SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
SecurityTracker
Archives
Category:  Application (Security)  >  Kerberos
Vendors:  MIT
Kerberos telnetd Grants Access to Remote Users
SecurityTracker Alert ID:  1017848
SecurityTracker URL:  http://securitytracker.com/id?1017848
CVE Reference:  CVE-2007-0956
Date:  Apr 3 2007
Impact:  Root access via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): krb5 prior to krb5-1.6.1
Description:  A vulnerability was reported in Kerberos in the telnet daemon. A remote user can bypass authentication and gain access to the target system.

A remote user can invoke telnet and set a specially crafted username that begins with '-e' to gain remote access to the specified username account on the target system.
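The following is an added example written for this page; it is not code from MIT krb5 or from the vendor patch, and the function names and sample inputs are hypothetical and constructed. It shows the kind of input check that closes the hole described above: before a client-supplied login name is placed in the argv of a login program, it is rejected if the login program would read it as an option, and environment entries forwarded the same way get the same treatment. It goes beyond the fix's leading-'-' test by applying an allowlist of portable username characters.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example code written for this page; not MIT krb5 telnetd code, and the
 * function names are hypothetical.  The idea mirrors the vendor fix: a
 * client-chosen login name such as "-e" must never reach the argv of a
 * login program, because that program parses leading '-' words as options. */

/* Return 1 if NAME may be passed as a positional argv word to login,
 * 0 otherwise.  Generalizes the leading-'-' test with an allowlist of the
 * POSIX portable filename characters normally used for account names. */
int login_name_is_safe(const char *name)
{
    size_t i;

    if (name == NULL || name[0] == '\0')
        return 0;                       /* nothing to log in as */
    if (name[0] == '-')
        return 0;                       /* "-e" and friends would be read as options */
    for (i = 0; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;                   /* space, '=', control bytes, non-ASCII: reject */
    }
    return 1;
}

/* Copy the "NAME=value" entries from ENV that are safe to forward as extra
 * argv words: an entry is dropped when it starts with '-' (the same rule the
 * sys_term.c fix applies to environ) or lacks '=' (not an assignment at all).
 * OUT must have room for N pointers; the number of entries kept is returned. */
size_t filter_env_args(const char *const *env, size_t n, const char **out)
{
    size_t i, kept = 0;

    for (i = 0; i < n; i++) {
        const char *e = env[i];
        if (e == NULL || e[0] == '-' || strchr(e, '=') == NULL)
            continue;
        out[kept++] = e;
    }
    return kept;
}

int main(void)
{
    /* Constructed sample input: benign names, the advisory's "-e" form,
     * and an environment list with one injected "-e" word. */
    const char *names[] = { "alice", "-e", "-ealice", "svc-backup", "al ice" };
    const char *env[] = { "TERM=xterm", "-e", "USER=-x", "NOEQUALS" };
    const char *kept[4];
    size_t i, n;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s %s\n", names[i],
               login_name_is_safe(names[i]) ? "ok" : "rejected");

    n = filter_env_args(env, 4, kept);
    for (i = 0; i < n; i++)
        printf("forward: %s\n", kept[i]);
    return 0;
}
```

Note that `USER=-x` is kept: as an argv word it begins with `U`, so an option parser never sees the leading dash; only a word that itself starts with `-` is dangerous, which is exactly what both checks target.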

Impact:  A remote user can gain access to the target system.
Solution:  The vendor has issued a patch, available at:

http://web.mit.edu/kerberos/advisories/2007-001-patch.txt

The pending krb5-1.6.1 release will include the fix.

The MIT advisory is available at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt

Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
Cause:  Authentication error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 3 2007 (Red Hat Issues Fix) Kerberos telnetd Grants Access to Remote Users   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, 4, and 5.
Apr 3 2007 (IBM Issues Fix for AIX) Kerberos telnetd Grants Access to Remote Users
IBM has issued a fix for Network Authentication Service on IBM AIX 5.2 and 5.3.
Apr 4 2007 (Sun Describes Workaround) Kerberos telnetd Grants Access to Remote Users
Sun has described a workaround for the SEAM telnet daemon.



 Source Message Contents

Date:  Tue, 3 Apr 2007 14:38:18 -0400
Subject:  Kerberos

 
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
                 MIT krb5 Security Advisory 2007-001
 
Original release: 2007-04-03
Last update: 2007-04-03
 
Topic: telnetd allows login as arbitrary user
 
Severity: CRITICAL
 
CVE: CVE-2007-0956
CERT: VU#220816
 
SUMMARY
=======
 
The MIT krb5 telnet daemon (telnetd) allows unauthorized login as an
arbitrary user, when presented with a specially crafted username.
Exploitation of this vulnerability is trivial.
 
This is a vulnerability in an application program; it is not a bug in
the MIT krb5 libraries or in the Kerberos protocol.
 
IMPACT
======
 
A user can gain unauthorized access to any account (including root) on
a host running telnetd.  Whether the attacker needs to authenticate
depends on the configuration of telnetd on that host.
 
AFFECTED SOFTWARE
=================
 
* telnetd in all releases of MIT krb5, up to and including krb5-1.6
 
FIXES
=====
 
* The upcoming krb5-1.6.1 release will contain a fix for this
  vulnerability.
 
Prior to that release you may:
 
* disable telnetd
 
or
 
* apply the patch
 
  This patch is also available at
 
  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt
 
  A PGP-signed patch is available at
 
  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt.asc
 
*** src/appl/telnet/telnetd/state.c	(revision 19480)
- --- src/appl/telnet/telnetd/state.c	(local)
***************
*** 1665,1671 ****
  	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
  	    strcmp(varp, "NLSPATH") && /* locale stuff */
  	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! 	    strcmp(varp, "IFS")) {
  		return 1;
  	} else {
  		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\""
, varp); - --- 1665,1672 ---- strcmp(varp, "RESOLV_HOST_CONF") && /* linux */ strcmp(varp, "NLSPATH") && /* locale stuff */ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */ ! strcmp(varp, "IFS") && ! !strchr(varp, '-')) { return 1; } else { syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\""
, varp); *** src/appl/telnet/telnetd/sys_term.c (revision 19480) - --- src/appl/telnet/telnetd/sys_term.c (local) *************** *** 1287,1292 **** - --- 1287,1302 ---- #endif #if defined (AUTHENTICATION) if (auth_level >= 0 && autologin == AUTH_VALID) { + if (name[0] == '-') { + /* Authenticated and authorized to log in to an + account starting with '-'? Even if that + unlikely case comes to pass, the current login + program will not parse the resulting command + line properly. */ + syslog(LOG_ERR, "user name cannot start with '-'"); + fatal(net, "user name cannot start with '-'"); + exit(1); + } # if !defined(NO_LOGIN_F) #if defined(LOGIN_CAP_F) argv = addarg(argv, "-F"); *************** *** 1377,1387 **** } else #endif if (getenv("USER")) { ! argv = addarg(argv, getenv("USER")); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) { register char **cpp; for (cpp = environ; *cpp; cpp++) argv = addarg(argv, *cpp); } #endif - --- 1387,1405 ---- } else #endif if (getenv("USER")) { ! char *user = getenv("USER"); ! if (user[0] == '-') { ! /* "telnet -l-x ..." */ ! syslog(LOG_ERR, "user name cannot start with '-'"); ! fatal(net, "user name cannot start with '-'"); ! exit(1); ! } ! 
argv = addarg(argv, user); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) { register char **cpp; for (cpp = environ; *cpp; cpp++) + if ((*cpp)[0] != '-') argv = addarg(argv, *cpp); } #endif

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-0956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956

CERT: VU#220816
http://www.kb.cert.org/vuls/id/220816

ACKNOWLEDGMENTS
===============

This vulnerability was found when attempting to confirm the absence of
a related vulnerability in the Solaris telnetd. [CVE-2007-0882]

DETAILS
=======

The MIT krb5 telnet daemon fails to adequately check the provided
username. A malformed username beginning with "-e" can be interpreted
as a command-line flag by the login.krb5 program, which is executed by
telnetd. This causes login.krb5 to execute part of the BSD rlogin
protocol, where an arbitrary username may be injected, allowing login
as that user without a password or any further authentication.

If the telnet daemon is configured to only permit authenticated login,
then only authenticated users can exploit this vulnerability.

REVISION HISTORY
================

2007-04-03 original release

Copyright (C) 2007 Massachusetts Institute of Technology

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRhKVRabDgE/zdoE9AQIzPAQAj8a7ShfHXVVMOPQhEyoN/Ydnalnfa2xE
cl7UXFSjmkexalD+rymL0upLFw7EVgnYrVazc+AUhDLt1AZmCl5Lj2+WAcl1QYPu
fEGm2SFaS4Eda6NRb6xZ4BeY8zfRWFN2G8Bb5krpGj+oEX/c3Xg8O4oUyiJBYBQi
TXhryamn6Yw=
=aE5C
-----END PGP SIGNATURE-----
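Review bot: In the state.c hunk (1665,1672), the added `!strchr(varp, '-')` test rejects a variable name containing '-' anywhere, not only at the start. Since names that pass here are later forwarded to login as argv words, only a leading '-' can be taken as an option, so the broader test is a safe over-approximation, but a short comment in the style of the neighbouring `/* locale stuff */` remarks would make that intent clear to the next reader.

Review bot: In the sys_term.c hunk (1287,1302), the `exit(1);` placed directly after `fatal(net, "user name cannot start with '-'");` is unreachable if `fatal()` never returns; either drop it or add a comment saying it is a deliberate fallback for the case where `fatal()` can return, so it is not mistaken for a path that was meant to be reached.

Review bot: In the sys_term.c hunk (1377,1405), the environ loop now silently drops entries with `if ((*cpp)[0] != '-')`, whereas the state.c hunk logs every rejected name with `syslog(LOG_INFO, ...)`; logging the dropped entry here too would keep a tampering attempt visible in the audit trail. Also, the `user[0] == '-'` check sits only inside the `if (getenv("USER"))` branch, so the `} else` path just above it should be confirmed to reach `addarg` only with a name that was already validated by the earlier hunk.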


Copyright 2006, SecurityGlobal.net LLC