
tac_plus multiple vulnerabilities leads to local root exploit
1st Feb 2002 [SBWID-5053]

	tac_plus multiple vulnerabilities leads to local root exploit


	version F4.0.4.alpha


	Kevin Nassery [] :

	Any file defined with an accounting directive in a tac_plus config file
	is created with file permissions set at 666, allowing any system account
	to modify its contents.

	Jarno Huuskonen added :

	tac_plus sets umask to 000 (tac_plus.c:L400) so it creates the pid file
	with mode 666 as well (so don't blindly kill `cat /etc/`).
	If you write the logs/accounting files in /var/tmp or /tmp (or in any
	other dir where users can create symlinks) then tac_plus will follow
	symlinks when creating the files (fopen / open w/out O_EXCL). So write
	logs into a safe directory where users can't play tricks with symlinks.
	Also if you use TAC_PLUS_GROUPID and TAC_PLUS_USERID then tac_plus will
	change uid/gid but never drops any supplemental groups.

	On the code itself, ellipse [] says:

	The problem is in the creation of files in the do_acct.c source file.
	First, at line 71:

	if (!acctfd) {
	   /* created with mode 0666 and no O_NOFOLLOW/O_EXCL: world-writable, follows symlinks */
	   acctfd = open(session.acctfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
	   if (acctfd < 0) {
	      report(LOG_ERR, "Can't open acct file %s -- %s",
	         session.acctfile, sys_errlist[errno]);





	and later at line 162:

	/* same pattern for the wtmp file */
	wtmpfd = open(wtmpfile, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, 0666);
	if (wtmpfd < 0) {
	   report(LOG_ERR, "Can't open wtmp file %s -- %s",
	     wtmpfile, sys_errlist[errno]);




	Additionally, it appears a similar problem presents itself in report.c
	on line 160:

	if (debug) {
	   int logfd;

	   /* debug log opened the same way: mode 0666, symlinks followed */
	   logfd = open(logfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
	   if (logfd >= 0) {
	      char buf[512];
	      time_t t = time(NULL);
	      char *ct = ctime(&t);


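	The three defects Jarno Huuskonen and ellipse describe above (a 000 umask
	with 0666 creation modes, open() without O_NOFOLLOW/O_EXCL so a symlink at
	the log path is honoured, and a uid/gid change that leaves supplementary
	groups in place) are all addressed in the following added example. It is
	not tac_plus code and not from the advisory authors; the function names
	safe_open_log, drop_privileges and demo_hardened_open, the 0640 policy and
	the /tmp scratch directory are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open (or create) an accounting/log file for appending without following a
 * symlink at the final path component and without relying on the process
 * umask for the permission bits.  Returns an fd, or -1 with errno set.
 * Hypothetical helper, not part of tac_plus. */
int safe_open_log(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink at the last component (ELOOP on Linux).
     * O_CLOEXEC: don't leak the fd into children.  Mode 0640, not 0666. */
    int fd = open(path, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;
    /* O_NOFOLLOW does not protect against a pre-existing FIFO/device or a
     * file someone else owns at that path, so check what we actually got. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    /* A file left behind at 0666 by the old behaviour is tightened here. */
    if ((st.st_mode & 07777) != 0640 && fchmod(fd, 0640) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop from root to user/uid/gid including the supplementary group list.
 * Order matters: groups, then gid, then uid; after setuid() the process can
 * no longer change the others.  Returns 0 on success, -1 on failure.
 * Requires root; hypothetical helper, not part of tac_plus. */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    /* initgroups() replaces the supplementary groups with the target
     * user's; setgroups(0, NULL) would clear them entirely. */
    if (initgroups(user, gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;
    return 0;
}

/* Self-check: in a constructed scratch directory, create a 0666 file as the
 * old code would, confirm safe_open_log() tightens it to 0640, then plant a
 * symlink at a log path and confirm safe_open_log() refuses it.
 * Returns 1 when both hold, 0 otherwise. */
int demo_hardened_open(void)
{
    char dir[] = "/tmp/tacplus_example_XXXXXX";   /* constructed path */
    char target[256], link[256];
    struct stat st;
    mode_t old_umask;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/acct.log", dir);
    snprintf(link, sizeof link, "%s/planted_link", dir);

    old_umask = umask(0);                      /* mimic umask 000 */
    fd = open(target, O_CREAT | O_WRONLY, 0666);
    umask(old_umask);
    if (fd < 0)
        goto out;
    close(fd);

    fd = safe_open_log(target);
    if (fd >= 0) {
        ok = (fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0640);
        close(fd);
    }
    if (ok) {
        ok = 0;
        if (symlink(target, link) == 0) {
            fd = safe_open_log(link);
            if (fd < 0 && (errno == ELOOP || errno == EMLINK))
                ok = 1;           /* symlink refused, as intended */
            else if (fd >= 0)
                close(fd);
        }
    }
out:
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}
```

	The directory check is deliberately separate: even with O_NOFOLLOW, a log
	path inside /tmp or /var/tmp can still be raced through a symlinked
	parent directory, so the open() hardening complements, rather than
	replaces, Jarno's advice to keep the files in a directory only the
	daemon's account can write to.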
	There's a modified tac_plus available from: 


	This version seems to have fixed the original Cisco bugs and adds more
	useful functionality like tcp_wrappers, LDAP, MySQL, PAM etc.
