exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MITKRB5-SA-2007-005.txt

MITKRB5-SA-2007-005.txt
Posted Jun 29, 2007
Site web.mit.edu

MIT krb5 Security Advisory 2007-005 - The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow.

tags | advisory, overflow
advisories | CVE-2007-2798
SHA-256 | 5915f86c61c9564dc34aa5cb655f913b024147f3860c66cbc95b45eba5a08091

MITKRB5-SA-2007-005.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MIT krb5 Security Advisory 2007-005

Original release: 2007-06-26
Last update: 2007-06-26

Topic: kadmind vulnerable to buffer overflow

Severity: CRITICAL

CVE: CVE-2007-2798
CERT: VU#554257

SUMMARY
=======

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow.

Exploitation of overflows of stack buffers is known to be simple. We
have received a proof-of-concept exploit which may invoke a shell, but
we believe that this exploit is not publicly circulated.

This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos
protocol.

IMPACT
======

An authenticated remote user may be able to cause a host running
kadmind to execute arbitrary code.

Successful exploitation can compromise the Kerberos key database and
host security on the KDC host. (kadmind typically runs as root.)
Unsuccessful exploitation attempts will likely result in kadmind
crashing.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases up to and including krb5-1.6.1

FIXES
=====

* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
maintenance release, will contain fixes for this vulnerability.

Prior to that release you may:

* apply the patch

This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite.
The krb5-1.6.1 and krb5-1.5.3 releases already contains the
prerequisite patch.

This patch is also available at

http://web.mit.edu/kerberos/advisories/2007-005-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc

*** src/kadmin/server/server_stubs.c (revision 20024)
- --- src/kadmin/server/server_stubs.c (local)
***************
*** 545,557 ****
static generic_ret ret;
char *prime_arg1,
*prime_arg2;
- - char prime_arg[BUFSIZ];
gss_buffer_desc client_name,
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
char *errmsg;

xdr_free(xdr_generic_ret, &ret);

- --- 545,558 ----
static generic_ret ret;
char *prime_arg1,
*prime_arg2;
gss_buffer_desc client_name,
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
char *errmsg;
+ size_t tlen1, tlen2, clen, slen;
+ char *tdots1, *tdots2, *cdots, *sdots;

xdr_free(xdr_generic_ret, &ret);

***************
*** 572,578 ****
ret.code = KADM5_BAD_PRINCIPAL;
goto exit_func;
}
! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);

ret.code = KADM5_OK;
if (! CHANGEPW_SERVICE(rqstp)) {
- --- 573,586 ----
ret.code = KADM5_BAD_PRINCIPAL;
goto exit_func;
}
! tlen1 = strlen(prime_arg1);
! trunc_name(&tlen1, &tdots1);
! tlen2 = strlen(prime_arg2);
! trunc_name(&tlen2, &tdots2);
! clen = client_name.length;
! trunc_name(&clen, &cdots);
! slen = service_name.length;
! trunc_name(&slen, &sdots);

ret.code = KADM5_OK;
if (! CHANGEPW_SERVICE(rqstp)) {
***************
*** 590,597 ****
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
! log_unauth("kadm5_rename_principal", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
- --- 598,612 ----
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
! krb5_klog_syslog(LOG_NOTICE,
! "Unauthorized request: kadm5_rename_principal, "
! "%.*s%s to %.*s%s, "
! "client=%.*s%s, service=%.*s%s, addr=%s",
! tlen1, prime_arg1, tdots1,
! tlen2, prime_arg2, tdots2,
! clen, client_name.value, cdots,
! slen, service_name.value, sdots,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
***************
*** 600,607 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

! log_done("kadm5_rename_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg1);
- --- 615,629 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

! krb5_klog_syslog(LOG_NOTICE,
! "Request: kadm5_rename_principal, "
! "%.*s%s to %.*s%s, %s, "
! "client=%.*s%s, service=%.*s%s, addr=%s",
! tlen1, prime_arg1, tdots1,
! tlen2, prime_arg2, tdots2, errmsg,
! clen, client_name.value, cdots,
! slen, service_name.value, sdots,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
free(prime_arg1);

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798

CERT: VU#554257
http://www.kb.cert.org/vuls/id/554257

ACKNOWLEDGMENTS
===============

We thank iDefense for the initial notification. iDefense credits an
anonymous discoverer.

DETAILS
=======

The kadmind code which performs the principal renaming operation
passes unchecked string arguments to a sprintf() call which has a
fixed-size stack buffer as its destination. These strings are the old
and new principal names passed to the rename operation. The attacker
needs to authenticate to kadmind to perform this attack, but no
administrative privileges are required because the vulnerable code
executes prior to privilege verification.

REVISION HISTORY
================

2007-06-26 original release

Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRoFJ16bDgE/zdoE9AQJKkQP/V95mZTlvUeuc1+Pw6m3vx+0jd2yGdR9Y
NiM1Kfe80u4TjvXIkCLLrIwE2E8+xSjEpGsG0EBqlRpAKOMtXyfzySYF4RdQl8QI
42joEAhYO4sk4xueb9ZC/GW1BCOobkvH+Apq1mXEndfeM/7QHRo/MJRZry8aek8r
Xfd3cRNQogQ=
=JE8k
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close