[tac_plus] Serious security bug in ACL handling of tacacs+-F4.0.4.20
Technic IT
Technic at connecta.net
Wed Dec 21 16:34:21 UTC 2011
Hello tac_plus developers,
First of all I would like to thank you for the great tacacs+ implementation.
While testing around with the acl of Version F4.0.4.20 I discovered
a bug in the procedure cfg_acl_check (implemented in the file config.c).
The line
if (regexec((regex_t *)next->value1, ip, 0, NULL, 0)) {
should be
if (regexec((regex_t *)next->value1, ip, 0, NULL, 0) == 0) {
From different sources:
"If regexec() finds a match it returns zero; otherwise, it returns nonzero"
"regexec() returns zero for a successful match or REG_NOMATCH for failure"
Therefore all the ACLs work something like the inverse, which could lead
to serious security holes.
Kind regards
Valentin Schmid
Systemengineering
aurax connecta ag
Betreiber von KnS und ilnet
Bahnhofstrasse 2
7130 Ilanz
Telefon: +41 81 926 27 28
Telefax: +41 81 926 27 29
http://www.kns.ch
http://www.ilnet.ch
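
The effect of the inverted regexec() test described in the message above, as an added example that is not part of the original post and not tac_plus code. The acl_rule struct, acl_check(), the first-match-wins and default-deny behaviour, and the sample ACL are assumptions made for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical ACL entry: permit (1) or deny (0) plus an extended regex. */
struct acl_rule { int permit; const char *pattern; };

/* Returns 1 = permit, 0 = deny. Assumed semantics: first matching rule
 * wins, no match means deny. buggy != 0 reproduces the inverted test
 * quoted in the post: if (regexec(...)) instead of == 0. */
static int acl_check(const struct acl_rule *rules, size_t n,
                     const char *ip, int buggy)
{
    for (size_t i = 0; i < n; i++) {
        regex_t re;
        if (regcomp(&re, rules[i].pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return 0;                    /* fail closed on a bad pattern */
        /* regexec() returns 0 on a match and REG_NOMATCH otherwise */
        int rc = regexec(&re, ip, 0, NULL, 0);
        regfree(&re);
        int hit = buggy ? (rc != 0) : (rc == 0);
        if (hit)
            return rules[i].permit;
    }
    return 0;                            /* implicit deny */
}

/* Constructed sample ACL: permit 10.1.x.x, deny everything else. */
static const struct acl_rule sample_acl[] = {
    { 1, "^10\\.1\\.[0-9]+\\.[0-9]+$" },
    { 0, ".*" },
};

int main(void)
{
    const char *ips[] = { "10.1.2.3", "192.0.2.7" };  /* constructed inputs */
    for (size_t i = 0; i < 2; i++)
        printf("%-10s fixed=%d buggy=%d\n", ips[i],
               acl_check(sample_acl, 2, ips[i], 0),
               acl_check(sample_acl, 2, ips[i], 1));
    return 0;
}
```

With the inverted test, the address the ACL was written to permit is denied and the address it was written to deny is permitted.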