COMMAND

    tac_plus multiple vulnerabilities lead to local root exploit

SYSTEMS AFFECTED

    version F4.0.4.alpha

PROBLEM

    Kevin Nassery [http://nassery.org] :

    Any file defined with an accounting directive in a tac_plus config file
    is created with file permissions set at 666, allowing any system account
    to modify its contents.

    Jarno Huuskonen added :

    tac_plus sets umask to 000 (tac_plus.c:L400) so it creates the pid file
    with mode 666 as well (so don't blindly kill `cat /etc/tac_plus.pid`).

    If you write the logs/accounting files in /var/tmp or /tmp (or in any
    other dir where users can create symlinks) then tac_plus will follow
    symlinks when creating the files (fopen / open w/out O_EXCL). So write
    logs into a safe directory where users can't play tricks with symlinks.

    Also if you use TAC_PLUS_GROUPID and TAC_PLUS_USERID then tac_plus will
    change uid/gid but never drops any supplemental groups.

    On the code itself ellipse [http://cipherpunks.com] says :

    The problem is in the creation of files in the do_acct.c source file.
    First, at line 71:

        if (!acctfd) {
            acctfd = open(session.acctfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
            if (acctfd < 0) {
                report(LOG_ERR, "Can't open acct file %s -- %s",
                       session.acctfile, sys_errlist[errno]);
                return(1);
            }
        }

    and later at line 162:

        wtmpfd = open(wtmpfile, O_CREAT | O_WRONLY | O_APPEND | O_SYNC, 0666);
        if (wtmpfd < 0) {
            report(LOG_ERR, "Can't open wtmp file %s -- %s",
                   wtmpfile, sys_errlist[errno]);
            return(1);
        }

    Additionally, it appears a similar problem presents itself in report.c
    on line 160:

        if (debug) {
            int logfd;

            logfd = open(logfile, O_CREAT | O_WRONLY | O_APPEND, 0666);
            if (logfd >= 0) {
                char buf[512];
                time_t t = time(NULL);
                char *ct = ctime(&t);

SOLUTION

    There's a modified tac_plus available from:

        http://www.gazi.edu.tr/tacacs/index.php

    This version seems to have fixed the original Cisco bugs and adds more
    useful functionality like tcp_wrappers, ldap, mysql, pam etc.
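As an added illustration (not code from the advisory or from tac_plus), the weak open() pattern quoted above is shown next to a hardened form: owner-only mode instead of 0666, O_NOFOLLOW so a symlink planted in the log directory is refused, an fstat check that the result is a regular file, and a privilege drop that clears supplementary groups before changing gid/uid. The function names are assumptions.

```c
#define _GNU_SOURCE            /* for O_NOFOLLOW, setgroups, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern from do_acct.c: mode 0666 and any symlink is followed. */
int open_acct_weak(const char *path)
{
    return open(path, O_CREAT | O_WRONLY | O_APPEND, 0666);
}

/* Hardened form (assumed name): owner-only mode, refuse a symlink at the
 * final path component, and confirm the result is a regular file.
 * Returns the fd, or -1 with errno set (ELOOP when path is a symlink). */
int open_acct_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_CREAT | O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC,
                  0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);                  /* e.g. a FIFO planted at that path */
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Drop root the way TAC_PLUS_USERID/TAC_PLUS_GROUPID should: supplementary
 * groups first (the step tac_plus skipped), then gid, then uid, then verify
 * the drop is permanent. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && seteuid(0) == 0)
        return -1;                  /* root could still be regained */
    return 0;
}
```

A daemon using this would also call umask(077) at startup rather than the umask(0) noted in tac_plus.c, so the pid file and anything else it creates stays private to the service account.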