----------------------------
The program tac_plus, an example and unsupported TACACS+ server developed by Cisco, insecurely creates files.

Author: Kevin A. Nassery
Email: kevin@nassery.org

Software: tac_plus version F4.0.4.alpha, compiled on Solaris 8 sparc.

Abstract: tac_plus version F4.0.4.alpha, an example TACACS+ daemon released (but not supported) by Cisco, isn't careful with its permissions when creating accounting files.

Vulnerability: Any file defined with an accounting directive in a tac_plus config file is created with file permissions set to 666, allowing any system account to modify its contents. When appending to the file, if it is not there initially, it is created, and when it is created it is done so with file permissions set to 666.

A simple workaround is to create a file at the path set in the config file and manually set the permissions to 600. The tac_plus daemon will continue to append to the file without setting the permissions back to 666.

I just wanted to make sure this was out there for people who are rotating logs and just letting the daemon create new files.

Kevin Nassery
Network & Security Engineer
http://nassery.org
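The following C program is an added illustration, not tac_plus code: it shows that the mode argument to open() only takes effect when the file is created, which is why a world-writable 0666 log appears when the daemon creates it, why a file pre-created 0600 stays 0600 across later appends, and what the daemon-side fix looks like. The demo path and the umask-0 runtime environment are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it does not exist. */
int perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}
/* Append one record. create_mode is applied only when open() has to create the
 * file; umask is cleared around the call to reproduce the daemon's observed 666
 * result (an assumption about the tac_plus runtime environment). */
static int append_record(const char *path, mode_t create_mode, const char *line) {
    mode_t old = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, create_mode);
    umask(old);
    if (fd < 0) return -1;
    int ok = write(fd, line, strlen(line)) == (ssize_t)strlen(line);
    close(fd);
    return ok ? 0 : -1;
}
/* Vulnerable pattern: a missing file is created 0666, so any local account can edit it. */
int daemon_creates_file(const char *path) {
    unlink(path);
    return append_record(path, 0666, "acct record\n") == 0 ? perm_bits(path) : -1;
}
/* Advisory workaround: pre-create the file 0600; later 0666 appends leave it 0600. */
int precreated_then_appended(const char *path) {
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return append_record(path, 0666, "acct record\n") == 0 ? perm_bits(path) : -1;
}
/* Daemon-side fix: request 0600 at creation time instead of 0666. */
int fixed_daemon_creates_file(const char *path) {
    unlink(path);
    return append_record(path, 0600, "acct record\n") == 0 ? perm_bits(path) : -1;
}

int main(void) {
    const char *p = "/tmp/tac_plus_acct_demo";  /* constructed demo path */
    printf("daemon 0666 -> %04o\n", daemon_creates_file(p));
    printf("pre-created  -> %04o\n", precreated_then_appended(p));
    printf("fixed daemon -> %04o\n", fixed_daemon_creates_file(p));
    return unlink(p) == 0 ? 0 : 1;
}
```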