
tac_plus multiple vulnerabilities lead to local root exploit



1st Feb 2002 [SBWID-5053]
COMMAND

	tac_plus multiple vulnerabilities lead to local root exploit

SYSTEMS AFFECTED

	version F4.0.4.alpha

PROBLEM

	Kevin Nassery [http://nassery.org] :
	

	Any file defined with an accounting directive, in a tac_plus config
	file, is created with file permissions set at 666, allowing any system
	account to modify its contents.
	

	Jarno Huuskonen added :
	

	tac_plus sets umask to 000 (tac_plus.c:L400) so it creates the pid file
	with mode 666 as well (so don't blindly kill `cat /etc/tac_plus.pid`).
	If you write the logs/accounting files in /var/tmp or /tmp (or in any
	other dir where users can create symlinks) then tac_plus will follow
	symlinks when creating the files (fopen / open w/out O_EXCL). So write
	logs into a safe directory where users can't play tricks with
	symlinks. Also if you use TAC_PLUS_GROUPID and TAC_PLUS_USERID then
	tac_plus will change uid/gid but never drops any supplemental groups.
	

	On the code itself ellipse [http://cipherpunks.com] says :
	

	The problem is in the creation of files in the  do_acct.c  source  file.
	First, at line 71:
	

	if (!acctfd) {
	   acctfd = open(session.acctfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
	   if (acctfd < 0) {
	      report(LOG_ERR, "Can't open acct file %s -- %s",
	         session.acctfile, sys_errlist[errno]);
	      return(1);
	   }
	}

	

	and later at line 162:
	

	wtmpfd = open(wtmpfile, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, 0666);
	if (wtmpfd < 0) {
	   report(LOG_ERR, "Can't open wtmp file %s -- %s",
	     wtmpfile, sys_errlist[errno]);
	   return(1);
	}

	

	Additionally, it appears a similar problem presents itself  in  report.c
	on line 160:
	

	if (debug) {
	   int logfd;

	   logfd = open(logfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
	   if (logfd >= 0) {
	      char buf[512];
	      time_t t = time(NULL);
	      char *ct = ctime(&t);

	

	

SOLUTION

	There's a modified tac_plus available from:

	http://www.gazi.edu.tr/tacacs/index.php

	This version seems to have fixed the original Cisco bugs and adds more
	useful functionality like tcp_wrappers, ldap, mysql, pam etc.
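
	Added example, not taken from the advisory or from the tac_plus source: one way to open the accounting, wtmp and debug log files quoted under PROBLEM without the 0666 mode and without following a symlink. The helper name open_log_safely(), the demo() routine and its scratch paths under /tmp are assumptions made for illustration; dropping supplemental groups is not covered here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not tac_plus code: open or create an append-only log.
 * Returns a descriptor, or -1 with errno set. */
int open_log_safely(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the last path component; 0600 replaces
     * the 0666 passed to open() in do_acct.c and report.c. */
    int fd = open(path, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    /* Check the object that was opened, not the path, so there is no race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) /* no FIFO or device */
        || st.st_nlink != 1          /* no hard link planted by another user */
        || st.st_uid != geteuid()    /* must belong to the daemon account */
        || fchmod(fd, 0600) != 0) {  /* tighten a file left behind at 0666 */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demo in a scratch directory, under umask 0 as tac_plus.c sets it.
 * Returns the mode of a newly created log, or -1 if a symlink was accepted. */
int demo(void)
{
    char dir[] = "/tmp/acctdemoXXXXXX", good[64], trap[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(good, sizeof good, "%s/acct.log", dir);
    snprintf(trap, sizeof trap, "%s/trap.log", dir);
    umask(0);
    if (symlink(good, trap) != 0 || open_log_safely(trap) != -1) return -1;
    int fd = open_log_safely(good);
    if (fd < 0 || fstat(fd, &st) != 0) return -1;
    close(fd);
    return st.st_mode & 0777;
}

int main(void) { return demo() == 0600 ? 0 : 1; }
```

	O_NOFOLLOW only guards the final path component, so the log directory itself still has to be one that other users cannot write to, as Jarno Huuskonen advises above.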

