Subject: Re: An Analysis of the TACACS+ Protocol and its Implementations
From: Dylan (db70LOA.COM)
Date: Fri Jun 02 2000 - 17:13:01 CDT


Hello there..

 Also, note what happens when you change an enable (or any other, for
that matter) password:

Sat Apr 22 09:01:03 2000 x.x.x.x xxxxxxx tty1
x.x.x.x stop task_id=131 start_time=956171839
timezone=UTC service=shell priv-lvl=0 cmd=password <cleartext>
<cr>

 The log entry is sent & stored in cleartext. The best suggestion I've
heard is to disable aaa before changing passwords and then turn
it back on when you're done.

..dylan

.+'''+.
D B 7 0 loa.com
`+.,.+' dylan

On Thu, 1 Jun 2000, Eccentric wrote:

> A simple but potentially devastating situation I have found while using the
> Cisco Secure ACS software and Cisco's TACACS+ (or RADIUS) implementation is
> in the AAA log files. The log files are stored on the ACS server in plain
> text. The log files contain session information including failed attempts.
> The TACACS ACS authentication server will record plain text usernames and
> encrypted passwords in the log files. The problem is during connection
> latency, occasionally, the username does not get recorded and in its place
> is the password in plain text. The Dial out client is also essentially a
> telnet session and we know that it is sniffer vulnerable. There is a latency
> authentication error problem I contacted Cisco about concerning the Dial out
> client for NT a year ago. The only way to protect the stored log files is
> with proper file permissions. If read permissions are available then you are
> compromised. If you have a promiscuous sniffing user then the telnet
> sessions to the router is a goner as well. Your intruder only has to wait
> for an ACS TACACS+ (or RADIUS) administrator to get enabled or just the
> average user account to get a free ride.
>
> This is an inside threat unless your intruder is sniffing the gateway.
>
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQSECURITYFOCUS.COM]On Behalf Of Juan
> M. Courcoul
> Sent: Thursday, June 01, 2000 10:41 AM
> To: BUGTRAQSECURITYFOCUS.COM
> Subject: Re: An Analysis of the TACACS+ Protocol and its Implementations
>
>
> On Tue, 30 May 2000, Solar Designer wrote:
>
> > OW-001-tac_plus, revision 1
> > May 30, 2000
> >
> > An Analysis of the TACACS+ Protocol and its Implementations
> > -----------------------------------------------------------
> ...
>
> First off, many thanks to Solar Designer for this insightful TACACS+
> analysis.
>
> For those of us who have opted to use RADIUS instead of TACACS, is there
> an equivalent vulnerability analysis available somewhere?
>
> Thanks,
>
> J. Courcoul courcoulcampus.qro.itesm.mx
> Servicios Computacionales Directo (4) 238-3181
> ITESM Campus Queretaro Secretaria (4) 238-3175
> Queretaro, Qro. Mexico Sky (800) 723-4500 PIN 5597110
>
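
A scrubber for the accounting records discussed in this thread, as an added example that is not part of the original posts: it flags and redacts `cmd=` values that carry a password so stored logs can be cleaned and the affected credentials rotated. It assumes one record per line and a keyword list (`password`, `secret`); the sample records are constructed on the model of the entry quoted above.

```python
import re

# cmd= attribute of an accounting record whose command sets a password:
# whatever follows the "password"/"secret" keyword is treated as the secret.
# The keyword list is an assumption; extend it for your devices.
_CMD_SECRET = re.compile(
    r"\bcmd=(?:[^\t\n]*? )?(?:password|secret) +"
    r"(?P<secret>.+?)"
    r"(?=\s*<cr>\s*$|\s*$)",
    re.IGNORECASE,
)

def redact_line(line):
    """Return (clean_line, was_redacted) for one accounting record."""
    text = line.rstrip("\n")
    m = _CMD_SECRET.search(text)
    if not m:
        return text, False
    return text[:m.start("secret")] + "<REDACTED>" + text[m.end("secret"):], True

def scrub(lines):
    """Redact all records; return (clean_lines, 1-based numbers of leaking lines)."""
    clean, leaked = [], []
    for n, line in enumerate(lines, 1):
        text, hit = redact_line(line)
        clean.append(text)
        if hit:
            leaked.append(n)
    return clean, leaked

# Constructed sample records (addresses, users and passwords are made up).
SAMPLE = [
    "Sat Apr 22 09:01:03 2000 192.0.2.1 admin tty1 192.0.2.9 stop task_id=131 "
    "timezone=UTC service=shell priv-lvl=0 cmd=password Constructed-Pw1 <cr>",
    "Sat Apr 22 09:02:10 2000 192.0.2.1 admin tty1 192.0.2.9 stop task_id=132 "
    "timezone=UTC service=shell priv-lvl=15 cmd=service password-encryption <cr>",
    "Sat Apr 22 09:03:44 2000 192.0.2.1 admin tty1 192.0.2.9 stop task_id=133 "
    "timezone=UTC service=shell priv-lvl=15 cmd=enable secret Constructed-Pw2 <cr>",
]

if __name__ == "__main__":
    clean, leaked = scrub(SAMPLE)
    print("records that exposed a password:", leaked)
    print("\n".join(clean))
```

Any line number it reports marks a credential that was already written to disk in cleartext and should be changed, not just redacted.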