SecurityTracker.com
SecurityTracker Archives

Category: Application (Security) > OpenSSH
Vendors: OpenSSH.org
OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
SecurityTracker Alert ID:  1004115
SecurityTracker URL:  http://securitytracker.com/id/1004115
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Apr 19 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): 2.2.0 - 3.1.0
Description:   A buffer overflow vulnerability has been reported in OpenSSH server. A local user can trigger the overflow to gain root level operating system access.

It is reported that the flaw exists in OpenSSH's Kerberos Ticket Granting Ticket (TGT) and/or AFS Token passing. According to the report, the GETSTRING macro in the radix_to_creds() function in the 'radix.c' file contains unchecked buffer operations. The affected buffers are:

creds->service
creds->instance
creds->realm
creds->pinst

A local user can apparently trigger the overflow by sending a specially crafted, malformed request for either of the following operations:

1. pass Kerberos IV TGT
2. pass AFS Token

Apparently, the code clears the CREDENTIALS structure at the end of the auth_krb4_tgt() function (in file 'auth_krb4.c') but fails to clear user-supplied contents from the temp[] buffer in the radix_to_creds() function, which is where the server decodes the ticket. When the server decodes the Kerberos ticket, the overflow can be triggered to cause arbitrary code to be executed with root level privileges.

The author of the report has provided a URL for some demonstration exploit code:

http://www.freeweb.hu/mantra/04_2002/tgt-x86Linux.tar.gz
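A bounds-checked decoder of the kind the report calls for, added here as an illustration and not OpenSSH's own radix.c: each field copy refuses input that would not fit its destination, and both the temp[] staging buffer and any partial output are cleared before returning. The field width, the struct layout and the NUL-separated ticket format are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical field width; the real Kerberos IV CREDENTIALS layout is not reproduced. */
#define FIELD_LEN 40
struct creds { char service[FIELD_LEN], instance[FIELD_LEN], realm[FIELD_LEN], pinst[FIELD_LEN]; };

/* Zero memory via a volatile pointer so the compiler cannot elide the store
 * (explicit_bzero or memset_s, where available, serve the same purpose). */
static void secure_clear(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* Bounded replacement for an unchecked "copy until NUL" macro: pull one
 * NUL-terminated string from buf at *pos into dst. Returns the bytes consumed
 * (including the NUL), or 0 if the string is unterminated or would not fit. */
static size_t get_string(const unsigned char *buf, size_t buflen, size_t *pos, char *dst, size_t dstlen)
{
    size_t i = *pos, n = 0;
    while (i < buflen && n < dstlen) {
        dst[n] = (char)buf[i];
        if (buf[i] == '\0') { *pos = i + 1; return n + 1; }
        i++; n++;
    }
    secure_clear(dst, dstlen);   /* never leave a partial copy behind */
    return 0;
}

/* Decode the four string fields of a ticket into c. Returns 1 on success and
 * 0 on malformed input; the scratch buffer is cleared on every return path. */
int decode_creds(const unsigned char *buf, size_t buflen, struct creds *c)
{
    unsigned char temp[256];     /* staging copy of the decoded ticket */
    size_t pos = 0;
    int ok = 0;
    memset(c, 0, sizeof *c);
    if (buflen > sizeof temp) return 0;
    memcpy(temp, buf, buflen);
    if (get_string(temp, buflen, &pos, c->service, sizeof c->service) &&
        get_string(temp, buflen, &pos, c->instance, sizeof c->instance) &&
        get_string(temp, buflen, &pos, c->realm, sizeof c->realm) &&
        get_string(temp, buflen, &pos, c->pinst, sizeof c->pinst))
        ok = 1;
    if (!ok) secure_clear(c, sizeof *c);
    secure_clear(temp, sizeof temp); /* user-supplied bytes must not linger on the stack */
    return ok;
}
```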

Impact:   A remote user can execute arbitrary code on the server with root level privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.openssh.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local and Remote Users Execute Arbitrary Code With Root Level Permissions
The vendor has issued a fix and reported that remote access is also possible.
(OpenBSD Issues Patch) Re: OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
A patch is available for OpenBSD.
(OpenBSD Issues Fix for OpenBSD 2.9 and 3.1) Re: OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
The vendor has issued a fix for OpenBSD 2.9 and 3.1 (3.0 was mentioned in a previous alert).
(Openbsd Issues Fix for 3.x) OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
The vendor has released a fix.
(Trustix Issues Fix) OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
The vendor has released a fix for Trustix Secure Linux.
(Caldera Issues Fix for OpenLinux) OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
The vendor has released a fix.

Source Message Contents

Subject:  OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable

The bug affects servers offering Kerberos TGT 
and/or AFS Token passing. The vulnerability can lead 
to a root compromise.

more: mantra.freeweb.hu

Marcell Fodor


---------------------

18.04.2002
security bug report:


OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow.
The bug affects servers offering Kerberos TGT and/or AFS Token passing.
The vulnerability can lead to a root compromise.

 bug details:
 
    radix.c
    GETSTRING macro in radix_to_creds function may cause buffer overflow.
    affected buffers:
    
        creds->service
        creds->instance
        creds->realm
        creds->pinst

    user can exploit the vulnerability by sending a malformed request for:
    
        1. pass Kerberos IV TGT
        2. pass AFS Token


 For security considerations the CREDENTIALS structure is erased at the end of
 the auth_krb4_tgt function (auth_krb4.c). This makes code injection impossible at
 first look, since the user supplied code is cleared.
 Well, it's all there! Check the temp[] buffer in radix_to_creds() function. This is
 the place where the server decoded the ticket.

 It should be considered in further versions to clear the temp buffer prior to
 returning from the radix_to_creds function.

---------------------
Copyright 2021, SecurityGlobal.net LLC