kadmind Denial Of Service
Posted Apr 7, 2010
Site web.mit.edu

MIT krb5 Security Advisory 2010-003 - In previous MIT krb5 releases krb5-1.5 through krb5-1.6.3, the Kerberos administration daemon (kadmind) can crash due to referencing freed memory. A legitimate user can trigger this crash by using a newer version of the kadmin protocol than the server supports.

tags | advisory, protocol
advisories | CVE-2010-0629
SHA-256 | 52f15147f99a8b73ce1c76f66321a7b8f7baa3149d7fbbd12a0453ca1dd44b10

MITKRB5-SA-2010-003

MIT krb5 Security Advisory 2010-003
Original release: 2010-04-06
Last update: 2010-04-06

Topic: denial of service in kadmind in older krb5 releases

CVE-2010-0629
denial of service in kadmind in older krb5 releases

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 6.8

Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

CVSSv2 Temporal Score: 5.3

Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

In previous MIT krb5 releases krb5-1.5 through krb5-1.6.3, the
Kerberos administration daemon (kadmind) can crash due to referencing
freed memory. A legitimate user can trigger this crash by using a
newer version of the kadmin protocol than the server supports.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol. This vulnerability is not
present in modern releases of MIT krb5.

IMPACT
======

An authenticated remote attacker could crash the Kerberos
administration daemon (kadmind), causing a denial of service.

AFFECTED SOFTWARE
=================

* kadmind in MIT releases krb5-1.5 through krb5-1.6.3.

FIXES
=====

* The krb5-1.7 release already contains a fix for this vulnerability.

* Apply the patch below. The corresponding SVN revision (r22427) in
our source tree contains additional use-after-free bugfixes; we
believe that it is impractical for an attacker to induce execution
of these sections of code.

Index: src/kadmin/server/server_stubs.c
===================================================================
- --- src/kadmin/server/server_stubs.c (revision 22426)
+++ src/kadmin/server/server_stubs.c (revision 22427)
@@ -1628,7 +1628,7 @@
}

if (ret.code != 0)
- - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ errmsg = krb5_get_error_message(NULL, ret.code);
else
errmsg = "success";
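Review bot: Replacing `handle ? handle->context : NULL` with a bare `NULL` does close the dangling dereference (by this point the kadm5_server_handle_t can already have been freed, as DETAILS explains), but it also throws away the extended error text for every error reaching this line, including cases where `handle` is still valid, because krb5_get_error_message() with a NULL context can only return the generic error-table string. If operators rely on that text, a narrower fix would copy the message out before the handle is released, or set `handle` to NULL in the cleanup path so the existing ternary becomes safe. Also note that the leading `- ` on the `--- src/kadmin/server/server_stubs.c` header and on the removed `errmsg =` line is PGP clearsign dash-escaping from the signed advisory, not part of the patch; verify the signed copy with gpg (which strips it) or remove it by hand before feeding the hunk to `patch -p0`.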



This patch is also available at

http://web.mit.edu/kerberos/advisories/2010-003-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

This bug has been public for a while at

http://krbdev.mit.edu/rt/Ticket/Display.html?id=5998

but the security consequence has not been previously widely known.
The security consequence was first made public in a limited context in
the Debian bug found at

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567052

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-0629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0629

ACKNOWLEDGMENTS
===============

Thanks to Sol Jerome for reporting the kadmind crash to Debian.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

MIT krb5 bug #5998 contains the earliest description of this bug.
Debian bug #567052 (referenced above) contains the first public
indication of the security consequence of this bug. Under error
conditions, such as receiving an invalid kadmin API version number,
the kadmin RPC stub init_2_svc() attempts to call
krb5_get_error_message() on a krb5_context handle that is in a
previously-freed kadm5_server_handle_t object. This typically results
in a read operation on an invalid pointer, causing a crash and denial
of service. Releases prior to krb5-1.5 did not use extended error
information in this way, and therefore do not include the vulnerable
code.

The most likely cause of a crash is a legitimate user running a kadmin
client from the krb5-1.8 or newer release, which sends an API version
number not recognized by earlier releases.
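The failure mode described above, and the two ways of avoiding it, modelled as an added example that is not MIT krb5 code: ctx_t, server_handle_t, get_error_message() and the init_stub_* functions are constructed stand-ins for krb5_context, kadm5_server_handle_t, krb5_get_error_message() and the init_2_svc() stub. init_stub_patched() follows the shape of the r22427 fix (release the handle, then build the message with a NULL context), while init_stub_ordered() shows the alternative of saving the extended message before the handle is freed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for krb5_context and kadm5_server_handle_t. */
typedef struct { char extended_msg[64]; } ctx_t;
typedef struct { ctx_t *context; } server_handle_t;

#define SUPPORTED_API_VERSION 2   /* constructed: the version this "server" knows */
#define ERR_BAD_API_VERSION   1

/* Stand-in for krb5_get_error_message(): a NULL context yields only the
 * generic table string; a live context yields its extended message. */
static const char *get_error_message(const ctx_t *ctx, int code) {
    if (ctx != NULL && ctx->extended_msg[0] != '\0')
        return ctx->extended_msg;
    return code == ERR_BAD_API_VERSION ? "Bad API version" : "Unknown error";
}

static server_handle_t *new_handle(void) {
    server_handle_t *h = calloc(1, sizeof *h);
    h->context = calloc(1, sizeof *h->context);
    return h;
}
static void free_handle(server_handle_t *h) { free(h->context); free(h); }

/* Version check shared by both stubs: records the extended message in the
 * context (as the real stub would) and returns the error code, 0 on success. */
static int check_version(server_handle_t *h, int client_api_version) {
    if (client_api_version == SUPPORTED_API_VERSION) return 0;
    snprintf(h->context->extended_msg, sizeof h->context->extended_msg,
             "Unsupported kadmin API version %d", client_api_version);
    return ERR_BAD_API_VERSION;
}

/* Shape of the patched stub: the error path has already released the handle,
 * so the message is built with a NULL context and is only the generic text. */
const char *init_stub_patched(int client_api_version) {
    server_handle_t *h = new_handle();
    int code = check_version(h, client_api_version);
    if (code != 0) { free_handle(h); h = NULL; }   /* h would dangle: drop it */
    const char *msg = code != 0 ? get_error_message(NULL, code) : "success";
    if (h != NULL) free_handle(h);
    return msg;
}

/* Alternative ordering that keeps the extended text: copy the message out of
 * the context before the handle is released. Returns a static buffer. */
const char *init_stub_ordered(int client_api_version) {
    static char out[64];
    server_handle_t *h = new_handle();
    int code = check_version(h, client_api_version);
    snprintf(out, sizeof out, "%s",
             code != 0 ? get_error_message(h->context, code) : "success");
    free_handle(h);                /* released only after the message is saved */
    return out;
}
```

A client sending version 2 gets "success" from both stubs; an unrecognized version gets the generic string from the patched ordering and the full extended message from the save-then-free ordering.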

REVISION HISTORY
================

2010-04-06 original release

Copyright (C) 2010 Massachusetts Institute of Technology