what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MITKRB5-SA-2005-002.txt

MITKRB5-SA-2005-002.txt
Posted Jul 13, 2005
Site web.mit.edu

MIT krb5 Security Advisory 2005-002 - KDC is susceptible to a buffer overflow and to heap corruption.

tags | advisory, overflow
advisories | CVE-2005-1174, CVE-2005-1175
SHA-256 | 8ff75e490e1fcbb8b37693e060305697d011a5db2eedf60375cc98a8368833ff

MITKRB5-SA-2005-002.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

MIT krb5 Security Advisory 2005-002

Original release: 2005-07-12

Topic: buffer overflow, heap corruption in KDC

Severity: CRITICAL

SUMMARY
=======

The MIT krb5 Key Distribution Center (KDC) implementation can corrupt
the heap by attempting to free memory at a random address when it
receives a certain unlikely (but valid) request via a TCP connection.
This attempt to free unallocated memory can result in a KDC crash and
consequent denial of service. [CAN-2005-1174, VU#259798]

Additionally, the same request, when received by the KDC via either
TCP or UDP, can trigger a bug in the krb5 library which results in a
single-byte overflow of a heap buffer. Application servers are
vulnerable to a highly improbable attack, provided that the attacker
controls a realm sharing a cross-realm key with the target
realm. [CAN-2005-1175, VU#885830]

An unauthenticated attacker may be able to use these vulnerabilities
to execute arbitrary code on the KDC host, potentially compromising an
entire Kerberos realm. No exploit code is known to exist at this
time. Exploitation of these vulnerabilities is believed to be
difficult.

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code on
the KDC host, potentially compromising an entire Kerberos realm. An
unsuccessful attack against the heap corruption vulnerability may
result in a denial of service by crashing the KDC process.

AFFECTED SOFTWARE
=================

* [CAN-2005-1174] affects the KDC implementation in all MIT krb5
releases supporting TCP client connections to the KDC. This
includes krb5-1.3 and later releases, up to and including
krb5-1.4.1.

* [CAN-2005-1175] affects KDC implementations and application servers
in all MIT krb5 releases, up to and including krb5-1.4.1.
Third-party application servers which use MIT krb5 are also
affected.

FIXES
=====

* The upcoming krb5-1.4.2 release will have fixes for these
vulnerabilities.

* WORKAROUNDS: Disabling TCP support in the KDC avoids one
vulnerability [CAN-2005-1174]. The single-byte overflow
[CAN-2005-1175] is still possible even without KDC TCP support
enabled. Running the KDC from init or from some similar automatic
respawning facility may reduce the durations of denials of service,
but this approach may make it difficult to detect deliberate attacks
targeted at code execution.

* Apply the patch at:

http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt.asc

The patch was generated against the krb5-1.4.1 release. It may
apply, with some offset, to earlier releases. On releases prior to
krb5-1.3, only the patch to lib/krb5/krb/unparse.c should be
necessary.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

CERT: VU#259798
http://www.kb.cert.org/vuls/id/259798

CVE: CAN-2005-1175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175

CERT: VU#885830
http://www.kb.cert.org/vuls/id/885830

ACKNOWLEDGMENTS
===============

Thanks to Daniel Wachdorf for reporting these vulnerabilities.

DETAILS
=======

Kerberos 5 principal names may have an arbitrary number of components.
The krb5_unparse_name() function in the MIT krb5 library converts an
internal representation of a Kerberos principal name into a
human-readable string. The internal representation might have
originated from the decoding of a Kerberos protocol message.

The single-byte overflow occurs whenever the krb5_unparse_name()
function is called on a principal name having zero components. The
function writes a null byte to an address one beyond the end of a
buffer allocated my malloc(). The corresponding krb5_parse_name()
function never generates an internal representation having zero
components; instead, it generates at least one zero-length component.
The current string representation form of Kerberos principal names has
some ambiguity between a zero-component principal name and a
one-component principal name having a zero-length single component.

Application servers which call krb5_unparse_name(), directly or
indirectly, are vulnerable to the single-byte overflow in
krb5_unparse_name(), provided that the attacker controls a realm which
shares a cross-realm key with the target realm. This enables the
attacker to use a cross-realm ticket for a zero-component client
principal name, which the application server will then pass to
krb5_unparse_name(), triggering the single-byte overflow.

For this attack to succeed, the attacker needs access to a KDC in the
target realm which will create a ticket for a zero-component client
principal name. Since the current MIT krb5 KDC implementation will
refuse to create such a ticket, the attack is unlikely to succeed
unless the implementation has been altered to allow the issuance of
tickets for zero-component client principal names.

When the KDC fails to find the principal with a zero-component name in
its database (such a principal is very unlikely to exist in most
databases, as there are extremely few uses for such a principal), it
attempts to encode an error packet containing the offending principal
name, using prepare_error_as() or prepare_error_tgs(). This encoding
attempt fails inside encode_krb5_error(), since the ASN.1 encoder
function asn1_encode_principal_name() interprets the internal
representation of a zero-component principal name as an error
condition.

encode_krb5_error() does not allocate an output buffer when it
encounters an error condition. While the UDP request handling code in
kdc/network.c:process_packet() does not attempt to free the output
buffer containing the encoded message when it encounters an error, the
TCP request handling code in process does free the buffer inside
kill_tcp_connection(), which attempts to free unallocated memory
pointed to by an uninitialized pointer.

REVISION HISTORY
================

2005-05-12 original release

Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQtMbCabDgE/zdoE9AQFo9QP5AZMbr0YGmyzYbARTqFq+Lt+FYbfQ7XC/
c1hqTfsTkN0Mfh1I5d6dTjhXQT6kfN+EdNYfPhY+4LANB5CW9xe9BARPcW9i2ftt
xSTIODrD6LdNtOCCut1ha3T5tcV5GodvXzj7dSClde29j0IJR6dBcigfvR4mAygw
/U7r46obgM0=
=SnqK
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close