Bugtraq mailing list archives
Re: An Analysis of the TACACS+ Protocol and its Implementations
From: ecentric () BELLSOUTH NET (Eccentric)
Date: Thu, 1 Jun 2000 20:58:30 -0400
A simple but potentially devastating situation I have found while using the Cisco Secure ACS software and Cisco's TACACS+ (or RADIUS) implementation is in the AAA log files. The log files are stored on the ACS server in plain text. The log files contain session information including failed attempts. The TACACS ACS authentication server will record plain text usernames and encrypted passwords in the log files. The problem is during connection latency, occasionally, the username does not get recorded and in its place is the password in plain text.

The Dial out client is also essentially a telnet session and we know that it is sniffer vulnerable. There is a latency authentication error problem I contacted Cisco about concerning the Dial out client for NT a year ago.

The only way to protect the stored log files is with proper file permissions. If read permissions are available then you are compromised. If you have a promiscuous sniffing user then the telnet sessions to the router are a goner as well. Your intruder only has to wait for an ACS TACACS+ (or RADIUS) administrator to get enabled or just the average user account to get a free ride. This is an inside threat unless your intruder is sniffing the gateway.

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Juan M. Courcoul
Sent: Thursday, June 01, 2000 10:41 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: An Analysis of the TACACS+ Protocol and its Implementations

On Tue, 30 May 2000, Solar Designer wrote:
OW-001-tac_plus, revision 1
May 30, 2000

An Analysis of the TACACS+ Protocol and its Implementations
-----------------------------------------------------------

...

First off, many thanks to Solar Designer for this insightful TACACS+ analysis.

For those of us who have opted to use RADIUS instead of TACACS, is there an equivalent vulnerability analysis available somewhere?

Thanks,

J. Courcoul
courcoul () campus qro itesm mx

Servicios Computacionales    Directo (4) 238-3181
ITESM Campus Queretaro       Secretaria (4) 238-3175
Queretaro, Qro. Mexico       Sky (800) 723-4500 PIN 5597110
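The failure mode reported above (a password landing in the username column of a plain-text failed-attempts log) can be contained by scrubbing that column before the log is stored or shared. The following is an added example, not part of the original posts and not Cisco's code; the CSV layout, the account list and the function name `scrub_failed_attempts` are assumptions made for illustration.

```python
import csv
import io

# Constructed sample. The column layout is an assumption for illustration,
# not the real Cisco Secure ACS failed-attempts format.
SAMPLE_LOG = """\
date,time,username,caller_id,failure_reason
06/01/2000,09:14:02,jsmith,10.0.0.21,bad password
06/01/2000,09:14:31,Tr0ub4dor&3,10.0.0.21,unknown user
06/01/2000,09:15:07,JSmith,10.0.0.21,bad password
06/01/2000,09:20:44,,10.0.0.37,unknown user
"""

REDACTED = "<REDACTED>"


def scrub_failed_attempts(log_text, known_users, user_col="username"):
    """Return (scrubbed_csv_text, flagged_source_line_numbers).

    A username value that matches no known account is treated as a possible
    password and replaced, so the stored log never keeps it in clear text.
    A mistyped username is redacted too; that is the safe direction to err.
    The flagged value itself is never returned or printed.
    """
    known = {u.lower() for u in known_users}
    reader = csv.reader(io.StringIO(log_text))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    header = next(reader)
    idx = header.index(user_col)
    writer.writerow(header)
    flagged = []
    for row in reader:
        if len(row) > idx:  # short or blank rows pass through unchanged
            value = row[idx].strip()
            if value and value.lower() not in known:
                row[idx] = REDACTED
                flagged.append(reader.line_num)
        writer.writerow(row)
    return out.getvalue(), flagged


if __name__ == "__main__":
    scrubbed, flagged = scrub_failed_attempts(SAMPLE_LOG, {"jsmith", "admin"})
    print(scrubbed, end="")
    print("source lines to review:", flagged)
```

Scrubbing complements the file permissions the post calls for: it limits what a reader of the log can learn, while the permissions limit who can read it.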