Bugtraq mailing list archives

Re: An Analysis of the TACACS+ Protocol and its Implementations


From: ecentric () BELLSOUTH NET (Eccentric)
Date: Thu, 1 Jun 2000 20:58:30 -0400


A simple but potentially devastating situation I have found while using the
Cisco Secure ACS software and Cisco's TACACS+ (or RADIUS) implementation is
in the AAA log files. The log files are stored on the ACS server in plain
text. The log files contain session information including failed attempts.
The TACACS ACS authentication server will record plain text usernames and
encrypted passwords in the log files. The problem is that during connection
latency, occasionally, the username does not get recorded and in its place
is the password in plain text. The Dial out client is also essentially a
telnet session and we know that it is sniffer vulnerable. There is a latency
authentication error problem I contacted Cisco about concerning the Dial out
client for NT a year ago. The only way to protect the stored log files is
with proper file permissions. If read permissions are available then you are
compromised. If you have a promiscuous sniffing user then the telnet
sessions to the router are goners as well. Your intruder only has to wait
for an ACS TACACS+ (or RADIUS) administrator to get enabled or just the
average user account to get a free ride.

This is an inside threat unless your intruder is sniffing the gateway.

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Juan
M. Courcoul
Sent: Thursday, June 01, 2000 10:41 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: An Analysis of the TACACS+ Protocol and its Implementations

On Tue, 30 May 2000, Solar Designer wrote:

OW-001-tac_plus, revision 1
May 30, 2000

 An Analysis of the TACACS+ Protocol and its Implementations
 -----------------------------------------------------------
...

First off, many thanks to Solar Designer for this insightful TACACS+
analysis.

For those of us who have opted to use RADIUS instead of TACACS, is there
an equivalent vulnerability analysis available somewhere?

Thanks,

J. Courcoul                               courcoul () campus qro itesm mx
Servicios Computacionales                 Directo    (4) 238-3181
ITESM Campus Queretaro                    Secretaria (4) 238-3175
Queretaro, Qro. Mexico                    Sky (800) 723-4500 PIN 5597110
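
The log problem described in the reply above (a password ending up in the username column of the plain-text AAA log) can be checked for before a log is archived or shared. The following is an added example, not part of the original posts and not Cisco code; the CSV column layout, the sample records and the account list are constructed assumptions, not the real ACS log format.

```python
import csv
import io

# Constructed sample of a failed-attempts log. The column layout is an
# assumption for illustration, not the real Cisco Secure ACS format.
SAMPLE_LOG = """\
date,time,username,caller_id,result
06/01/2000,09:14:02,jsmith,10.0.0.21,Authen failed
06/01/2000,09:14:40,Tr0ub4dor&3,10.0.0.21,Authen failed
06/01/2000,09:15:03,jsmith,10.0.0.21,Authen OK
06/01/2000,09:20:11,netadmin,10.0.0.30,Authen OK
06/01/2000,09:31:57,JSmith,10.0.0.21,Authen failed
"""

KNOWN_ACCOUNTS = {"jsmith", "netadmin"}  # constructed account list


def scrub_log(text, known_accounts, marker="<REDACTED>"):
    """Return (scrubbed_csv_text, flagged_line_numbers).

    Any record whose username field is not a known account (compared
    case-insensitively) is treated as a possible password that landed in
    the username column, and the field is replaced with `marker`.
    """
    known = {name.lower() for name in known_accounts}
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            lineterminator="\n")
    writer.writeheader()
    flagged = []
    for row in reader:
        if row["username"].strip().lower() not in known:
            flagged.append(reader.line_num)  # line number in the input
            row["username"] = marker
        writer.writerow(row)
    return out.getvalue(), flagged


if __name__ == "__main__":
    scrubbed, flagged = scrub_log(SAMPLE_LOG, KNOWN_ACCOUNTS)
    print(scrubbed, end="")
    print("lines to review for a password reset:", flagged)
```

A mistyped username is flagged the same way as a leaked password, so the flagged line numbers are a review list for the log owner rather than proof of exposure.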

