exploit the possibilities

FreeBSD Security Advisory 2001.25

FreeBSD Security Advisory 2001.25
Posted Feb 16, 2001
Authored by The FreeBSD Project | Site freebsd.org

FreeBSD Security Advisory FreeBSD-SA-01:25 - Systems which have installed the optional Kerberos IV distribution are vulnerable to attacks via the telnet daemon due to an overflow in the libkrb KerberosIV authentication library and improper filtering of environmental variables by the KerberosIV-adapted telnet daemon.

tags | overflow
systems | freebsd
SHA-256 | f9a7aa773a778f96ba38dd1ff4ca14f8f41dbeeb995305ea23832d652efb4616

FreeBSD Security Advisory 2001.25

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:25 Security Advisory
FreeBSD, Inc.

Topic: Local and remote vulnerabilities in Kerberos IV

Category: core
Module: libkrb, telnetd
Announced: 2001-02-14
Credits: Jouko Pynnönen <jouko@solutions.fi>
Affects: FreeBSD 4.2-STABLE and 3.5-STABLE prior to the
correction dates.
Corrected: 2000-12-13 (FreeBSD 4.2-STABLE)
2000-12-15 (FreeBSD 3.5-STABLE)
FreeBSD only: NO

I. Background

telnetd is the server for the telnet remote login protocol, which is
available with optional support for the Kerberos authentication
protocol. libkrb is the library used for Kerberised applications
(including telnetd and login). FreeBSD includes the KTH Kerberos
implementation, which is externally maintained, contributed software,
as an optional part of the base system.

II. Problem Description

The advisory describes three vulnerabilities: first, an overflow in
the libkrb KerberosIV authentication library, second, improper
filtering of environmental variables by the KerberosIV-adapted telnet
daemon, and finally, a temporary file vulnerability in the KerberosIV
ticket management code.

A buffer overflow exists in the libkrb Kerberos authentication
library, which may be exploitable by malicious remote authentication
servers. This vulnerability exists in the kdc_reply_cipher() call.
An attacker may be able to overflow this buffer during an
authentication exchange, allowing the attacker to execute arbitrary
code with the privileges of the caller of kdc_reply_cipher().

The telnet protocol allows for UNIX environmental variables to be
passed from the client to the user login session on the server. The
base system telnet daemon, telnetd, goes the great lengths to limit
the variables passed so as to prevent them from improperly influencing
the login and authentication mechanisms. The telnet daemon used with
KerberosIV relied on an incomplete list of improper environment
variables to remove from the environment before executing the login
program. This is a similar vulnerability to that described in
Security Advisory 00:69.

Two environment variables have been identified that place users of
Kerberos at risk. The first allows the remote user to change the
Kerberos server used for authentication requests, increasing the
opportunity for an attacker to exploit the buffer overflow. The
second allows the configuration directory for Kerberos to be modified,
allowing an attacker with the right to modify the local file system to
cause Kerberos to autheticate using an improper configuration
(including Kerberos realm and server configuration, as well as
srvtab). These vulnerabilities may be used to leverage root access.

A race condition exists in the handling of ticket files in /tmp; this
vulnerability may be exploited by a local user to gain ownership of
arbitrary files in the file system. This vulnerability can be
leveraged to gain root access.

These vulnerabilities only exist on systems which have installed the
optional Kerberos IV distribution (whether or not it is configured),
which is not installed by default.

III. Impact

If your system has the KerberosIV distribution installed, remote and
local users may be able to obtain root privileges on the local system.

IV. Workaround

To prevent remote root compromise via the telnet service, disable the
telnet service, which is usually run out of inetd: comment out the
following lines in /etc/inetd.conf, if present.

telnet stream tcp nowait root /usr/libexec/telnetd telnetd

telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd

The local root compromise cannot be easily worked around.

V. Solution

One of the following:

1) Upgrade your vulnerable FreeBSD system to 4.2-STABLE or
3.5-STABLE after the respective correction dates.

2) Apply the relevant patch from below and recompile the affected
files:

Download the relevant patch and detached PGP signature from the
following locations, and verify the signature using your PGP utility.

[FreeBSD 4.2]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4.2.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4.2.patch.asc

[FreeBSD 3.5.1]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3.5.1.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3.5.1.patch.asc

NOTE: This patch assumes you have already applied the patch in security advisory
SA-00:69.

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/kerberosIV
# make depend && make all install
# cd /usr/src/libexec/telnetd
# make depend && make all install
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOopfGFUuHi5z0oilAQGIZwP+OTdYs+CQQ0oZegWsQRNkf6CJCCCu/ban
XWs5wIwEFESq8rCdtg4c6y2RKdF+oySU05nXRYG3gl2Il+71zjhTUnsXi2mM5WHi
on6m8GOB9EGurb2xszuqNBREa61wGoYZTptzm/NKW7meaDVDlCwe1Mq+orz7ai3m
WrEZuR94UFU=
=TyCm
-----END PGP SIGNATURE-----


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close