Kerberos Application Flaws in Evaluating setuid/seteuid Calls May Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1016664
SecurityTracker URL: http://securitytracker.com/id?1016664
CVE Reference: CVE-2006-3083, CVE-2006-3084
Updated: Aug 17 2006
Original Entry Date: Aug 8 2006
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): krb5-1.5 and prior krb5 versions
Description: A vulnerability was reported in some applications packaged with Kerberos. A local user may be able to obtain elevated privileges on the target system.

Certain application programs packaged in the MIT Kerberos 5 source distribution do not properly check the results of some setuid() [CVE-2006-3083] and seteuid() [CVE-2006-3084] function calls. This may potentially allow a local user to obtain elevated privileges. The vulnerability occurs when the OS-specific implementation of setuid() or seteuid() fails due to resource exhaustion when changing to an unprivileged user ID, so the program continues running with the privileges it believed it had dropped.

krshd, v4rcp, and ftpd may allow a local user to gain root privileges. ksu may allow a local user to fill a file with null bytes and then delete the file with root privileges.

The vendor indicates that the primary risk is to Linux-based systems, but that no exploit code is known to exist [at the time of this entry]. Kerberos applications provided by IBM for AIX are not vulnerable [but the applications provided by MIT are vulnerable on AIX].

The vendor credits Michael Calmer and Marcus Meissner at SUSE with reporting this vulnerability.
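The flaw class described above, shown as an added C example that is not code from the MIT Kerberos distribution or from the advisory: a privilege-drop routine that discards the return values of setgid() and setuid(), next to a hardened version that checks each call and then independently verifies the identity the kernel actually applied. The function names are illustrative assumptions. The resource-exhaustion failure the entry refers to is real: on Linux, setuid() to a different user can fail with EAGAIN when that user's RLIMIT_NPROC process limit is already reached, and a program that ignores the return value keeps running as root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (for contrast, hypothetical helper): the return
 * values of setgid() and setuid() are thrown away. If setuid() fails,
 * e.g. with EAGAIN on Linux because the target user's RLIMIT_NPROC is
 * exhausted, the process silently stays root while the rest of the
 * program assumes it is unprivileged. */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
    /* ... continues as whatever user this process actually is ... */
}

/* Hardened form (hypothetical helper): check every return value, then
 * verify the resulting identity before trusting it. Returns 0 only when
 * the drop is confirmed, -1 otherwise; callers must treat -1 as fatal
 * and exit rather than carry on. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Group first: once the uid is unprivileged, setgid() would fail. */
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%ld) failed: %s\n", (long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%ld) failed: %s\n", (long)uid, strerror(errno));
        return -1;
    }
    /* Confirm the kernel applied the change to real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "identity check failed after privilege drop\n");
        return -1;
    }
    /* If we dropped from root, regaining it must now be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privilege drop was not permanent\n");
        return -1;
    }
    return 0;
}

/* Returns 1 if real and effective ids are exactly uid/gid, else 0. */
int identity_is(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    /* Dropping to our own ids is always permitted, so this demonstrates
     * the checked path without needing root. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges_checked(uid, gid) != 0)
        return 1;
    printf("running as uid %ld gid %ld, privilege drop verified\n",
           (long)uid, (long)gid);
    return 0;
}
```

The same discipline applies to the seteuid() calls in ksu: a temporary drop whose failure is ignored leaves the effective uid at root for the file operations that follow. Clearing supplementary groups with setgroups() before setuid() is also part of a complete privilege drop; it is omitted here only because it is root-only and not portable across the platforms this entry lists.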

Impact: A local user may be able to obtain elevated privileges on the target system.

Solution: The vendor has issued a patch for the krb5-1.5 release, available at:
http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt

The vendor has issued a patch for the krb5-1.4.3 release, available at:
http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt

On August 16, 2006, the vendor issued revised patches to correct an error in the original patches. The patch URLs have not changed. The correct patch includes revision 18419 of 'clients/ksu/main.c'.

The vendor plans to issue fixed versions (krb5-1.5.1 and krb5-1.4.4).

The MIT/Kerberos advisory is available at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt

Vendor URL: web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Tue, 8 Aug 2006 16:46:43 -0400
Subject: Kerberos vulnerabilities

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt
CVE-2006-3083
CVE-2006-3084