SecurityTracker.com
Category:  Application (Security)  >  Kerberos
Vendors:  MIT
Kerberos krb5_recvauth() Double-Free Error May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014461
SecurityTracker URL:  http://securitytracker.com/id?1014461
CVE Reference:  CVE-2005-1689   (Links to External Site)
Updated:  Jun 1 2006
Original Entry Date:  Jul 12 2005
Impact:  Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): krb5-1.4.1 and prior versions
Description:  A double-free memory vulnerability was reported in Kerberos in the krb5_recvauth() function. A remote user may be able to execute arbitrary code.

A remote user can create certain error conditions to cause the krb5_recvauth() function to free memory that has been previously freed. Arbitrary code may be executed.

If the target system is a Kerberos Key Distribution Center (KDC) host, then the entire Kerberos realm may be compromised.

The 'kpropd', 'klogind', and 'krshd' applications are affected.

The vulnerability resides in 'krb/recvauth.c'.

The vendor credits Magnus Hagander with reporting this vulnerability.

Impact:  A remote user may be able to execute arbitrary code.
Solution:  The vendor is releasing a fixed version (krb5-1.4.2), available at:

http://web.mit.edu/kerberos/index.html

Also, the following patch is available:

Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt (Links to External Site)
Cause:  State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 13 2005 (Sun Issues Fix) Kerberos krb5_recvauth() Double-Free Error May Let Remote Users Execute Arbitrary Code
Sun has issued a fix.
Aug 16 2005 (Apple Issues Fix) Kerberos krb5_recvauth() Double-Free Error May Let Remote Users Execute Arbitrary Code   (Apple Product Security <product-security@apple.com>)
Apple has issued a fix for Mac OS X 10.4.2.
Sep 22 2006 (HP Issues Fix for HP-UX) Kerberos krb5_recvauth() Double-Free Error May Let Remote Users Execute Arbitrary Code
HP has issued a fix for HP-UX 11.00, 11.11, and 11.23.



 Source Message Contents

Date:  Tue, 12 Jul 2005 14:39:04 -0400
Subject:  [none]

 
 
-----BEGIN PGP SIGNED MESSAGE-----
 
                 MIT krb5 Security Advisory 2005-003
 
Original release: 2005-07-12
 
Topic: double-free in krb5_recvauth
 
Severity: CRITICAL
 
SUMMARY
=======
 
The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689, VU#623332]
 
IMPACT
======
 
An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.
 
AFFECTED SOFTWARE
=================
 
* The kpropd daemon in all releases of MIT krb5, up to and including
  krb5-1.4.1, is vulnerable.
 
* The klogind and krshd remote-login daemons in all releases of MIT
  krb5, up to and including krb5-1.4.1, are vulnerable.
 
* Third-party application programs which call krb5_recvauth() are also
  vulnerable.
 
FIXES
=====
 
* The upcoming krb5-1.4.2 release will have a fix for this
  vulnerability.
 
* Apply the following patch.  This patch was generated against the
  krb5-1.4.1 release.  It may apply, with some offset, to earlier
  releases.
 
  The patch may also be found at:
 
  http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt
 
  The associated detached PGP signature is at:
 
  http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc
 
Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c	3 Sep 2002 01:13:47 -0000	5.38
- --- lib/krb5/krb/recvauth.c	23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
  	    if ((retval = krb5_read_message(context, fd, &inbuf)))
  		return(retval);
  	    if (strcmp(inbuf.data, sendauth_version)) {
- - 		krb5_xfree(inbuf.data);
  		problem = KRB5_SENDAUTH_BADAUTHVERS;
  	    }
  	    krb5_xfree(inbuf.data);
- --- 76,81 ----
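Review bot: removing the early krb5_xfree(inbuf.data) in the strcmp() mismatch branch is the right fix, because control falls through to the unconditional krb5_xfree(inbuf.data) two lines later whether or not `problem` was set, so the branch only needs to record KRB5_SENDAUTH_BADAUTHVERS. Two follow-ups at the same spot: set inbuf.data = NULL after the remaining free so a reintroduced early free degrades to free(NULL), and confirm that krb5_read_message() guarantees a NUL terminator on the peer-supplied buffer, since strcmp(inbuf.data, sendauth_version) otherwise reads past the end of a message the peer sent without one.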
***************
*** 90,96 ****
  	if ((retval = krb5_read_message(context, fd, &inbuf)))
  		return(retval);
  	if (appl_version && strcmp(inbuf.data, appl_version)) {
- - 		krb5_xfree(inbuf.data);
  		if (!problem)
  			problem = KRB5_SENDAUTH_BADAPPLVERS;
  	}
- --- 89,94 ----
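Review bot: same shape as the first hunk, and the unconditional krb5_xfree() this branch now relies on sits just outside the shown context (the DETAILS section confirms it is there), so the fix is consistent. The `if (!problem)` guard means a bad sendauth version takes precedence over a bad application version and the caller learns of only one of two mismatches; that is a reasonable choice but deserves a comment on the line. Note also that the message is read and freed even when appl_version is NULL and no comparison happens, which is correct and should stay so.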
 
REFERENCES
==========
 
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
 
        http://web.mit.edu/kerberos/advisories/index.html
 
The main MIT Kerberos web page is at:
 
        http://web.mit.edu/kerberos/index.html
 
CVE: CAN-2005-1689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689
 
CERT: VU#623332
http://www.kb.cert.org/vuls/id/623332
 
ACKNOWLEDGMENTS
===============
 
Thanks to Magnus Hagander for reporting this vulnerability.
 
DETAILS
=======
 
The helper function recvauth_common() in lib/krb5/krb/recvauth.c has
two locations which call krb5_read_message(), followed by an
unconditional krb5_xfree() of the buffer allocated by
krb5_read_message().  In the cases where the sendauth version string
or the application version string do not match the expected value,
recvauth_common() performs a krb5_xfree() on the buffer allocated by
krb5_read_message() preceding the subsequent unconditional call to
krb5_xfree() on the same buffer.
 
Since the code paths which call krb5_xfree() twice do so with almost
no intervening code, exploitation of this vulnerability may be more
difficult than exploitation of other double-free vulnerabilities.  No
detailed analysis has been performed on the ease of exploitation.
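The following is an added example, not code from MIT krb5 or from the advisory, that reproduces the control-flow shape described in DETAILS (and summarized in the SecurityTracker entry above) so the two frees can be observed without triggering undefined behaviour. `msg_data`, `read_message()`, `tracked_free()`, the `BADAUTHVERS` code and the "wire" strings are constructed stand-ins for krb5_data, krb5_read_message(), krb5_xfree() and KRB5_SENDAUTH_BADAUTHVERS; the value of `SENDAUTH_VERSION` is assumed, not taken from the page. A free ledger records every pointer released and counts a repeat instead of passing it to free() again, so the vulnerable checker reports one double free on a mismatched peer string, while the matching case and the patched checker report none.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for krb5_data (length + heap buffer); not the krb5 type. */
typedef struct {
    unsigned int length;
    char *data;
} msg_data;

/* Hypothetical stand-ins for KRB5_SENDAUTH_BADAUTHVERS and sendauth_version. */
#define BADAUTHVERS 1
#define SENDAUTH_VERSION "KRB5_SENDAUTH_V1.0"   /* assumed value */

/* Free ledger: records every pointer released through tracked_free() and
   counts a repeat instead of calling free() on it a second time, which is
   undefined behaviour (modern allocators usually abort the process). */
#define LEDGER_SIZE 32
static void *ledger[LEDGER_SIZE];
static int ledger_count;
static int double_free_count;

static void ledger_reset(void) { ledger_count = 0; double_free_count = 0; }

static void tracked_free(void *p)
{
    int i;
    if (p == NULL) return;                  /* free(NULL) is a no-op */
    for (i = 0; i < ledger_count; i++) {
        if (ledger[i] == p) {               /* already released once */
            double_free_count++;
            return;
        }
    }
    if (ledger_count < LEDGER_SIZE) ledger[ledger_count++] = p;
    free(p);
}

/* Stand-in for krb5_read_message(): copies a constructed "wire" string into a
   fresh heap buffer, as the real function does with a length-prefixed message. */
static int read_message(const char *wire, msg_data *out)
{
    out->length = (unsigned int)strlen(wire) + 1;
    out->data = malloc(out->length);
    if (out->data == NULL) return -1;
    memcpy(out->data, wire, out->length);
    return 0;
}

/* Pre-1.4.2 shape of the version check: an early free inside the mismatch
   branch, followed by the unconditional free that every path reaches. */
static int check_version_vulnerable(const char *wire, const char *expected, int *problem)
{
    msg_data inbuf;
    if (read_message(wire, &inbuf)) return -1;
    if (strcmp(inbuf.data, expected)) {
        tracked_free(inbuf.data);           /* first free: the line the patch removes */
        *problem = BADAUTHVERS;
    }
    tracked_free(inbuf.data);               /* second free of the same buffer on mismatch */
    return 0;
}

/* Shape after the 2005-003 patch: only the unconditional free remains; the
   pointer is also cleared so a reintroduced early free would hit free(NULL). */
static int check_version_fixed(const char *wire, const char *expected, int *problem)
{
    msg_data inbuf;
    if (read_message(wire, &inbuf)) return -1;
    if (strcmp(inbuf.data, expected))
        *problem = BADAUTHVERS;
    tracked_free(inbuf.data);
    inbuf.data = NULL;
    return 0;
}

typedef int (*version_check_fn)(const char *, const char *, int *);
static int last_problem;

/* Runs one checker against a peer-supplied version string and returns how many
   double frees the ledger observed (-1 on allocation failure). */
int double_frees_for(version_check_fn check, const char *wire)
{
    ledger_reset();
    last_problem = 0;
    if (check(wire, SENDAUTH_VERSION, &last_problem)) return -1;
    return double_free_count;
}

/* Error code recorded by the most recent double_frees_for() run. */
int last_problem_code(void) { return last_problem; }

int main(void)
{
    int n;
    n = double_frees_for(check_version_vulnerable, "KRB5_SENDAUTH_V2.0");
    printf("vulnerable, mismatched peer: %d double free(s), problem=%d\n", n, last_problem_code());
    n = double_frees_for(check_version_vulnerable, SENDAUTH_VERSION);
    printf("vulnerable, matching peer:   %d double free(s), problem=%d\n", n, last_problem_code());
    n = double_frees_for(check_version_fixed, "KRB5_SENDAUTH_V2.0");
    printf("fixed, mismatched peer:      %d double free(s), problem=%d\n", n, last_problem_code());
    return 0;
}
```

The ledger is the point of the exercise: the attacker-controlled input is nothing more than a version string that does not match, which is why the advisory describes the trigger as "certain error conditions" reachable before authentication. Swapping `tracked_free()` for a real `free()` in the vulnerable checker turns the counted event back into the crash or heap corruption the advisory warns about.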
 
REVISION HISTORY
================
 
2005-07-12      original release
 
Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)
 
iQCVAwUBQtMbD6bDgE/zdoE9AQGmhQP+MYnmuw4+J3yIcQbS3chjZXVLHebTJJtN
jM5+cMBDQfYdpuoQER1Bbaf+7Ky1BoyX2zHfANzdDAiSFRykbFqEqgvdw9jqEFmx
ela1UtOhV5H80BZAzmGV+dVIqGPpWH0f4ArRe18Pbz2wZE0Vadq9VkBTJwHI23En
K3a9oiHA/XM=
=ZS63
-----END PGP SIGNATURE-----
 








Copyright 2006, SecurityGlobal.net LLC