what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MITKRB-SA-2006-001.txt

MITKRB-SA-2006-001.txt
Posted Aug 18, 2006
Site web.mit.edu

MIT krb5 Security Advisory 2006-001 - In certain application programs packaged in the MIT Kerberos 5 source distribution, calls to setuid() and seteuid() are not always checked for success. A local user could exploit one of these vulnerabilities to result in privilege escalation.

tags | advisory, local, vulnerability
advisories | CVE-2006-3083, CVE-2006-3084
SHA-256 | 5db9ff2738fcd6d0a0ced2e2d5163d49ea87c62d41b14cf20dadce5116a9f956

MITKRB-SA-2006-001.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MIT krb5 Security Advisory 2006-001

Original release: 2006-08-08

Topic: multiple local privilege escalation vulnerabilities

Severity: serious

SUMMARY
=======

In certain application programs packaged in the MIT Kerberos 5 source
distribution, calls to setuid() and seteuid() are not always checked
for success. A local user could exploit one of these vulnerabilities
to result in privilege escalation. No exploit code is known to exist
at this time. It is believed that the primary risk is to Linux
systems, due to the behavior of their implementation of the setuid()
and seteuid() system calls.

IMPACT
======

Actual impact depends on implementation details within a specific
operating system. Vulnerabilities result when the OS implementations
of setuid() or seteuid() can fail due to resource exhaustion when
changing to an unprivileged user ID. We believe that only unchecked
calls to setuid(), and not calls to seteuid(), are vulnerable on
Linux.

On AIX, Kerberos applications provided by IBM are not vulnerable. If,
in place of or in addition to IBM-provided Kerberos applications, MIT
krb5 code is installed on an AIX system, the affected MIT krb5
applications are vulnerable to the setuid() issues listed in
CVE-2006-3083. We believe that no other operating systems are
affected.

[CVE-2006-3083, VU#580124] The following vulnerabilities may result
from unchecked calls to setuid(), and are believed to only exist on
Linux and AIX:

* Unchecked calls to setuid() in krshd may allow a local privilege
escalation leading to execution of programs as root.

* Unchecked calls to setuid() in the v4rcp may allow a local privilege
escalation leading to reading, writing, or creating files as root.
v4rcp is the remote end of a krb4-authenticated rcp operation, but
may be executed directly by an attacker, as it is a setuid program.

[CVE-2006-3084, VU#401660] The following vulnerabilities may result
from unchecked calls to seteuid(). These vulnerabilities are not yet
known to exist on any operating system:

* Unchecked calls to seteuid() in ftpd may allow a local privilege
escalation leading to reading, writing, or creating files as root.

* Unchecked calls to seteuid() in the ksu program may allow a local
privilege escalation resulting in filling a file with null bytes as
root and then deleting it (the "kdestroy" operation).

AFFECTED SOFTWARE
=================

* The above-listed programs are vulnerable in all releases of MIT
krb5, up to and including krb5-1.5. The krb5-1.5.1 and krb5-1.4.4
releases will contain fixes for these problems.

FIXES
=====

* The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes
for these vulnerabilities.

* Disable krshd and ftpd, and remove the setuid bit from the ksu
binary and the v4rcp binary.

* For the krb5-1.5 release, apply the patch at

http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt

A PGP-signed version of this patch is at

http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt.asc

This patch was generated against the krb5-1.5 release, and may apply
to earlier releases with some fuzz. The patch also updates some
calls to other setuid-like system calls on less-common operating
systems, though these calls are less likely to be vulnerable.

* For the krb5-1.4.3 release, apply the patch at

http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt

A PGP-signed version of this patch is at

http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt

This patch was generated against the krb5-1.4.3 release, and may apply
to earlier releases with some fuzz. The patch also updates some
calls to other setuid-like system calls on less-common operating
systems, though these calls are less likely to be vulnerable.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVE: CVE-2006-3083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083

CERT: VU#580124
http://www.kb.cert.org/vuls/id/580124

CVE: CVE-2006-3084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084

CERT: VU#401660
http://www.kb.cert.org/vuls/id/401660

ACKNOWLEDGMENTS
===============

Thanks to Michael Calmer and Marcus Meissner at SUSE for reporting
this problem.

Thanks to Shiva Persaud at IBM for information on AIX.

DETAILS
=======

Typically, setuid(), seteuid(), and similar system calls cannot fail
except in cases of inadequate privilege or system misconfiguration.
Unlike other operating systems, Linux and AIX system calls which
change the real user ID can fail if the change would cause the target
user ID to exceed its quota of allowed processes. A local attacker
may be able to exhaust a process quota in a way which artificially
creates such a failure condition. This may result in privilege
escalation when a program making an unchecked call to one of these
system calls expects to continue execution with reduced privilege
following the affected call, but instead continues to run as a
privileged user.

Specific places where various system calls are not checked include:

appl/bsd/krcp.c: setreuid (uncompiled code), setuid (irrelevant
because not installed setuid)
appl/bsd/krshd.c: setuid
appl/bsd/krsh.c: setuid (irrelevant because not installed setuid)
appl/bsd/v4rcp.c: setuid
appl/gssftp/ftpd/ftpd.c: seteuid
client/ksu/main.c: seteuid
lib/krb4/kuserok.c: seteuid (but likely irrelevant)

REVISION HISTORY
================

2006-08-08 original release

Copyright (C) 2006 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (SunOS)

iQCVAwUBRNjfg6bDgE/zdoE9AQLnKQP8DAikPgsCxRiOVj2QnX66VnBl2Nsm7irs
NeO/8yiP9QpliPk4h/6p9Q1Wc70H/C4ICWgufVDiIHbnUc4MGS4GVUzZtvQelrC1
4WTZyxLFfEZQzbNk6FUBw3W0P38IrUX2FQsLTp9R4S3iWFMI5Udkb5XX60zwo9w2
79rpIw5g8vY=
=x/vF
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close