CVE-2008-7232
published 2009-09-14

CVE-2008-7232: Buffer overflow in the report function in xtacacsd 4.1.2 and earlier allows remote attackers to execute arbitrary code via a crafted CONNECT TACACS command.

Priority: P2 62
Severity: critical (CVSS 2.0 base score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 24.51% (97.6th percentile)

Affected (11 ranges)

Vendor         Product    Version range   Fixed in
netplex-tech   xtacacsd   <= 4.1.2        (not listed)

The remaining ten netplex-tech / xtacacsd entries in the record carry no version range and no fix version.

Detection & IOCs (extracted from sources)

Port: 49/udp
Command: CONNECT TACACS command with overly long username field (0xff / 255-byte username length)
Bytes: \x80\x05\xff\xff\xff\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00
  • Detect oversized XTACACS CONNECT packets on UDP/49 where the username length field is set to 0xff (255), far exceeding normal bounds — indicative of the report() buffer overflow exploit.
  • Monitor UDP/49 (TACACS) traffic for XTACACS packets with packet type byte 0x05 (Connect) and a version byte of 0x80, combined with a payload length consistent with a 238-byte NOP sled plus shellcode.
  • Flag XTACACS CONNECT packets on UDP/49 where the total packet size approaches or exceeds 238 bytes (NOP sled + encoded payload + return address), as the exploit pads to exactly 238 bytes before appending the return address.
  • The exploit targets FreeBSD 6.2-Release via brute-force return address in the range 0xbfbfea00–0xbfbfef00 (step 24); repeated UDP/49 datagrams from the same source cycling through this address range indicate active exploitation.
  • Bad characters filtered by the exploit payload encoder are: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20 — shellcode in the packet will not contain these bytes, which can help distinguish exploit traffic from benign TACACS traffic.
  • The Metasploit module uses a brute-force approach against FreeBSD 6.2-Release only; other BSD/OS targets or xtacacsd versions ≤4.1.2 may be vulnerable but require different return addresses.
  • Payload space is tightly constrained to 175 bytes; the exploit prepends a stack adjustment stub (\x83\xec\x7f) and sets StackAdjustment to -3500 to avoid clobbering the payload on the stack.
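The detection bullets above can be turned into a small packet check. The following is an added example written for this record; it is not code from the CVE record, from xtacacsd, or from the Metasploit module the record mentions. It assumes the classic XTACACS header layout (version byte, type byte, 16-bit transaction id, then the username length byte at offset 4), reuses the 26 header bytes quoted above, and uses constructed sample datagrams with plain filler rather than any payload. The sane-username threshold and the per-source repeat threshold are tunable assumptions, not values from the record.

```python
"""Detection logic for the XTACACS CONNECT indicators listed in this record.
Added example; not code from the CVE record, from xtacacsd, or from the
Metasploit module it mentions."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Header field offsets. Assumption: the classic XTACACS header layout
# (version, type, 16-bit transaction id, name length, password length, ...),
# which places the username length byte at offset 4.
VERSION_OFF, TYPE_OFF, TRANS_OFF, NAMELEN_OFF, PWLEN_OFF = 0, 1, 2, 4, 5
XTA_VERSION = 0x80       # version byte named in the record
XTA_CONNECT = 0x05       # packet type byte for Connect named in the record
SUSPECT_TOTAL_LEN = 238  # size the record says the exploit pads to
MAX_SANE_NAMELEN = 64    # assumption: tunable upper bound for a real username


def parse_header(pkt: bytes) -> Optional[Dict[str, int]]:
    """Pull the leading header fields out of a UDP/49 payload, or None if too short."""
    if len(pkt) <= PWLEN_OFF:
        return None
    return {
        "version": pkt[VERSION_OFF],
        "type": pkt[TYPE_OFF],
        "trans": int.from_bytes(pkt[TRANS_OFF:TRANS_OFF + 2], "big"),
        "namelen": pkt[NAMELEN_OFF],
        "pwlen": pkt[PWLEN_OFF],
    }


def inspect_packet(pkt: bytes) -> List[str]:
    """Return the reasons (possibly none) a datagram matches the indicators above."""
    reasons: List[str] = []
    hdr = parse_header(pkt)
    if hdr is None or hdr["version"] != XTA_VERSION or hdr["type"] != XTA_CONNECT:
        return reasons  # not an XTACACS Connect packet; nothing to flag
    if hdr["namelen"] == 0xFF:
        reasons.append("username length field is 0xff")
    elif hdr["namelen"] > MAX_SANE_NAMELEN:
        reasons.append(f"username length {hdr['namelen']} exceeds sane bound")
    if len(pkt) >= SUSPECT_TOTAL_LEN:
        reasons.append(f"datagram length {len(pkt)} >= {SUSPECT_TOTAL_LEN}")
    return reasons


def repeated_sources(datagrams: Iterable[Tuple[str, bytes]], threshold: int = 5) -> Dict[str, int]:
    """Count flagged datagrams per source address. A source sending many of them
    in a row is consistent with the return-address brute force the record describes."""
    hits: Counter = Counter()
    for src, pkt in datagrams:
        if inspect_packet(pkt):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed sample traffic (not captured data).
# The 26 header bytes quoted in the record, followed by filler instead of any payload.
EXPLOIT_HEADER = bytes.fromhex("8005ffffff000000" + "ff" * 12 + "00" * 6)
SUSPECT_PKT = EXPLOIT_HEADER + b"A" * (SUSPECT_TOTAL_LEN - len(EXPLOIT_HEADER)) + b"\x00" * 4
# A plausible benign Connect: namelen 5, pwlen 4, rest of the header zeroed, then the two strings.
BENIGN_PKT = bytes([0x80, 0x05, 0x00, 0x01, 5, 4, 0, 0]) + b"\x00" * 18 + b"alice" + b"pass"

SAMPLE_TRAFFIC = [("198.51.100.7", SUSPECT_PKT)] * 6 + [("192.0.2.10", BENIGN_PKT)] * 3

if __name__ == "__main__":
    for src, pkt in (SAMPLE_TRAFFIC[0], SAMPLE_TRAFFIC[-1]):
        print(src, inspect_packet(pkt) or "clean")
    print("brute-force candidates:", repeated_sources(SAMPLE_TRAFFIC))
```

The check deliberately keys on the header fields rather than on payload bytes: the bad-character list and NOP sled in the record describe one encoder's output and will vary between payloads, whereas a Connect packet whose declared username length is 0xff, or whose size matches the exploit's padding, is anomalous regardless of what follows the header.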