[15180] in bugtraq
Re: An Analysis of the TACACS+ Protocol and its Implementations
daemon@ATHENA.MIT.EDU (Dylan)
Sat Jun 3 20:50:16 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.4.21.0006021803190.23650-100000@deity.loa.com>
Date: Fri, 2 Jun 2000 18:13:01 -0400
Reply-To: Dylan <db70@LOA.COM>
From: Dylan <db70@LOA.COM>
X-To: Eccentric <ecentric@BELLSOUTH.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <NDBBJOHPKMBKGIODLGKOIEBGCDAA.ecentric@bellsouth.net>
Hello there..
Also, note what happens when you change an enable (or any other, for
that matter) password:
Sat Apr 22 09:01:03 2000 x.x.x.x xxxxxxx tty1
x.x.x.x stop task_id=131 start_time=956171839
timezone=UTC service=shell priv-lvl=0 cmd=password <cleartext>
<cr>
The log entry is sent & stored in cleartext. The best suggestion I've
heard is to disable aaa before changing passwords and then turn
it back on when you're done.
..dylan
.+'''+.
D B 7 0 @loa.com
`+.,.+' dylan
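The accounting record above shows why the log itself becomes a credential store: the whole command line, password argument included, lands in the `cmd=` attribute. A defender who cannot turn off accounting around every password change can at least find and scrub those records. The following script is an added example written for this note; it is not code from the original posts and not part of any Cisco or tac_plus software. It assumes tac_plus-style accounting lines (date, NAS address, user, port, remote address, flags, then `attr=value` pairs ending in `cmd=... <cr>`), and the list of credential-carrying IOS command forms it matches (`enable secret`, `username ... password`, `tacacs-server key` and so on) is an assumption that goes beyond the single `cmd=password` case in the post. The sample log is constructed, except for the first line which is the record quoted above.

```python
import re

# Command forms whose trailing argument is a credential.  This list is an
# assumption (common Cisco IOS forms); the post above only shows 'password'.
# Group 1 is the part that is safe to keep, the rest of the line is the secret.
SENSITIVE_COMMANDS = [
    re.compile(r"^(enable\s+(?:password|secret)(?:\s+\d)?)\s+(\S.*)$"),
    re.compile(r"^(username\s+\S+\s+(?:password|secret)(?:\s+\d)?)\s+(\S.*)$"),
    re.compile(r"^(password(?:\s+\d)?)\s+(\S.*)$"),
    re.compile(r"^(tacacs-server\s+key(?:\s+\d)?)\s+(\S.*)$"),
    re.compile(r"^(radius-server\s+key(?:\s+\d)?)\s+(\S.*)$"),
    re.compile(r"^(snmp-server\s+community)\s+(\S.*)$"),
]

REDACTED = "<REDACTED>"
CR = "<cr>"

# Constructed sample accounting log.  Line 1 is the record quoted in the post;
# the remaining lines are made up and use documentation addresses (192.0.2.x).
SAMPLE_LOG = """\
Sat Apr 22 09:01:03 2000 x.x.x.x xxxxxxx tty1 x.x.x.x stop task_id=131 start_time=956171839 timezone=UTC service=shell priv-lvl=0 cmd=password <cleartext> <cr>
Sat Apr 22 09:01:10 2000 192.0.2.10 admin tty1 192.0.2.50 stop task_id=132 start_time=956171846 timezone=UTC service=shell priv-lvl=15 cmd=show running-config <cr>
Sat Apr 22 09:02:41 2000 192.0.2.10 admin tty1 192.0.2.50 stop task_id=133 start_time=956171937 timezone=UTC service=shell priv-lvl=15 cmd=username ops secret 0 NotARealSecret <cr>
Sat Apr 22 09:03:05 2000 192.0.2.10 admin tty1 192.0.2.50 stop task_id=134 start_time=956171961 timezone=UTC service=shell priv-lvl=15 cmd=enable secret AlsoNotReal <cr>
""".splitlines()


def split_command(record):
    """Split one accounting record into (head, command, trailer).

    head    - everything up to and including 'cmd='
    command - the command text without the trailing '<cr>' marker
    trailer - ' <cr>' if the record had the marker, else ''
    Returns None for records that carry no cmd= attribute.
    """
    m = re.search(r"\bcmd=", record)
    if m is None:
        return None
    head = record[:m.end()]
    rest = record[m.end():].strip()
    trailer = ""
    if rest.endswith(CR):
        rest = rest[:-len(CR)].rstrip()
        trailer = " " + CR
    return head, rest, trailer


def classify_command(command):
    """Return the safe prefix (e.g. 'enable secret') if the command carries a
    credential, otherwise None."""
    for pattern in SENSITIVE_COMMANDS:
        m = pattern.match(command)
        if m:
            return m.group(1)
    return None


def redact_record(record):
    """Return (record, True) with the secret argument replaced, or
    (record, False) when the record is not a credential-carrying command."""
    parts = split_command(record)
    if parts is None:
        return record, False
    head, command, trailer = parts
    prefix = classify_command(command)
    if prefix is None:
        return record, False
    return f"{head}{prefix} {REDACTED}{trailer}", True


def scan_log(lines):
    """Detection pass: report every record whose command carried a credential,
    with the task id and privilege level from the record's attributes."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = split_command(line.rstrip("\n"))
        if parts is None:
            continue
        prefix = classify_command(parts[1])
        if prefix is None:
            continue
        attrs = dict(re.findall(r"([\w-]+)=(\S+)", parts[0]))
        findings.append({"line": n, "task_id": attrs.get("task_id"),
                         "priv_lvl": attrs.get("priv-lvl"), "command": prefix})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: task {f['task_id']} priv-lvl {f['priv_lvl']}: {f['command']} ...")
    for line in SAMPLE_LOG:
        print(redact_record(line)[0])
```

Run `scan_log` as a periodic check (or as a filter on the syslog/accounting pipeline) to alert on credential-bearing commands, and `redact_record` before the log is written to long-term storage or shipped anywhere with looser permissions; the prefix is kept so the audit trail still shows that a password was changed, by whom and at what privilege level, without keeping the value.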
On Thu, 1 Jun 2000, Eccentric wrote:
> A simple but potentially devastating situation I have found while using the
> Cisco Secure ACS software and Cisco's TACACS+ (or RADIUS) implementation is
> in the AAA log files. The log files are stored on the ACS server in plain
> text. The log files contain session information including failed attempts.
> The TACACS ACS authentication server will record plain text usernames and
> encrypted passwords in the log files. The problem is during connection
> latency, occasionally, the username does not get recorded and in its place
> is the password in plain text. The Dial out client is also essentially a
> telnet session and we know that it is sniffer vulnerable. There is a latency
> authentication error problem I contacted Cisco about concerning the Dial out
> client for NT a year ago. The only way to protect the stored log files is
> with proper file permissions. If read permissions are available then you are
> compromised. If you have a promiscuous sniffing user then the telnet
> sessions to the router are goners as well. Your intruder only has to wait
> for an ACS TACACS+ (or RADIUS) administrator to get enabled or just the
> average user account to get a free ride.
>
> This is an inside threat unless your intruder is sniffing the gateway.
>
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Juan
> M. Courcoul
> Sent: Thursday, June 01, 2000 10:41 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: An Analysis of the TACACS+ Protocol and its Implementations
>
>
> On Tue, 30 May 2000, Solar Designer wrote:
>
> > OW-001-tac_plus, revision 1
> > May 30, 2000
> >
> > An Analysis of the TACACS+ Protocol and its Implementations
> > -----------------------------------------------------------
> ...
>
> First off, many thanks to Solar Designer for this insightful TACACS+
> analysis.
>
> For those of us who have opted to use RADIUS instead of TACACS, is there
> an equivalent vulnerability analysis available somewhere ?
>
> Thanks,
>
> J. Courcoul courcoul@campus.qro.itesm.mx
> Servicios Computacionales Directo (4) 238-3181
> ITESM Campus Queretaro Secretaria (4) 238-3175
> Queretaro, Qro. Mexico Sky (800) 723-4500 PIN 5597110
>