Bugtraq mailing list archives
Re: Crashing an XTACACS authentication server
From: alan () MANAWATU GEN NZ (Alan Brown)
Date: Wed, 24 Dec 1997 15:39:39 +1300
At 11:21 23/12/97 -0800, Coaxial Karma wrote:
> I recently discovered that when an ISP was using the XTACACS server from Vikas Aggarwal (vikas () navya com) in a standalone mode, it was possible to make the XTACACS server crash by sending it different types of ICMP messages.

Nasty, but... This reinforces the recommendation in Vikas' documentation that xtacacsd be run out of inetd in persistent mode and not in standalone mode.

Having login/logout control die will at best generate a flurry of support calls plus mess up time-based accounting or at worst, cost an ISP customers.

Thankfully Tacacs based clients usually default to "no response = no access", so it only really becomes a security issue if a bogus tacacs server can be installed on the network _and_ the tacacs servers are configured to look at it. (Discounting forged udp tacacs responses).

AB