MITKRB5-SA-2007-005.txt

Posted Jun 29, 2007
Site web.mit.edu

MIT krb5 Security Advisory 2007-005 - The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow.

tags | advisory, overflow
advisories | CVE-2007-2798
SHA-256 | 5915f86c61c9564dc34aa5cb655f913b024147f3860c66cbc95b45eba5a08091

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MIT krb5 Security Advisory 2007-005

Original release: 2007-06-26
Last update: 2007-06-26

Topic: kadmind vulnerable to buffer overflow

Severity: CRITICAL

CVE: CVE-2007-2798
CERT: VU#554257

SUMMARY
=======

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow.

Exploitation of stack buffer overflows is known to be simple. We
have received a proof-of-concept exploit which may invoke a shell, but
we believe that this exploit is not publicly circulated.

This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos
protocol.

IMPACT
======

An authenticated remote user may be able to cause a host running
kadmind to execute arbitrary code.

Successful exploitation can compromise the Kerberos key database and
host security on the KDC host. (kadmind typically runs as root.)
Unsuccessful exploitation attempts will likely result in kadmind
crashing.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases up to and including krb5-1.6.1

FIXES
=====

* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
maintenance release, will contain fixes for this vulnerability.

Prior to that release you may:

* apply the patch

This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite.
The krb5-1.6.1 and krb5-1.5.3 releases already contain the
prerequisite patch.

This patch is also available at

http://web.mit.edu/kerberos/advisories/2007-005-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc

*** src/kadmin/server/server_stubs.c (revision 20024)
- --- src/kadmin/server/server_stubs.c (local)
***************
*** 545,557 ****
static generic_ret ret;
char *prime_arg1,
*prime_arg2;
- - char prime_arg[BUFSIZ];
gss_buffer_desc client_name,
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
char *errmsg;

xdr_free(xdr_generic_ret, &ret);

- --- 545,558 ----
static generic_ret ret;
char *prime_arg1,
*prime_arg2;
gss_buffer_desc client_name,
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
char *errmsg;
+ size_t tlen1, tlen2, clen, slen;
+ char *tdots1, *tdots2, *cdots, *sdots;

xdr_free(xdr_generic_ret, &ret);
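Review bot: the new declarations size_t tlen1, tlen2, clen, slen are later passed as the precision argument of "%.*s", which requires an int; on LP64 platforms passing a size_t there is undefined behavior and can misalign the remaining variadic arguments, so either declare them as int or cast at every call site ((int)tlen1, and so on). Removing char prime_arg[BUFSIZ] is what eliminates the overflow: no fixed-size destination for the two principal names remains in this function.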

***************
*** 572,578 ****
ret.code = KADM5_BAD_PRINCIPAL;
goto exit_func;
}
! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);

ret.code = KADM5_OK;
if (! CHANGEPW_SERVICE(rqstp)) {
- --- 573,586 ----
ret.code = KADM5_BAD_PRINCIPAL;
goto exit_func;
}
! tlen1 = strlen(prime_arg1);
! trunc_name(&tlen1, &tdots1);
! tlen2 = strlen(prime_arg2);
! trunc_name(&tlen2, &tdots2);
! clen = client_name.length;
! trunc_name(&clen, &cdots);
! slen = service_name.length;
! trunc_name(&slen, &sdots);

ret.code = KADM5_OK;
if (! CHANGEPW_SERVICE(rqstp)) {
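Review bot: trunc_name() is neither declared nor defined in this patch; the text above names the MITKRB5-SA-2007-002 patch as a prerequisite, so a comment here should say that trunc_name comes from that patch and that every caller below relies on it always leaving tdots1, tdots2, cdots and sdots pointing at a valid (possibly empty) string, since each is printed with a bare "%s". These four calls replace the sprintf(prime_arg, "%s to %s", ...) that overflowed; they still run before the CHANGEPW_SERVICE privilege check, which is acceptable now that nothing is written into a fixed buffer.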
***************
*** 590,597 ****
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
! log_unauth("kadm5_rename_principal", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
- --- 598,612 ----
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
! krb5_klog_syslog(LOG_NOTICE,
! "Unauthorized request: kadm5_rename_principal, "
! "%.*s%s to %.*s%s, "
! "client=%.*s%s, service=%.*s%s, addr=%s",
! tlen1, prime_arg1, tdots1,
! tlen2, prime_arg2, tdots2,
! clen, client_name.value, cdots,
! slen, service_name.value, sdots,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
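Review bot: client_name.value and service_name.value are void * GSS buffer payloads with no guarantee of NUL termination, so printing them with "%.*s" is only safe because clen and slen bound the read; the precision must therefore never exceed the buffer's .length (trunc_name only lowers it, which is fine) and should be cast to int to match "%.*s". A (char *) cast on .value would also be cleaner, since "%s" formally expects a char *.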
***************
*** 600,607 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

! log_done("kadm5_rename_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg1);
- --- 615,629 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

! krb5_klog_syslog(LOG_NOTICE,
! "Request: kadm5_rename_principal, "
! "%.*s%s to %.*s%s, %s, "
! "client=%.*s%s, service=%.*s%s, addr=%s",
! tlen1, prime_arg1, tdots1,
! tlen2, prime_arg2, tdots2, errmsg,
! clen, client_name.value, cdots,
! slen, service_name.value, sdots,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
free(prime_arg1);
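Review bot: this krb5_klog_syslog call duplicates the unauthorized-request call in the previous hunk almost verbatim, differing only in the "Request:" prefix and the inserted errmsg argument, which makes it easy for the paired "%.*s" length/string/dots arguments to drift out of sync between the two; a small helper taking the prefix, the four (length, string, dots) triples and an optional message would keep them together. The free(prime_arg1) below remains correct now that the prime_arg stack buffer is gone; the matching release of prime_arg2 lies outside this hunk.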

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798

CERT: VU#554257
http://www.kb.cert.org/vuls/id/554257

ACKNOWLEDGMENTS
===============

We thank iDefense for the initial notification. iDefense credits an
anonymous discoverer.

DETAILS
=======

The kadmind code which performs the principal renaming operation
passes unchecked string arguments to a sprintf() call which has a
fixed-size stack buffer as its destination. These strings are the old
and new principal names passed to the rename operation. The attacker
needs to authenticate to kadmind to perform this attack, but no
administrative privileges are required because the vulnerable code
executes prior to privilege verification.
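The following is an added example, not MIT's code, showing the defensive pattern the patch above adopts: instead of sprintf() into a fixed stack buffer, each untrusted name is clamped to a maximum length and emitted through a "%.*s" precision into a bounded snprintf() call. MAX_NAME_LEN, trunc_name_ex() and the message layout are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* Added example (not MIT's code): bounded formatting of attacker-controlled
 * principal names. MAX_NAME_LEN and trunc_name_ex() are assumptions here,
 * modelled on the trunc_name()/"%.*s" approach of the advisory's patch. */
#define MAX_NAME_LEN 32
/* Clamp *len to MAX_NAME_LEN and point *dots at "..." if anything was cut.
 * Returns 1 when truncation happened, 0 otherwise. */
int trunc_name_ex(size_t *len, const char **dots)
{
    if (*len > MAX_NAME_LEN) {
        *len = MAX_NAME_LEN;
        *dots = "...";
        return 1;
    }
    *dots = "";
    return 0;
}
/* Format "src to dest" into out[outsz]. Returns the length the full message
 * would have had (snprintf semantics); never writes past outsz. */
int format_rename_msg(char *out, size_t outsz, const char *src, const char *dest)
{
    size_t slen = strlen(src), dlen = strlen(dest);
    const char *sdots, *ddots;
    trunc_name_ex(&slen, &sdots);
    trunc_name_ex(&dlen, &ddots);
    /* "%.*s" takes an int precision, so cast the size_t explicitly. */
    return snprintf(out, outsz, "Request: kadm5_rename_principal, %.*s%s to %.*s%s",
                    (int)slen, src, sdots, (int)dlen, dest, ddots);
}
/* Short names pass through unchanged: returns the message length (45). */
int short_names_untouched(void)
{
    char out[128];
    int n = format_rename_msg(out, sizeof out, "alice", "bob");
    return strcmp(out, "Request: kadm5_rename_principal, alice to bob") == 0 ? n : -1;
}
/* A constructed 4095-byte name must yield a bounded message: 33-byte prefix,
 * 32 'A's plus "...", " to ", 16-byte dest = 88 bytes, well inside out[]. */
int overlong_name_is_bounded(void)
{
    char big[4096], out[128];
    int n;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    n = format_rename_msg(out, sizeof out, big, "user@EXAMPLE.COM");
    return (n == 88 && strlen(out) == 88) ? 1 : 0;
}
```

With the original sprintf() pattern the 4095-byte name would have run past a BUFSIZ-sized stack buffer; here the message length is fixed by the clamp and the destination size, whatever the input length.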

REVISION HISTORY
================

2007-06-26 original release

Copyright (C) 2007 Massachusetts Institute of Technology