Kerberos kadmin/KDC Stack Overflow in krb5_klog_syslog() Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID: 1017849|
SecurityTracker URL: http://securitytracker.com/id/1017849
(Links to External Site)
Date: Apr 3 2007
Execution of arbitrary code via network, Root access via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): krb5 prior to krb5-1.6.1|
A vulnerability was reported in Kerberos in the administration daemon and the KDC. A remote authenticated user can execute arbitrary code on the target system.|
A remote authenticated user can send specially crafted data to trigger a stack overflow in the krb5_klog_syslog() function and execute arbitrary code on the target system. The code will run with the privileges of the target service, which typically runs with root privileges. This can compromise the Kerberos key database.
The vulnerability resides in the kadm5 library. As a result, third party applications that use the library may be affected.
The vendor credits iDefense with reporting this vulnerability.
A remote authenticated user can execute arbitrary code on the target system, typically with root level privileges.|
The vendor has issued a patch, available at:|
The pending krb5-1.6.1 release will include this fix.
The MIT advisory is available at:
Vendor URL: web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt (Links to External Site)
Linux (Any), UNIX (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: Tue, 3 Apr 2007 14:48:22 -0400|
-----BEGIN PGP SIGNED MESSAGE-----
MIT krb5 Security Advisory 2007-002
Original release: 2007-04-03
Last update: 2007-04-03
Topic: KDC, kadmind stack overflow in krb5_klog_syslog
The library function krb5_klog_syslog() can write past the end of a
stack buffer. The Kerberos administration daemon (kadmind) as well as
the KDC, are vulnerable. Exploitation of this vulnerability is
This is a vulnerability in the the kadm5 library, which is used by the
KDC and kadmind, and possibly by some third-party applications. It is
not a bug in the MIT krb5 protocol libraries or in the Kerberos
An authenticated user may be able to cause a host running kadmind to
execute arbitrary code.
An authenticated user may be able to cause a KDC host to execute
arbitrary code. Also, a user controlling a Kerberos realm sharing a
key with the target realm may be able to cause a KDC host to execute
Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs. (kadmind and the
KDC typically run as root.) Unsuccessful exploitation attempts will
likely result in the affected program crashing.
Third-party applications which call krb5_klog_syslog() may also be
* MIT krb5 releases through krb5-1.6
* The upcoming krb5-1.6.1 release will contain a fix for this
Prior to that release you may:
* apply the patch
The patch is available at
A PGP-signed patch is available at
Systems which definitely provide vsnprintf() may not need the entire
patch; see "DETAILS".
Please note that releases prior to krb5-1.5 will require additional
changes to the configure script src/lib/kadm5/configure in order to
correctly detect the presence of vsnprintf(). krb5-1.5 and later
releases already check for vsnprintf() in the top-level configure
script, and do not have a separate src/lib/kadm5/configure script.
This announcement is posted at:
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
The main MIT Kerberos web page is at:
We thank iDefense Labs for notifying us of this vulnerability.
iDefense credits an anonymous discoverer.
krb5_klog_syslog() uses vsprintf() to format text into a fixed-length
stack buffer. Format specifiers such as "%s" used in calls to
krb5_klog_syslog() may allow formatting of strings of sufficient
length to overwrite memory past the end of the stack buffer.
Certain strings received from the client by the kadmin daemon are not
truncated prior to logging. Among these strings is the target
principal for the kadmin operation.
The KDC truncates most client-originated strings prior to logging.
One sort of string which is not truncated is a transited-realms
string. A malicious KDC sharing a key with the target realm may issue
tickets with specially-crafted transited-realms strings to exploit
this vulnerability. There are other places where an authenticated
user may cause the KDC to log a string which triggers the
On a system where vsnprintf() is confirmed to be available, the
patches to files other than src/lib/kadm5/logger.c may not be
necessary to prevent a buffer overflow; these patches are still useful
to prevent malicious users from causing vsnprintf() to obliterate
useful log information by means of truncation.
2007-04-03 original release
Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)
-----END PGP SIGNATURE-----