request Id 238 from 0.0.0.0:52211 to 10.255.246.120:1812 length 132
> User-Name = "abcdef"
> MS-CHAP-Password = "12345#W"
> NAS-IP-Address = 10.255.246.120
> NAS-Port = 1
> Message-Authenticator = 0x00
> Cleartext-Password = "12345#W"
> MS-CHAP-Challenge = 0x838e90923dacd16e
> MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000ce64b63fc3d55e1391b5f4ac516373cd10bd09574a21bb8c
> Received Access-Accept Id 238 from 10.255.246.120:1812 to 0.0.0.0:0 length 37
>
> Thank you for any help, Petr Linke
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"
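The glibc abort and backtrace quoted in Petr's first mail are the most useful artefact in this thread. As an added triage helper that is not part of the thread or of FreeRADIUS, the following Python script parses that output (mail quote prefixes included) into the abort reason, the bad pointer and the frame list, and picks out the first FreeRADIUS frame below the allocator; the sample text is constructed from the quoted backtrace. Note that "invalid next size" only says where glibc caught the corrupted chunk header, not where the overwrite happened.

```python
import re
# Constructed sample: the glibc abort and a subset of the backtrace frames from the
# thread, with the mail's "> " quote prefixes kept; not the full crash log.
SAMPLE = """\
> *** glibc detected *** freeradius: free(): invalid next size (fast): 0x0000000000b61230 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7efef017695c]
> /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x7089)[0x7efef159d089]
> /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0x113)[0x7efef15998b3]
> /usr/lib/freeradius/libfreeradius-radius.so(fr_pair_delete_by_num+0xa6)[0x7efef2023b56]
> /usr/lib/freeradius/libfreeradius-server.so(map_to_request+0xacd)[0x7efef2263c9d]
> freeradius[0x4278ad]
> freeradius(rad_postauth+0x80)[0x4118a0]
> /usr/lib/freeradius/rlm_eap_peap.so(eappeap_process+0x772)[0x7efee953c872]
> ======= Memory map: ========
"""

ABORT_RE = re.compile(
    r"\*\*\* glibc detected \*\*\* (?P<prog>\S+): (?P<reason>.+?): (?P<ptr>0x[0-9a-f]+) \*\*\*")
# object(symbol+offset)[address]; symbol and offset are optional, e.g. "freeradius[0x4278ad]"
FRAME_RE = re.compile(
    r"^(?P<obj>[^\s(\[]+)(?:\((?P<sym>[^+)]*)(?:\+0x[0-9a-f]+)?\))?\[(?P<addr>0x[0-9a-f]+)\]$")
ALLOCATOR_OBJS = ("libc.so", "libtalloc.so")

def parse_glibc_abort(text):
    """Return program, abort reason, bad pointer and backtrace frames from radiusd output."""
    result = {"prog": None, "reason": None, "ptr": None, "frames": []}
    in_bt = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()  # drop mail quote prefixes
        m = ABORT_RE.search(line)
        if m:
            result.update(prog=m["prog"], reason=m["reason"], ptr=m["ptr"])
        elif line.startswith("======= Backtrace"):
            in_bt = True
        elif line.startswith("======= Memory map"):
            break
        elif in_bt and (f := FRAME_RE.match(line)):
            result["frames"].append({"obj": f["obj"], "sym": f["sym"] or None, "addr": f["addr"]})
    return result

def first_app_frame(frames):
    """First named frame outside libc/talloc: where the bad free was *detected*; with
    'invalid next size' the out-of-bounds write happened earlier, so triage starts here."""
    return next((f for f in frames if f["sym"]
                 and not any(a in f["obj"] for a in ALLOCATOR_OBJS)), None)

def is_heap_overflow_signature(reason):
    """'invalid next size': the size field of the chunk after the freed one was overwritten."""
    return "invalid next size" in (reason or "")
```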