[UNIX] Tac_plus File Permissions Security Vulnerability

From: support@securiteam.com
Date: 02/05/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue,  5 Feb 2002 18:27:08 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Tac_plus File Permissions Security Vulnerability
------------------------------------------------------------------------

SUMMARY

Tac_plus, an example TACACS+ daemon released (but not supported) by Cisco,
isn't careful with its permissions when creating accounting files. This
would allow a local attacker to damage the local operating system by
overwriting files, killing arbitrary processes, etc.

DETAILS

Vulnerable systems:
Tac_plus version F4.0.4.alpha (Cisco's original release)

Immune systems:
Tac_plus version F4.0.9.alpha

Any file defined with an accounting directive in Tac_plus's configuration
file is created with file permissions set to 666. This allows any system
account to modify the file's contents.

If the file does not exist when the daemon goes to append to it, it is
created, and it is created with file permissions set to 666. If the file
already exists, the Tac_plus daemon simply appends to it without resetting
its permissions to 666.

The mode is 666 because Tac_plus sets its umask to 000 (tac_plus.c:L400); as
a consequence it also creates the PID file with mode 666 (meaning that
neither you nor any script should blindly do a: kill `cat /etc/tac_plus.pid`).

If you write the logs/accounting files in /var/tmp or /tmp (or in any
other directory in which users can create symlinks) then Tac_plus will
follow symlinks when creating the files (fopen/open without O_EXCL).

In addition, if you use TAC_PLUS_GROUPID and TAC_PLUS_USERID then Tac_plus
changes its uid/gid but never drops its supplemental groups.

Solution:
An immune version can be downloaded from:
http://www.gazi.edu.tr/tacacs/index.php

Workaround:
A simple workaround is to create the file beforehand, at the path set in
the configuration file, and manually set its permissions to 600.

Vulnerable code:
The problem is in the creation of files in the do_acct.c source file.
First, at line 71:

if (!acctfd) {
   /* mode 0666 under the daemon's umask of 000: the file is world-writable */
   acctfd = open(session.acctfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
   if (acctfd < 0) {
      report(LOG_ERR, "Can't open acct file %s -- %s",
         session.acctfile, sys_errlist[errno]);
      return(1);
   }
}

And later at line 162:

/* same pattern for the wtmp-style accounting file */
wtmpfd = open(wtmpfile, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, 0666);
if (wtmpfd < 0) {
   report(LOG_ERR, "Can't open wtmp file %s -- %s",
     wtmpfile, sys_errlist[errno]);
   return(1);
}

Additionally, it appears a similar problem presents itself in report.c on
line 160:

if (debug) {
   int logfd;

   logfd = open(logfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
   if (logfd >= 0) {
      char buf[512];
      time_t t = time(NULL);
      char *ct = ctime(&t);
   ---snip---
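As an added example, not part of the original advisory or of the Tac_plus sources: a constructed stand-in for the 0666 open() calls quoted above, placed beside a hardened opener (mode 0600, O_NOFOLLOW against the /tmp symlink case, and an fstat() check on what was actually opened) and a privilege-drop routine that clears supplemental groups before setgid()/setuid(). The function names are hypothetical, and umask(0) is set only to reproduce the daemon's behaviour.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the open() calls quoted from do_acct.c:
 * mode 0666 under the daemon's umask(000) yields a world-writable file. */
int open_acct_file_original(const char *path)
{
    mode_t saved = umask(0);            /* tac_plus.c sets umask to 000 */
    int fd = open(path, O_CREAT | O_WRONLY | O_APPEND, 0666);
    umask(saved);
    return fd;
}

/* Hardened replacement (example code, not from the Tac_plus project):
 * owner-only mode, no following of a symlink at the final component,
 * and an fstat() check that what was opened is a private regular file. */
int open_acct_file_hardened(const char *path)
{
    struct stat st;
    int fd = open(path, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                      /* ELOOP if path is a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || (st.st_mode & 077) != 0) {
        close(fd);                      /* pre-existing file accessible to others */
        return -1;
    }
    return fd;
}

/* Permission bits of a path without following symlinks, or -1 on error. */
int file_mode(const char *path)
{
    struct stat st;
    return lstat(path, &st) < 0 ? -1 : (int)(st.st_mode & 07777);
}

/* Privilege drop that also clears supplemental groups, the step the
 * advisory says the TAC_PLUS_USERID/TAC_PLUS_GROUPID code omits. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;                      /* setgroups() needs root, so do it first */
    return 0;
}
```

The hardened opener also refuses an accounting file that already exists with group/world bits set, so the 600 workaround above is exactly what it expects to find.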

ADDITIONAL INFORMATION

The information has been provided by Kevin A. Nassery <kevin@nassery.org>
and ellipse <elliptic@cipherpunks.com>.
