SecurityTracker.com
Category:  Application (Security)  >  kadmind Vendors:  MIT
Kerberos kadmind Buffer Overflow in rename_principal_2_svc() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018295
SecurityTracker URL:  http://securitytracker.com/id?1018295
CVE Reference:  CVE-2007-2798
Date:  Jun 26 2007
Impact:  Execution of arbitrary code via network, Root access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 5-1.6.1 and prior versions
Description:  A vulnerability was reported in the krb5 Kerberos administration daemon (kadmind). A remote authenticated user can execute arbitrary code on the target system.

A remote user can send specially crafted data to trigger a buffer overflow in the rename_principal_2_svc() function and execute arbitrary code on the target system. The code will run with the privileges of the target service (typically root privileges).

Authentication is required to exploit this vulnerability, but administrative privileges are not required.

The vendor was notified on May 15, 2007.

iDefense reported this vulnerability.

Impact:  A remote user can execute arbitrary code on the target system.
Solution:  The vendor has issued a patch, available at:

http://web.mit.edu/kerberos/advisories/2007-005-patch.txt

The patch requires the MITKRB5-SA-2007-002 patch as a prerequisite. Note that the krb5-1.6.1 and krb5-1.5.3 releases already include the prerequisite patch.

The fix will be included in the upcoming krb5-1.6.2 release and krb5-1.5.4 maintenance release.

The MIT advisory is available at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt

Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 26 2007 (Red Hat Issues Fix) Kerberos kadmind Buffer Overflow in rename_principal_2_svc() Lets Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Jun 26 2007 (Red Hat Issues Fix) Kerberos kadmind Buffer Overflow in rename_principal_2_svc() Lets Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4 and 5.
Jul 13 2007 (Novell Issues Fix for Novell KDC) Kerberos kadmind Buffer Overflow in rename_principal_2_svc() Lets Remote Users Execute Arbitrary Code
Novell has issued a fix for Novell KDC.



 Source Message Contents

Date:  Tue, 26 Jun 2007 15:24:45 -0400
Subject:  Kerberos kadmind

 
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
                 MIT krb5 Security Advisory 2007-005
 
Original release: 2007-06-26
Last update: 2007-06-26
 
Topic: kadmind vulnerable to buffer overflow
 
Severity: CRITICAL
 
CVE: CVE-2007-2798
CERT: VU#554257
 
SUMMARY
=======
 
The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow.
 
Exploitation of overflows of stack buffers is known to be simple.  We
have received a proof-of-concept exploit which may invoke a shell, but
we believe that this exploit is not publicly circulated.
 
This is a bug in kadmind in MIT krb5.  It is not a bug in the Kerberos
protocol.
 
IMPACT
======
 
An authenticated remote user may be able to cause a host running
kadmind to execute arbitrary code.
 
Successful exploitation can compromise the Kerberos key database and
host security on the KDC host.  (kadmind typically runs as root.)
Unsuccessful exploitation attempts will likely result in kadmind
crashing.
 
AFFECTED SOFTWARE
=================
 
* kadmind from MIT releases up to and including krb5-1.6.1
 
FIXES
=====
 
* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
  maintenance release, will contain fixes for this vulnerability.
 
Prior to that release you may:
 
* apply the patch
 
This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite.
The krb5-1.6.1 and krb5-1.5.3 releases already contain the
prerequisite patch.
 
  This patch is also available at
 
  http://web.mit.edu/kerberos/advisories/2007-005-patch.txt
 
  A PGP-signed patch is available at
 
  http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc
 
*** src/kadmin/server/server_stubs.c	(revision 20024)
- --- src/kadmin/server/server_stubs.c	(local)
***************
*** 545,557 ****
      static generic_ret		ret;
      char			*prime_arg1,
  				*prime_arg2;
- -     char			prime_arg[BUFSIZ];
      gss_buffer_desc		client_name,
  				service_name;
      OM_uint32			minor_stat;
      kadm5_server_handle_t	handle;
      restriction_t		*rp;
      char                        *errmsg;
  
      xdr_free(xdr_generic_ret, &ret);
  
- --- 545,558 ----
      static generic_ret		ret;
      char			*prime_arg1,
  				*prime_arg2;
      gss_buffer_desc		client_name,
  				service_name;
      OM_uint32			minor_stat;
      kadm5_server_handle_t	handle;
      restriction_t		*rp;
      char                        *errmsg;
+     size_t			tlen1, tlen2, clen, slen;
+     char			*tdots1, *tdots2, *cdots, *sdots;
  
      xdr_free(xdr_generic_ret, &ret);
  
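Review bot: the new locals tlen1/tlen2/clen/slen and tdots1/tdots2/cdots/sdots introduced on the new side of this hunk are only ever assigned through trunc_name(), which this patch neither declares nor defines, so the hunk compiles only on top of the MITKRB5-SA-2007-002 patch that FIXES names as the prerequisite. The removal of `char prime_arg[BUFSIZ];` is the substantive fix, since that is the fixed-size stack destination the DETAILS section describes; any remaining use of prime_arg elsewhere in the function must also be removed for the file to build.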
***************
*** 572,578 ****
  	 ret.code = KADM5_BAD_PRINCIPAL;
  	 goto exit_func;
      }
!     sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
  
      ret.code = KADM5_OK;
      if (! CHANGEPW_SERVICE(rqstp)) {
- --- 573,586 ----
  	 ret.code = KADM5_BAD_PRINCIPAL;
  	 goto exit_func;
      }
!     tlen1 = strlen(prime_arg1);
!     trunc_name(&tlen1, &tdots1);
!     tlen2 = strlen(prime_arg2);
!     trunc_name(&tlen2, &tdots2);
!     clen = client_name.length;
!     trunc_name(&clen, &cdots);
!     slen = service_name.length;
!     trunc_name(&slen, &sdots);
  
      ret.code = KADM5_OK;
      if (! CHANGEPW_SERVICE(rqstp)) {
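Review bot: the four trunc_name() calls that replace `sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);` run unconditionally, before the CHANGEPW_SERVICE() authorization branch, which is consistent with the DETAILS note that the vulnerable code executed prior to privilege verification; the bound they compute is what protects the later log formatting, and that bound is not visible here, so confirm trunc_name() clamps *tlen to a fixed maximum and always assigns *tdots (to "" or a marker), otherwise tdots1/tdots2 are read uninitialized in the syslog calls below. Taking client_name.length and service_name.length rather than strlen() is correct, since gss_buffer_desc values are not NUL-terminated.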
***************
*** 590,597 ****
      } else
  	 ret.code = KADM5_AUTH_INSUFFICIENT;
      if (ret.code != KADM5_OK) {
! 	 log_unauth("kadm5_rename_principal", prime_arg,
! 		    &client_name, &service_name, rqstp);
      } else {
  	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
  						arg->dest);
- --- 598,612 ----
      } else
  	 ret.code = KADM5_AUTH_INSUFFICIENT;
      if (ret.code != KADM5_OK) {
! 	 krb5_klog_syslog(LOG_NOTICE,
! 			  "Unauthorized request: kadm5_rename_principal, "
! 			  "%.*s%s to %.*s%s, "
! 			  "client=%.*s%s, service=%.*s%s, addr=%s",
! 			  tlen1, prime_arg1, tdots1,
! 			  tlen2, prime_arg2, tdots2,
! 			  clen, client_name.value, cdots,
! 			  slen, service_name.value, sdots,
! 			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
      } else {
  	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
  						arg->dest);
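Review bot: the precision arguments in the new format string (`"%.*s%s to %.*s%s, "` and the client/service fields) are tlen1, tlen2, clen and slen, which the earlier hunk declares as size_t, but `%.*s` consumes an int precision from the varargs list; on LP64 targets that mismatch can misalign every following argument, so cast them, e.g. `(int)tlen1, prime_arg1, tdots1,`. Also note that inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr) assumes an IPv4 sockaddr_in transport.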
***************
*** 600,607 ****
  	 else
  	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
  
! 	 log_done("kadm5_rename_principal", prime_arg, errmsg,
! 		  &client_name, &service_name, rqstp);
      }
      free_server_handle(handle);
      free(prime_arg1);
- --- 615,629 ----
  	 else
  	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
  
! 	 krb5_klog_syslog(LOG_NOTICE,
! 			  "Request: kadm5_rename_principal, "
! 			  "%.*s%s to %.*s%s, %s, "
! 			  "client=%.*s%s, service=%.*s%s, addr=%s",
! 			  tlen1, prime_arg1, tdots1,
! 			  tlen2, prime_arg2, tdots2, errmsg,
! 			  clen, client_name.value, cdots,
! 			  slen, service_name.value, sdots,
! 			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
      }
      free_server_handle(handle);
      free(prime_arg1);
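Review bot: this krb5_klog_syslog() call duplicates the format string and the eight truncation arguments of the unauthorized-request branch above, differing only in the "Request:" prefix and the inserted errmsg; the same size_t-versus-int precision cast applies here, and the log_done()/log_unauth() helpers the patch removes could instead be kept with bounded %.*s formatting inside them, so the truncation logic lives in one place. Also confirm that errmsg from krb5_get_error_message() is released after this call, since that is not visible in the hunk.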
 
REFERENCES
==========
 
This announcement is posted at:
 
  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
 
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
 
        http://web.mit.edu/kerberos/advisories/index.html
 
The main MIT Kerberos web page is at:
 
        http://web.mit.edu/kerberos/index.html
 
CVE: CVE-2007-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798
 
CERT: VU#554257
http://www.kb.cert.org/vuls/id/554257
 
ACKNOWLEDGMENTS
===============
 
We thank iDefense for the initial notification.  iDefense credits an
anonymous discoverer.
 
DETAILS
=======
 
The kadmind code which performs the principal renaming operation
passes unchecked string arguments to a sprintf() call which has a
fixed-size stack buffer as its destination.  These strings are the old
and new principal names passed to the rename operation.  The attacker
needs to authenticate to kadmind to perform this attack, but no
administrative privileges are required because the vulnerable code
executes prior to privilege verification.
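The pattern described above, as an added example that is not MIT's code: a stand-in for the patch's trunc_name() (its real cap is not on the page, so LOG_NAME_MAX and the PRIME_ARG_SIZE stand-in for BUFSIZ are assumed values), a check that reports whether the old sprintf() write would have exceeded the buffer without performing it, and the bounded formatter the patch moves to.

```c
#include <stdio.h>
#include <string.h>
#define LOG_NAME_MAX   256   /* assumed per-name cap; the real trunc_name() limit is not on the page */
#define PRIME_ARG_SIZE 1024  /* stands in for the old char prime_arg[BUFSIZ] (assumed size) */

/* Stand-in for the patch's trunc_name(): clamp *len to LOG_NAME_MAX and
 * set *dots to "..." when clamping happened, "" otherwise. */
static void trunc_name(size_t *len, const char **dots)
{
    if (*len > LOG_NAME_MAX) {
        *len = LOG_NAME_MAX;
        *dots = "...";
    } else {
        *dots = "";
    }
}

/* The unpatched code did sprintf(prime_arg, "%s to %s", src, dest) into a fixed
 * stack buffer; report (without writing) whether that would exceed PRIME_ARG_SIZE. */
int would_overflow(const char *src, const char *dest)
{
    size_t need = strlen(src) + strlen(" to ") + strlen(dest) + 1;
    return need > PRIME_ARG_SIZE;
}

/* Hardened form from the patch: precision-bounded %.*s plus a truncation marker,
 * via snprintf() so the output never exceeds out_size. Returns formatted length. */
int format_rename(char *out, size_t out_size, const char *src, const char *dest)
{
    size_t tlen1 = strlen(src), tlen2 = strlen(dest);
    const char *tdots1, *tdots2;
    trunc_name(&tlen1, &tdots1);
    trunc_name(&tlen2, &tdots2);
    /* %.*s takes an int precision: cast the clamped size_t explicitly */
    return snprintf(out, out_size, "%.*s%s to %.*s%s",
                    (int)tlen1, src, tdots1, (int)tlen2, dest, tdots2);
}

/* Self-check on constructed input (two 2000-byte names): returns 1 when the old
 * write would overflow but the bounded output is marked and 2*LOG_NAME_MAX+10 long. */
int demo_self_check(void)
{
    static char src[2001], dest[2001], out[PRIME_ARG_SIZE];
    memset(src, 'A', 2000);  src[2000] = '\0';
    memset(dest, 'B', 2000); dest[2000] = '\0';
    if (!would_overflow(src, dest)) return 0;
    int n = format_rename(out, sizeof out, src, dest);
    if (n != 2 * LOG_NAME_MAX + 10 || strlen(out) != (size_t)n) return 0;
    return strstr(out, "A... to B") != NULL && out[n - 1] == '.';
}
```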
 
REVISION HISTORY
================
 
2007-06-26      original release
 
Copyright (C) 2007 Massachusetts Institute of Technology
 
 


Copyright 2007, SecurityGlobal.net LLC