XTACACS DoS


From c_karma@HOTMAIL.COM Sat Dec 27 00:51:57 1997
From: Coaxial Karma 
To: BUGTRAQ@NETSPACE.ORG
Date: Tue, 23 Dec 1997 11:21:06 PST
Subject: Crashing an XTACACS authentication server

Hi,

I dunno if what follows has already been posted or not... Sorry if it
has been.

I recently discovered that when an ISP was using XTACACS server from
Vikas Aggarwal (vikas@navya.com) in a standalone mode, it was possible
to make the XTACACS server crash by sending it different type of ICMP
messages.

In order to exploit this, you only have to an ICMP unreachable message
specifying port unreachable.

Coaxial Karma
c_karma@hotmail.com

--- cut here ---

/************************************************************************
 *
 * xtacacs/udp killer v1.0 by Coaxial Karma, c_karma@hotmail.com
 * Modified version of nEWk.c by HyperioN
 *
 * Only few code has been modified: the loop for sending fake ICMP
packets
 * has been removed and arguments provided also changed.
 *

************************************************************************/

#include stdio.h
#include unistd.h
#include stdlib.h
#include string.h
#include sys/types.h
#include sys/socket.h
#include netdb.h
#include netinet/in.h
#include netinet/ip.h
#include netinet/ip_icmp.h

[snip...]