Thu Sep 29 06:27:06 EDT 2011

The following issue has been SUBMITTED. 
Reported By:                pcfreak
Assigned To:                
Project:                    mod_auth_xradius
Issue ID:                   165
Category:                   Security Issue
Reproducibility:            always
Severity:                   major
Priority:                   high
Status:                     new
Apache Version:             apache2 Version: 2.2.16-6+squeeze3 
Date Submitted:             2011-09-29 06:27 EDT
Last Modified:              2011-09-29 06:27 EDT
Summary:                    Replay Attack possible xradius with apr_memcache
On Debian Squeeze I successfully compiled mod_auth_xradius and apr_memcache. I
authenticate against a RADIUS server backend that verifies SafeWord OTP tokens.
Everything looks good so far, but when I sniff the "Authorization: Basic" string
in HTTP traffic and base64-decode it, I can use the credentials in different
sessions and from different IPs.

A so-called replay attack is possible during the "AuthXRadiusCacheTimeout", even
from a different IP.

I don't know if this is related to xradius or apr_memcache.

Steps to Reproduce:
Use tcpflow to sniff the HTTP session and grab the

Authorization: Basic d0Y5NjMzMzc6MTExMjkzMjA5NzAw

string. Do a 
  "echo d0Y5NjMzMzc6MTExMjg3NTAyOTIz | base64 -d - && echo"

and then you have

During the AuthXRadiusCacheTimeout you can use the credentials

 U: wF963337
 P: 111287502923

on any machine to authenticate.

Additional Information: 
Relevant parts of apache site config

<IfModule auth_xradius_module>
  ##The Cache for mod_auth_xradius must be configured globally.
  ##If you do not want Authentication Caching, set:
  AuthXRadiusCache memcache ""
  ## Time in Seconds that an entry will be cached.
  AuthXRadiusCacheTimeout 300
</IfModule>

<IfModule auth_xradius_module>
 <Location "/">
    ## Type of authentication to use - radius needs basic
    AuthType Basic
    ## We have to assign xradius as provider here
    AuthBasicProvider xradius
    ## Client prompt for authentication
    AuthName "Credentials needed"
    ## Address and the Shared Secret of the RADIUS Server(s) to contact.
    AuthXRadiusAddServer "" "yoursecret"
    #AuthXRadiusAddServer "" "yoursecret"
    ## Time in Seconds to wait for replies from the RADIUS Servers
    AuthXRadiusTimeout 7
    ## Number of times to resend a request to a server if no reply is received.
    AuthXRadiusRetries 2
    ## This tells apache that we want a valid user and password.
    require valid-user
 </Location>
</IfModule>

Version of memcached
Package: memcached Version: 1.4.5-1
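The cache-then-replay behaviour described in the steps above, modelled as an added Python example (not code from mod_auth_xradius, apr_memcache or the reporter): a stand-in OTP backend accepts each token exactly once, while a caching Basic-auth layer keyed on the credential alone keeps accepting the same header from any client for the whole timeout without consulting the backend. The `bind_client_ip` knob is a hypothetical hardening variant, not a mod_auth_xradius directive; user name, OTP and addresses are constructed.

```python
import base64
import hashlib


# Constructed stand-in for the RADIUS/SafeWord backend: every (user, otp)
# pair is valid exactly once, which is what makes a token one-time.
class OtpBackend:
    def __init__(self, valid_pairs):
        self.unused = set(valid_pairs)

    def authenticate(self, user, otp):
        if (user, otp) not in self.unused:
            return False
        self.unused.discard((user, otp))   # consumed: a second try at the backend fails
        return True


# Model of the caching layer the report describes: a successful Basic credential
# is remembered for cache_timeout seconds, keyed on the credential alone, so any
# client presenting the same header is accepted without the backend seeing it.
class CachingBasicAuth:
    def __init__(self, backend, cache_timeout, bind_client_ip=False):
        self.backend = backend
        self.cache_timeout = cache_timeout     # 0 models caching switched off
        self.bind_client_ip = bind_client_ip   # hypothetical hardening knob
        self.cache = {}                        # cache key -> expiry time

    def check(self, authz_header, client_ip, now):
        creds = base64.b64decode(authz_header.split(" ", 1)[1]).decode()
        user, otp = creds.split(":", 1)
        key_material = creds + (f"@{client_ip}" if self.bind_client_ip else "")
        key = hashlib.sha256(key_material.encode()).hexdigest()
        expiry = self.cache.get(key)
        if expiry is not None and now < expiry:
            return True                        # cache hit: backend never consulted
        ok = self.backend.authenticate(user, otp)
        if ok and self.cache_timeout > 0:
            self.cache[key] = now + self.cache_timeout
        return ok


def replay_outcome(cache_timeout, bind_client_ip=False, replay_ip="192.0.2.77"):
    """Return (first_login_ok, replayed_header_ok) for one constructed OTP."""
    auth = CachingBasicAuth(OtpBackend({("alice", "482913")}), cache_timeout, bind_client_ip)
    header = "Basic " + base64.b64encode(b"alice:482913").decode()   # constructed
    first = auth.check(header, "10.0.0.5", now=0)
    replay = auth.check(header, replay_ip, now=120)   # well inside a 300 s window
    return first, replay
```

Binding the cache key to the client address only closes the cross-IP case; a replay from the original address still hits the cache, so for one-time tokens the cache itself has to be off.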


Issue History 
Date Modified    Username       Field                    Change               
2011-09-29 06:27 pcfreak        New Issue                                    

