
MITKRB5-SA-2007-006-2.txt
Posted Sep 6, 2007
Site web.mit.edu

MIT krb5 Security Advisory 2007-006 - The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow in the RPCSEC_GSS authentication flavor of the RPC library. Third-party applications using the RPC library provided with MIT krb5 may also be affected. Updated version of the original advisory with a fixed patch.

tags | advisory, overflow
advisories | CVE-2007-3999, CVE-2007-4000
SHA-256 | c517f29d3963a74e5996d51015499a26393ca2069f0a85df1eae3889e291d2f7


The MIT Kerberos Team has discovered a problem with the originally
published patch for svc_auth_gss.c [CVE-2007-3999], which allowed a
32-byte overflow. Depending on the compilation environment and
machine architecture, this may or may not be a significant continued
vulnerability. The new patch in the updated advisory (below)
correctly checks the buffer length.

Thanks to Kevin Coffman (UMich), Will Fiveash (Sun), and Nico Williams
(Sun) for discovering the bug in the initial CVE-2007-3999 patch and
for help with developing the revised patch for CVE-2007-3999.

====================

MIT krb5 Security Advisory 2007-006

Original release: 2007-09-04
Last update: 2007-09-05

Topic: kadmind RPC lib buffer overflow, uninitialized pointer

[CVE-2007-3999/VU#883632]
RPC library buffer overflow

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 10

Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

CVSSv2 Temporal Score: 7.8

Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

[CVE-2007-4000/VU#377544]
kadmind uninitialized pointer

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

See DETAILS for the expanded CVSSv2 metrics for this vulnerability.

SUMMARY
=======

This advisory concerns two vulnerabilities. CVE-2007-3999 is much
easier to exploit than CVE-2007-4000.

[CVE-2007-3999]

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow in the RPCSEC_GSS authentication flavor of the
RPC library. Third-party applications using the RPC library provided
with MIT krb5 may also be affected.

We have received a proof-of-concept exploit that does not appear to
execute malicious code, and we believe that this exploit is not
publicly circulated.

This is a bug in the RPC library in MIT krb5. It is not a bug in the
Kerberos protocol.

[CVE-2007-4000]

The MIT krb5 Kerberos administration daemon (kadmind) can write data
through an uninitialized pointer. We know of no working exploit code
for this vulnerability, and do not believe that any exploit code for
this vulnerability is circulating.

This is a bug in kadmind in MIT krb5. It is not a bug in the
Kerberos protocol.

IMPACT
======

[CVE-2007-3999] An unauthenticated remote user may be able to cause a
host running kadmind to execute arbitrary code.

[CVE-2007-4000] An authenticated user with "modify policy" privilege
may be able to cause a host running kadmind to execute arbitrary code.

Successful exploitation of either vulnerability can compromise the
Kerberos key database and host security on the KDC host. (kadmind
typically runs as root.) Unsuccessful exploitation attempts will
likely result in kadmind crashing.

Third-party applications calling the RPC library provided with MIT
krb5 may be vulnerable to CVE-2007-3999.

AFFECTED SOFTWARE
=================

[CVE-2007-3999]

* kadmind in MIT releases krb5-1.4 through krb5-1.6.2

* third-party RPC server programs linked against the RPC library
included in MIT releases krb5-1.4 through krb5-1.6.2

* MIT releases prior to krb5-1.4 did not contain the vulnerable code

[CVE-2007-4000]

* kadmind in MIT releases krb5-1.5 through krb5-1.6.2

* MIT releases prior to krb5-1.5 did not contain the vulnerable code

FIXES
=====

* The patch for CVE-2007-3999 has been revised; the patch originally
released for svc_auth_gss.c allowed a 32-byte overflow. Depending
on the compilation environment and machine architecture, this may or
may not be a significant continued vulnerability. The new patch
below correctly checks the buffer length.

* The upcoming krb5-1.6.3 release, as well as the upcoming krb5-1.5.5
maintenance release, will contain fixes for these vulnerabilities.

Prior to that release you may apply the following patch. Note that
releases prior to krb5-1.5 will not need the svr_policy.c patch.

*** src/lib/kadm5/srv/svr_policy.c (revision 20254)
- --- src/lib/kadm5/srv/svr_policy.c (local)
***************
*** 211,218 ****
if((mask & KADM5_POLICY))
return KADM5_BAD_MASK;

! ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
! if( ret && (cnt==0) )
return KADM5_UNK_POLICY;

if ((mask & KADM5_PW_MAX_LIFE))
- --- 211,219 ----
if((mask & KADM5_POLICY))
return KADM5_BAD_MASK;

! if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
! return ret;
! if (cnt != 1)
return KADM5_UNK_POLICY;

if ((mask & KADM5_PW_MAX_LIFE))
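Review bot: the new "if (cnt != 1)" test is the fix that matters in this hunk. The old "if( ret && (cnt==0) )" only rejected the request when the lookup failed and returned no records, so the case the advisory describes (return value 0, cnt 0, p never written) fell straight through to code that writes through p. Returning ret directly on a database error is also the right choice, since a failed lookup is no longer reported as an unknown policy. One defensive addition worth considering outside this hunk: initialize p to NULL at its declaration, so that any future regression in this check faults on a null pointer instead of writing through stack garbage.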
*** src/lib/rpc/svc_auth_gss.c (revision 20474)
- --- src/lib/rpc/svc_auth_gss.c (local)
***************
*** 355,360 ****
- --- 355,369 ----
memset(rpchdr, 0, sizeof(rpchdr));

/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+ oa = &msg->rm_call.cb_cred;
+ if (oa->oa_length > MAX_AUTH_BYTES)
+ return (FALSE);
+
+ /* 8 XDR units from the IXDR macro calls. */
+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+ RNDUP(oa->oa_length)))
+ return (FALSE);
+
buf = (int32_t *)(void *)rpchdr;
IXDR_PUT_LONG(buf, msg->rm_xid);
IXDR_PUT_ENUM(buf, msg->rm_direction);
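Review bot: the sizeof(rpchdr) comparison on the added lines is what closes the 32-byte gap noted at the top of this advisory: the eight IXDR_PUT_* calls that follow consume 8 * BYTES_PER_XDR_UNIT (32) bytes before the credential is copied, so the credential has to be bounded by the remaining space, not by the whole buffer. The preceding "if (oa->oa_length > MAX_AUTH_BYTES)" check is not redundant even though xdr_callmsg() enforces the same limit: it bounds oa_length before RNDUP() is applied, so the rounding arithmetic cannot wrap for a very large value. The literal 8 is tied by hand to the number of IXDR_PUT calls below; the comment names the dependency, but listing the eight fields (xid, direction, rpcvers, prog, vers, proc, flavor, length) would make it obvious that adding a header field means updating the count.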
***************
*** 362,368 ****
IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
- - oa = &msg->rm_call.cb_cred;
IXDR_PUT_ENUM(buf, oa->oa_flavor);
IXDR_PUT_LONG(buf, oa->oa_length);
if (oa->oa_length) {
- --- 371,376 ----
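Review bot: the only change in this hunk is dropping "oa = &msg->rm_call.cb_cred;", because the new check earlier in the function needs oa before the header words are written; the IXDR_PUT_ENUM/IXDR_PUT_LONG calls on oa and the "if (oa->oa_length) {" copy that follows are unchanged and now operate on a length already validated against the buffer. Since the validated length is consumed some distance from the check, a one-line comment at the copy pointing back to the sizeof(rpchdr) test would help later readers see why no further bound is needed there.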

This patch is also available at

http://web.mit.edu/kerberos/advisories/2007-006-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2007-006-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2007-3999
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3999

CERT: VU#883632
http://www.kb.cert.org/vuls/id/883632

CVE: CVE-2007-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4000

CERT: VU#377544
http://www.kb.cert.org/vuls/id/377544

ACKNOWLEDGMENTS
===============

Thanks to Kevin Coffman (UMich), Will Fiveash (Sun), and Nico Williams
(Sun) for discovering the bug in the initial CVE-2007-3999 patch and
for help with developing the revised patch for CVE-2007-3999.

CVE-2007-3999 was discovered by Tenable Network Security and reported
to MIT Kerberos Team by the Zero Day Initiative (ZDI) of the
TippingPoint division of 3Com.

CVE-2007-4000 was discovered by Garrett Wollman of MIT CSAIL.

DETAILS
=======

[CVE-2007-3999]

The implementation of the RPCSEC_GSS authentication flavor copies
untrusted data with an inadequately validated length into a buffer
on the stack. In the function svcauth_gss_validate() in
src/lib/rpc/svc_auth_gss.c, which authenticates the incoming RPC
message, a memcpy() invocation copies a number of bytes into the
128-byte stack buffer "rpchdr". The length provided to this memcpy()
invocation comes from the RPC header and may be maliciously chosen.
The invocation of xdr_callmsg(), which provides the decoded rpc_msg
structure used by svcauth_gss_validate(), ensures that the provided
length does not exceed MAX_AUTH_BYTES, which is 400, but the
destination buffer is smaller than this size and can be trivially
overflowed.

The vulnerable code executes prior to the completion of authentication
of the RPC message, and therefore requires no authentication to
exploit.

Exploitation of stack buffer overflows is trivial on many platforms.
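As an added illustration (not code from the advisory or from krb5), the following C model reproduces the arithmetic behind the sizeof(rpchdr) check in the revised patch, using the sizes the advisory states (128-byte buffer, 8 XDR header units, MAX_AUTH_BYTES of 400), and contrasts it with a check that forgets the header words; the constants, function names and the header-blind check are assumptions made for the example.

```c
#include <stdint.h>
/* Sizes as the advisory states them: 128-byte stack buffer rpchdr, 8 XDR header
 * units of 4 bytes, then the credential; xdr_callmsg() bounds the credential by
 * MAX_AUTH_BYTES (400). Constants and function names are the example's own. */
#define BYTES_PER_XDR_UNIT 4u
#define MAX_AUTH_BYTES     400u
#define RPCHDR_SIZE        128u
#define HDR_XDR_UNITS      8u  /* xid, direction, rpcvers, prog, vers, proc, flavor, length */
#define RNDUP(x) ((((x) + BYTES_PER_XDR_UNIT - 1u) / BYTES_PER_XDR_UNIT) * BYTES_PER_XDR_UNIT)

/* Bytes the header words plus the XDR-padded credential occupy. RNDUP() wraps for
 * lengths near UINT32_MAX, which is why the revised check bounds the length first. */
uint32_t bytes_needed(uint32_t oa_length)
{
    return HDR_XDR_UNITS * BYTES_PER_XDR_UNIT + RNDUP(oa_length);
}

/* Check in the shape of the revised patch: 1 = the copy fits, 0 = reject. */
int revised_check_accepts(uint32_t oa_length)
{
    if (oa_length > MAX_AUTH_BYTES)
        return 0;
    return RPCHDR_SIZE >= bytes_needed(oa_length);
}

/* A check that compares the credential against the whole buffer and forgets the
 * 32 header bytes already written. The advisory does not show the first patch, so
 * this illustrates the class of mistake, not that patch. */
int header_blind_check_accepts(uint32_t oa_length)
{
    return oa_length <= RPCHDR_SIZE;
}

/* How far past the end of rpchdr a copy of oa_length bytes would run (0 = fits). */
uint32_t overflow_bytes(uint32_t oa_length)
{
    uint32_t need = bytes_needed(oa_length);
    return need > RPCHDR_SIZE ? need - RPCHDR_SIZE : 0;
}

/* Largest credential length a given check lets through. */
uint32_t max_accepted(int (*accepts)(uint32_t))
{
    uint32_t n = 0;
    while (n < MAX_AUTH_BYTES && accepts(n + 1))
        n++;
    return n;
}
```

The revised check accepts at most 96 credential bytes (128 minus the 32 header bytes), while a header-blind check accepts 128 and so lets the copy run exactly 32 bytes past the buffer, the figure cited in this advisory.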

[CVE-2007-4000]

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 7.1

Access Vector: Network
Access Complexity: High
Authentication: Single
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

CVSSv2 Temporal Score: 5.6

Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

The function kadm5_modify_policy_internal() in
src/lib/kadm5/srv/svr_policy.c does not check the return values from
krb5_db_get_policy() correctly. When the policy does not exist,
krb5_db_get_policy() returns zero but sets the count of retrieved
records to zero without initializing the output pointer. Subsequent
code in kadm5_modify_policy_internal() can attempt to write data
through this pointer, causing memory corruption.
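An added C model (not krb5 code) of the return-value contract described above: get_policy_model() stands in for krb5_db_get_policy(), and the two check functions mirror the before and after forms of the test in the svr_policy.c patch under FIXES; the names, error-code values and the NULL initialization used to detect the unwritten pointer are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>

/* Placeholder error codes carrying the advisory's names; values are assumed. */
#define KADM5_UNK_POLICY 1
#define DB_ERROR         2

struct policy_model { long pw_max_life; };
static struct policy_model stored_policy = { 86400 };

/* Stand-in for krb5_db_get_policy() with the contract the advisory describes:
 * returns 0 on success, sets *cnt to the number of records found, and writes
 * *p only when a record exists. A missing policy is therefore "ret == 0,
 * cnt == 0, *p untouched". 'fail' simulates a database error. */
int get_policy_model(const char *name, struct policy_model **p, int *cnt, int fail)
{
    if (fail) { *cnt = 0; return DB_ERROR; }
    if (strcmp(name, "default") == 0) { *cnt = 1; *p = &stored_policy; return 0; }
    *cnt = 0;
    return 0;
}

/* Both checks return 0 when the caller may safely use p, a positive error code
 * when they reject the request, and -1 when they would go on to write through a
 * pointer the lookup never set. p starts as NULL only so the model can detect
 * that case; the real code left it uninitialized (stack garbage). */
int old_check(const char *name, int fail)
{
    struct policy_model *p = NULL;
    int cnt = 0, ret;
    ret = get_policy_model(name, &p, &cnt, fail);
    if (ret && (cnt == 0))          /* the pre-patch test */
        return KADM5_UNK_POLICY;
    return p ? 0 : -1;
}

int new_check(const char *name, int fail)
{
    struct policy_model *p = NULL;
    int cnt = 0, ret;
    if ((ret = get_policy_model(name, &p, &cnt, fail)))  /* the patched test */
        return ret;
    if (cnt != 1)
        return KADM5_UNK_POLICY;
    return p ? 0 : -1;
}
```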

This vulnerability was not present in MIT releases prior to krb5-1.5.
In the krb5-1.5 release, changes related to the implementation of the
Database Abstraction Layer introduced this vulnerability.

REVISION HISTORY
================

2007-09-05 CVE-2007-3999 patch revised due to 32-byte overflow
2007-09-04 original release

Copyright (C) 2007 Massachusetts Institute of Technology