SecurityTracker.com
Category:  Application (Generic)  >  Tac_plus
Vendors:  Cisco
Cisco Tac_plus TACACS+ Developer Kit Uses Unsafe File Permissions That May Allow Local Users to Modify the Logs, Overwrite Arbitrary Files, and Potentially Execute Arbitrary Code on the System
Date:  Feb 1 2002
Impact:  Execution of arbitrary code via local system, Modification of system information
Exploit Included:  Yes  
Version(s): F4.0.4.alpha
Description:  A vulnerability was reported in Cisco's unsupported tac_plus TACACS+ developers kit. A local user can modify the log files and may be able to cause arbitrary files to be overwritten on the system.

It is reported that tac_plus uses unsafe file permissions (666, or global read and write permissions) when creating accounting files. A local user can modify the contents of the log file.

In a separate message, ellipse noted the following offending sections of the do_acct.c source code file:

At line 71:

if (!acctfd) {
    /* mode 0666: the accounting file is created world-readable and world-writable */
    acctfd = open(session.acctfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
    if (acctfd < 0) {
        report(LOG_ERR, "Can't open acct file %s -- %s",
               session.acctfile, sys_errlist[errno]);
        return(1);
    }
}

At line 162:

/* same 0666 mode for the wtmp-style accounting file */
wtmpfd = open(wtmpfile, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, 0666);
if (wtmpfd < 0) {
    report(LOG_ERR, "Can't open wtmp file %s -- %s",
           wtmpfile, sys_errlist[errno]);
    return(1);
}

ellipse also noted a similar problem in the report.c source code file on line 160:

if (debug) {
    int logfd;

    /* the debug log file is also created with mode 0666 */
    logfd = open(logfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
    if (logfd >= 0) {
        char buf[512];
        time_t t = time(NULL);
        char *ct = ctime(&t);
---snip---

In a separate message, Jarno Huuskonen noted that tac_plus sets the umask to 000 (line 400 in the tac_plus.c source code file) so it also creates the pid file with mode 666, which can then be modified or deleted by any local user.

Jarno Huuskonen also noted that if the log files are written to any globally writable directories (such as /var/tmp or /tmp), then tac_plus may be vulnerable to symlink attacks, as it will follow symlinks when creating the files (a call to fopen() is made without the O_EXCL flag). A local user could create a symbolic link from the log file to another critical file on the system. Then, the tac_plus daemon would overwrite the linked file.

Jarno Huuskonen also reported that if the TAC_PLUS_GROUPID and TAC_PLUS_USERID settings are used, then tac_plus will change uid/gid but will never drop any supplemental groups. This could allow a local user to execute code with supplemental group privileges.
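The following is an added example, not tac_plus code, showing hardened counterparts to the two defects described above: a log-file open that does not depend on the process umask, creates with mode 0600, refuses to follow a symlink at the target path and tightens a file left 0666 by an earlier run; and a uid/gid switch that clears supplementary groups before giving up root. The function names open_log_safely() and drop_privileges() are the example's own.

```c
/* Added example, not tac_plus code: hardened counterparts to the 0666
 * open() calls and to the uid/gid switch that keeps supplementary groups. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open or create an append-only log file with mode 0600 regardless of the
 * process umask, refusing to follow a symlink at the final path component,
 * and checking that the object opened is a regular file owned by us.
 * Returns the fd, or -1 with errno set. */
int open_log_safely(const char *path)
{
    mode_t old = umask(077);            /* do not depend on the caller's umask */
    int fd = open(path, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW, 0600);
    umask(old);
    if (fd < 0)
        return -1;                      /* e.g. ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* A file left 0666 by an earlier run is tightened via the fd, so a
     * concurrent rename cannot redirect the chmod to another path. */
    if ((st.st_mode & 0777) != 0600 && fchmod(fd, 0600) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Switch to the configured uid/gid. Supplementary groups are cleared before
 * setgid()/setuid(); afterwards the process no longer has the privilege to
 * do so. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0 && errno != EPERM)   /* EPERM: already unprivileged */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)                 /* the drop must be irreversible */
        return -1;
    return 0;
}
```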

The affected software is available from Cisco without warranty and without support at:

ftp://ftp-eng.cisco.com/pub/tacacs/

Impact:  A local user could modify the contents of the log files. A local user could cause arbitrary files to be overwritten with the privileges of the tac_plus daemon. It may also be possible for a local user to cause the tac_plus daemon to execute arbitrary code with supplemental group privileges.
Solution:  No solution was available at the time of this entry. Note that the product is not a supported product.

The author of the report has provided a workaround: Create the log file and manually set the permission to 600. The tac_plus daemon will reportedly append to the file and will not reset the permissions back to the unsafe 666 setting.

Jarno Huuskonen recommends that users should write logs into a safe directory where local users cannot create symlinks.

It is reported that a modified tac_plus that apparently has fixed the original Cisco bugs and includes additional security functionality is available at:

http://www.gazi.edu.tr/tacacs/index.php

Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "Kevin A. Nassery" <kevin@nassery.org>
Message History:   None.


 Source Message Contents

Date:  Wed, 30 Jan 2002 17:42:03 -0600 (CST)
From:  "Kevin A. Nassery" <kevin@nassery.org>
Subject:  tac_plus version F4.0.4.alpha on at least Solaris 8 sparc

 

Software: tac_plus version F4.0.4.alpha, compiled
	on Solaris 8 sparc.

Abstract:
tac_plus version F4.0.4.alpha, an example Tacacs+ daemon released
(but not supported) by Cisco isn't careful with its permissions when
creating accounting files.

Vulnerability:
Any file defined with an accounting directive, in a tac_plus
config file, is created with file permissions set at 666,
allowing any system account to modify its contents.

When appending to the file, if it's not there initially, it is created.
When it is created it is done so with file permissions set at 666.
A simple workaround is to create a file, at the path set in the
config file, and manually set the permission to 600.  The tac_plus
daemon will continue to append to the file, without setting the
permissions back to 666.  I just wanted to make sure this was out there
for people who are rotating logs, and just letting the daemon create
new files.

Kevin Nassery
Network & Security Engineer
http://nassery.org

Copyright 2002, SecurityGlobal.net LLC