Re: tac_plus version F4.0.4.alpha on at least Solaris 8 sparc

From: ellipse (ellipticat_private)
Date: Thu Jan 31 2002 - 09:53:57 PST


    > Abstract:
    > tac_plus version F4.0.4.alpha, an example Tacacs+ daemon released
    > (but not supported) by Cisco, isn't careful with its permissions when
    > creating accounting files.
    > 
    > Vulnerability:
    > Any file defined with an accounting directive in a tac_plus
    > config file is created with file permissions set at 666,
    > 
    > allowing any system account to modify its contents.
    > 
    > When appending to the file, if it's not there initially, it is created.
    > When it is created it is done so with file permissions set at 666.
    > A simple workaround is to create a file at the path set in the
    > config file and manually set the permissions to 600.  The tac_plus
    > daemon will continue to append to the file without setting the
    > permissions back to 666.  I just wanted to make sure this was out there
    > for people who are rotating logs and just letting the daemon create
    > new files.
    
    This affects essentially any platform this program is run on; it is not 
    specific to Solaris on a Sparc.
    
    The problem is in the creation of files in the do_acct.c source file.  
    First, at line 71:
    
    if (!acctfd) {
       /* mode 0666 on O_CREAT: a newly created file is world-writable
          unless the daemon's umask happens to mask the bits */
       acctfd = open(session.acctfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
       if (acctfd < 0) {
          report(LOG_ERR, "Can't open acct file %s -- %s",
             session.acctfile, sys_errlist[errno]);  
          return(1);
       }
    }
    
    and later at line 162:
    
    /* same 0666 creation mode for the wtmp-style accounting file */
    wtmpfd = open(wtmpfile, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, 0666);
    if (wtmpfd < 0) {
       report(LOG_ERR, "Can't open wtmp file %s -- %s",
         wtmpfile, sys_errlist[errno]);
       return(1);
    }
    
    Additionally, it appears a similar problem presents itself in report.c on 
    line 160:
    
    if (debug) {
       int logfd;
    
       /* debug log created with the same 0666 mode */
       logfd = open(logfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
       if (logfd >= 0) {
          char buf[512];
          time_t t = time(NULL);
          char *ct = ctime(&t);
       ---snip---
    
    This was just a quick glance, but I'm sure it's exploitable in some way.
    
    Cheers,
    ellipse
    
    ---
    That's the whole trouble.  You can't ever find a place that's nice and
    peaceful, because there isn't any.  You may think there is, but once you
    get there, when you're not looking, somebody'll sneak up and write "Fuck
    you" right under your nose.  Try it sometime.  I think, even, if I ever
    die, and they stick me in a cemetery, and I have a tombstone and all,
    it'll say "Holden Caulfield" on it, and then what year I was born and what
    year I died, and then right under that it'll say "Fuck you."  I'm
    positive, in fact.
            -- The Catcher in the Rye
    
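The following C program is an added example; it is not tac_plus code and not part of the post above. It reproduces the open() call from do_acct.c (O_CREAT with mode 0666), the pre-create-with-0600 workaround from the advisory, and a hardened open() with mode 0600, and reports the permission bits each leaves on a freshly created accounting file. The scratch directory under $TMPDIR, the file name "acct" and all helper names are assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not tac_plus code.  Scratch location is an assumption:
   "$TMPDIR/tacacct.<pid>" (or /tmp), created on first use. */
static char g_scratch[1024];

static const char *scratch_dir(void)
{
    if (g_scratch[0] == '\0') {
        const char *tmp = getenv("TMPDIR");
        if (tmp == NULL || *tmp == '\0')
            tmp = "/tmp";
        snprintf(g_scratch, sizeof g_scratch, "%s/tacacct.%ld", tmp, (long)getpid());
        if (mkdir(g_scratch, 0700) < 0) {
            g_scratch[0] = '\0';
            return NULL;
        }
    }
    return g_scratch;
}

/* Remove the scratch directory; 0 on success, -1 on failure. */
static int cleanup_scratch(void)
{
    if (g_scratch[0] == '\0')
        return 0;
    int rc = rmdir(g_scratch);
    g_scratch[0] = '\0';
    return rc;
}

/* The call as it appears in do_acct.c: mode 0666 on O_CREAT. */
static int open_acct_tacplus_style(const char *path)
{
    return open(path, O_CREAT | O_WRONLY | O_APPEND, 0666);
}

/* Hardened form: a freshly created file is never group- or world-writable,
   whatever umask the daemon inherited from its startup script. */
static int open_acct_hardened(const char *path)
{
    return open(path, O_CREAT | O_WRONLY | O_APPEND, 0600);
}

/* Permission bits (0..0777) of an open descriptor, or -1 on error. */
static int fd_mode(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* The check the advisory implies: is the "other" write bit set? */
static int is_world_writable(int mode)
{
    return mode >= 0 && (mode & S_IWOTH) != 0;
}

/* Build "<scratch>/acct" into buf; -1 if the scratch dir is unavailable. */
static int acct_path(char *buf, size_t len)
{
    const char *dir = scratch_dir();
    if (dir == NULL)
        return -1;
    snprintf(buf, len, "%s/acct", dir);
    return 0;
}

/* Open the file through `opener` while the process umask is `mask`,
   return the resulting mode, then remove the file again. */
static int mode_after(int (*opener)(const char *), const char *path, mode_t mask)
{
    mode_t saved = umask(mask);
    int fd = opener(path);
    umask(saved);
    if (fd < 0)
        return -1;
    int mode = fd_mode(fd);
    close(fd);
    unlink(path);
    return mode;
}

/* Fresh file created by the daemon's own open(): 0666 & ~umask. */
static int mode_when_daemon_creates(mode_t mask)
{
    char path[1100];
    if (acct_path(path, sizeof path) < 0)
        return -1;
    return mode_after(open_acct_tacplus_style, path, mask);
}

/* Advisory workaround: the administrator pre-creates the file as 0600.
   O_CREAT's mode applies only when the file is created, so the daemon's
   later open() appends without touching the permissions. */
static int mode_when_precreated_0600(mode_t mask)
{
    char path[1100];
    if (acct_path(path, sizeof path) < 0)
        return -1;
    mode_t saved = umask(0);
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    umask(saved);
    if (fd < 0)
        return -1;
    close(fd);
    return mode_after(open_acct_tacplus_style, path, mask);
}

/* Fixed daemon: create the file with 0600 in the first place. */
static int mode_when_hardened_creates(mode_t mask)
{
    char path[1100];
    if (acct_path(path, sizeof path) < 0)
        return -1;
    return mode_after(open_acct_hardened, path, mask);
}

int main(void)
{
    printf("daemon creates, umask 000:   %04o\n", mode_when_daemon_creates(0));
    printf("daemon creates, umask 022:   %04o\n", mode_when_daemon_creates(022));
    printf("pre-created 0600, umask 000: %04o\n", mode_when_precreated_0600(0));
    printf("hardened open, umask 000:    %04o\n", mode_when_hardened_creates(0));
    return cleanup_scratch();
}
```

The umask cases matter for the rotation scenario in the advisory: a daemon started from an init script with umask 000 leaves the new file 0666, while a umask of 022 only narrows it to 0644 (still readable by every local account, though no longer writable). Pre-creating the file keeps it at 0600 whatever the umask, and so does passing 0600 to open() in the daemon itself.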



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 11:42:31 PST