CVE-2008-7232
Published 2009-09-14
Priority: P2 · 62 · critical · CVSS 2.0 base score 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 24.51% (97.6th percentile)
Buffer overflow in the report function in xtacacsd 4.1.2 and earlier allows remote attackers to execute arbitrary code via a crafted CONNECT TACACS command.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netplex-tech | xtacacsd | <= 4.1.2 | — |
Detection & IOCs (extracted from sources)
Byte pattern: `\x80\x05\xff\xff\xff\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00`
- Detect oversized XTACACS CONNECT packets on UDP/49 where the username length field is set to 0xff (255), far exceeding normal bounds; this is indicative of the report() buffer overflow exploit.
- Monitor UDP/49 (TACACS) traffic for XTACACS packets with packet type byte 0x05 (Connect) and a version byte of 0x80, combined with a payload length consistent with a 238-byte NOP sled plus shellcode.
- Flag XTACACS CONNECT packets on UDP/49 where the total packet size approaches or exceeds 238 bytes (NOP sled + encoded payload + return address), as the exploit pads to exactly 238 bytes before appending the return address.
- The exploit targets FreeBSD 6.2-Release via a brute-forced return address in the range 0xbfbfea00–0xbfbfef00 (step 24); repeated UDP/49 connections from the same source cycling through this address range indicate active exploitation.
- Bad characters filtered by the exploit payload encoder are 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d and 0x20; shellcode in the packet will not contain these bytes, which can help distinguish exploit traffic from benign TACACS traffic.
- The Metasploit module uses a brute-force approach against FreeBSD 6.2-Release only; other BSD/OS targets or xtacacsd versions <= 4.1.2 may be vulnerable but require different return addresses.
- Payload space is tightly constrained to 175 bytes; the exploit prepends a stack adjustment stub (\x83\xec\x7f) and sets StackAdjustment to -3500 to avoid clobbering the payload on the stack.
No detection rules found.
Exploit-DB
Xtacacsd 4.1.2 - 'report()' Remote Buffer Overflow (Metasploit) (exploitdb, 2008-01-08)
---
```ruby
##
# $Id: xtacacsd_report.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (module info as listed in the source; the header between the class
  #  line and the module metadata was lost in extraction)
  'Name'        => 'XTACACSD report() Buffer Overflow',
  'Description' => %q{
    This module exploits a stack buffer overflow in XTACACSD <= 4.1.2.
  },
  'Author'      => 'MC',
  'Version'     => '$Revision: 9262 $',
  'References'  =>
    [
      ['CVE', '2008-7232'],
      ['OSVDB', '58140'],
      ['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],
    ],
  'Payload'     =>
    {
      'Space'           => 175,
      'BadChars'        => "\x00\x09\x0a\x0b\x0c\x0d\x20",
      'StackAdjustment' => -3500,
      'PrependEncoder'  => "\x83\xec\x7f",
  # (excerpt ends here in the source listing)
```
Metasploit
XTACACSD report() Buffer Overflow
This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By sending a specially crafted XTACACS packet with an overly long username, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
Published: 2009-09-14