TACACS+ Denial of Service Vulnerability
BID:1293
Info
TACACS+ Denial of Service Vulnerability
| Bugtraq ID: | 1293 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 30 2000 12:00AM |
| Updated: | May 30 2000 12:00AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list by Solar Designer <[email protected]> on May 30, 2000. |
| Vulnerable: |
Cisco tac_plus 4.0.3 alpha Cisco tac_plus 4.0.2 alpha |
| Not Vulnerable: | |
Discussion
TACACS+ Denial of Service Vulnerability
A small buffer overrun exists in the free, unsupported implementation of the tacacs+ server, distributed by Cisco. This vulnerability, while a buffer overrun, appears to not be exploitable due to its short nature. A related vulnerability exists, whereby an attacker can cause the tac_plus server to malloc a large amount of memory, which can potentially result in a denial of service to the machine as a whole.
While the analysis of the tacacs+ protocol posted to Bugtraq indicated that clients, including IOS, were vulnerable to the above problems, Cisco claims that IOS clients will reject the packets as invalid, and report an error, without any further problems. Attacking the client requires the ability to perform blind TCP sequencing, and as such is difficult to conduct.
The first vulnerability, a buffer overflow, is due to the nature in which the tac_plus server allocates memory for the incoming packet. It will read only up to the length of the header in a primary read, allocate the amount of memory indicated in the header, copy the header into the allocated memory, and then read and copy the remaining buffer in. The buffer overrun is caused by it failing to check for an integer overflow in the length field of the header when added to the header length. This can result in an 11 byte overflow.
The second vulnerability is due to a lack of sanity checking on the length field. An arbitrarily large number can be sent for the body length. The server or client will malloc whatever the length presented is, and as such may allocate an excessive amount of memory, resulting in the denial of service previously mentioned.
A small buffer overrun exists in the free, unsupported implementation of the tacacs+ server, distributed by Cisco. This vulnerability, while a buffer overrun, appears to not be exploitable due to its short nature. A related vulnerability exists, whereby an attacker can cause the tac_plus server to malloc a large amount of memory, which can potentially result in a denial of service to the machine as a whole.
While the analysis of the tacacs+ protocol posted to Bugtraq indicated that clients, including IOS, were vulnerable to the above problems, Cisco claims that IOS clients will reject the packets as invalid, and report an error, without any further problems. Attacking the client requires the ability to perform blind TCP sequencing, and as such is difficult to conduct.
The first vulnerability, a buffer overflow, is due to the nature in which the tac_plus server allocates memory for the incoming packet. It will read only up to the length of the header in a primary read, allocate the amount of memory indicated in the header, copy the header into the allocated memory, and then read and copy the remaining buffer in. The buffer overrun is caused by it failing to check for an integer overflow in the length field of the header when added to the header length. This can result in an 11 byte overflow.
The second vulnerability is due to a lack of sanity checking on the length field. An arbitrarily large number can be sent for the body length. The server or client will malloc whatever the length presented is, and as such may allocate an excessive amount of memory, resulting in the denial of service previously mentioned.
Exploit / POC
TACACS+ Denial of Service Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
TACACS+ Denial of Service Vulnerability
Solution:
From Damir Rajnovic <[email protected]>:
We updated our unsupported version of TACACS+ server so it is no longer vulnerable to oversized T+ packets. You can download the new version, F4.0.4 alpha, if you follow this URL: ftp://ftp-eng.cisco.com/pub/tacacs
A patch was supplied by Solar Designer in his paper analyzing tacacs+ vulnerabilities.
Cisco tac_plus 4.0.3 alpha
Solution:
From Damir Rajnovic <[email protected]>:
We updated our unsupported version of TACACS+ server so it is no longer vulnerable to oversized T+ packets. You can download the new version, F4.0.4 alpha, if you follow this URL: ftp://ftp-eng.cisco.com/pub/tacacs
A patch was supplied by Solar Designer in his paper analyzing tacacs+ vulnerabilities.
Cisco tac_plus 4.0.3 alpha
-
Openwall tac_plus.patch
http://www.securityfocus.com/data/vulnerabilities/patches/tac_plus.pat ch