OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
SecurityTracker Alert ID: 1004115
SecurityTracker URL: http://securitytracker.com/id/1004115
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 19 2002
Impact:
Execution of arbitrary code via local system, Root access via local system
Exploit Included: Yes
Version(s): 2.2.0 - 3.1.0
Description:
A buffer overflow vulnerability has been reported in OpenSSH server. A local user can trigger the overflow to gain root level operating system access.
It is reported that the flaw exists in OpenSSH's Kerberos Ticket Granting Ticket (TGT) and/or AFS Token passing. According to the report, the GETSTRING macro in the radix_to_creds() function in the 'radix.c' file contains unchecked buffer operations. The affected buffers are:
creds->service
creds->instance
creds->realm
creds->pinst
A local user can apparently send a specially crafted, malformed request to:
1. pass Kerberos IV TGT
2. pass AFS Token
Apparently, the code clears the CREDENTIALS structure at the end of the auth_krb4_tgt() function (in file 'auth_krb4.c') but fails to clear user-supplied contents from the temp[] buffer in the radix_to_creds() function, which is where the server decodes the ticket. When the server decodes the Kerberos ticket, the overflow can be triggered to cause arbitrary code to be executed with root level privileges.
The author of the report has provided a URL for some demonstration exploit code:
http://www.freeweb.hu/mantra/04_2002/tgt-x86Linux.tar.gz
Impact:
A remote user can execute arbitrary code on the server with root level privileges.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.openssh.org/
Cause:
Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable
The bug affects servers offering Kerberos TGT and/or AFS Token passing. The vulnerability can lead to a root compromise.
more: mantra.freeweb.hu
Marcell Fodor
---------------------
18.04.2002
security bug report:
OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow.
The bug affects servers offering Kerberos TGT and/or AFS Token passing.
The vulnerability can lead to a root compromise.
bug details:
radix.c
The GETSTRING macro in the radix_to_creds function may cause a buffer overflow.
affected buffers:
creds->service
creds->instance
creds->realm
creds->pinst
A user can exploit the vulnerability by sending a malformed request for:
1. pass Kerberos IV TGT
2. pass AFS Token
For security considerations the CREDENTIALS structure is erased at the end of the auth_krb4_tgt function (auth_krb4.c). This makes code injection impossible at first look, since the user-supplied code is cleared.
Well, it's all there! Check the temp[] buffer in the radix_to_creds() function. This is the place where the server decoded the ticket.
It should be considered in further versions to clear the temp buffer prior to returning from the radix_to_creds function.
---------------------
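As an added example (not OpenSSH's radix.c and not code from Marcell Fodor's report), here is the defensive shape that both the alert's description and the report above point at: a bounded replacement for the GETSTRING copy that rejects any field which would not fit its destination, plus a wipe of the temporary decode buffer before returning, as the report recommends. Struct fields, sizes and function names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
/* Field and buffer sizes are constructed for this example, not taken from Kerberos headers. */
#define FIELD_LEN 16
#define TEMP_LEN 64

struct creds_ex {
    char service[FIELD_LEN], instance[FIELD_LEN], realm[FIELD_LEN], pinst[FIELD_LEN];
};

/* Copy one NUL-terminated string from in[*pos .. len) into dst (capacity dlen).
 * Returns 0 on success, -1 if the input runs out or no terminator fits in dst.
 * The loop bound is the destination size, so dst[dlen] is never written. */
static int get_string_bounded(const unsigned char *in, size_t len, size_t *pos,
                              char *dst, size_t dlen)
{
    size_t i;
    for (i = 0; i < dlen; i++) {
        if (*pos >= len)
            return -1;          /* ran off the end of the decoded buffer */
        dst[i] = (char)in[(*pos)++];
        if (dst[i] == '\0')
            return 0;           /* terminator found inside the field */
    }
    return -1;                  /* dlen bytes and still no NUL: reject, do not truncate */
}

/* Zero memory in a way the compiler is not allowed to drop as dead stores. */
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* Parse the four string fields from a decoded ticket into c.
 * On any failure c is cleared; temp (the decode buffer) is always wiped,
 * which is the clearing the report says radix_to_creds() lacked. */
int parse_creds_ex(const unsigned char *ticket, size_t len, struct creds_ex *c)
{
    unsigned char temp[TEMP_LEN];
    size_t pos = 0;
    int rc = -1;
    if (len > sizeof temp) return -1;
    memcpy(temp, ticket, len);
    if (get_string_bounded(temp, len, &pos, c->service, sizeof c->service) == 0 &&
        get_string_bounded(temp, len, &pos, c->instance, sizeof c->instance) == 0 &&
        get_string_bounded(temp, len, &pos, c->realm, sizeof c->realm) == 0 &&
        get_string_bounded(temp, len, &pos, c->pinst, sizeof c->pinst) == 0)
        rc = 0;
    if (rc != 0) wipe(c, sizeof *c);
    wipe(temp, sizeof temp);
    return rc;
}
```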