SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Kfd Vendors:   Royal Institute of Technology
(NetBSD Recommends Removal of the Vulnerable Programs) Heimdal Kerberos 'kfd' Buffer Overflows May Let Remote Users Gain Root Access
SecurityTracker Alert ID:  1005230
SecurityTracker URL:  http://securitytracker.com/id/1005230
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 17 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.4 and prior versions
Description:   Buffer overflows were reported in the Kerberos 'kf' and 'kfd' ticket forwarding utilities (part of the Heimdal Kerberos distribution). A remote user could possibly trigger a buffer overflow to execute arbitrary code and gain root access on the system.

It is reported that use of these utilities is not recommended.

To determine which version of kfd is installed, run kfd --version, as shown below:

# /usr/heimdal/libexec/kfd --version
kfd (Heimdal 0.5, KTH-KRB 1.2)
Copyright (c) 1999-2002 Kungliga Tekniska H gskolan
Send bug-reports to heimdal-bugs@pdc.kth.se

Impact:   A remote user may be able to execute arbitrary code with root privileges to gain root access on the system.
Solution:   NetBSD recommends that you remove these programs. The NetBSD-current sources as of September 11, 2002 no longer contain these programs.

Note that sources for the 1.6 release (and branch) still inlcude these programs. Therefore, a "make build" will re-install vulnerable binaries into /usr/bin/kf and /usr/libexec/kfd. As noted in the 1.6 LAST_MINUTE release notes, please remove them after each "make build".

* NetBSD all releases:

Check that you don't have kfd in your /etc/inetd.conf.

% grep kfd /etc/inetd.conf

Remove these programs:

# rm /usr/bin/kf
# rm /usr/libexec/kfd
# rm /usr/share/man/cat1/kf.0
# rm /usr/share/man/cat8/kfd.0
# rm /usr/share/man/man1/kf.1
# rm /usr/share/man/man8/kfd.8

Vendor URL:  www.pdc.kth.se/heimdal/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  NetBSD 1.6 and prior versions

Message History:   This archive entry is a follow-up to the message listed below.
Sep 17 2002 Heimdal Kerberos 'kfd' Buffer Overflows May Let Remote Users Gain Root Access



 Source Message Contents

Subject:  NetBSD Security Advisory 2002-018: Multiple security isses with kfd daemon


-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-018
		 =================================

Topic:		Multiple security isses with kfd daemon

Version:	NetBSD-current:	source prior to September 10, 2002
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	not affected

Severity:	remote buffer overrun, possibly resulting in root exploit

Fixed:		NetBSD-current:		September 11, 2002
		NetBSD-1.6 branch:	not yet
		NetBSD-1.5 branch:	September 11, 2002


Abstract
========

Kf and kfd are used to forward Kerberos credentials in a stand-alone
fashion, and come from the Heimdal Kerberos implementation used by
NetBSD.  In Heimdal releases earlier than 0.5, these programs have
multiple security issues, including possible buffer overruns.

The kfd daemon has never been enabled by default in NetBSD; enabling
it would have required a port name to be added to /etc/services.


Technical Details
=================

The client sent information about user and files without integrity
protection, making it possible to overwrite any file the user had
access to. The server also passed some of this data to other functions
without checking that strings were zero terminated, possibly resulting
in root exploit.

All versions prior to Heimdal 0.5 are vulnerable.  You can tell which
version of kfd you have by running /usr/libexec/kfd --version.

See also: http://www.pdc.kth.se/heimdal/


Solutions and Workarounds
=========================

As this is not a vital service, and is very likely unused by most
installations, the straightforward solution is to remove these
programs. This has been done in NetBSD-current sources on September
11, 2002. Note that even after this time, systems may still have
binaries left behind from earlier builds.

Note that sources for the 1.6 release (and branch) still inlcude these
programs. Therefore, a "make build" will re-install vulnerable
binaries into /usr/bin/kf and /usr/libexec/kfd. As noted in the 1.6
LAST_MINUTE release notes, please remove them after each "make build".

* NetBSD all releases:

        Check that you don't have kfd in your /etc/inetd.conf.

        % grep kfd /etc/inetd.conf

        Remove these programs:

        # rm /usr/bin/kf
        # rm /usr/libexec/kfd
        # rm /usr/share/man/cat1/kf.0
        # rm /usr/share/man/cat8/kfd.0
        # rm /usr/share/man/man1/kf.1
        # rm /usr/share/man/man8/kfd.8


Thanks To
=========

joda@pdc.kth.se (Johan Danielsson)


Revision History
================

	2002-09-16	Initial release


More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-018.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-018.txt,v 1.9 2002/09/16 22:59:39 dan Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYZiaj5Ru2/4N2IFAQG3YQP6AxY5rsaUAgEIIQ3TVsLPbqplH4ARheS6
zvmwTOcoI4NnGVdvUL99FPf+hEJdHZyScEn9bRtEGgFUnbXCgovDu2G333/1S91Z
w36jokou/av+WdxJ7fVSbFqrA62cFy1s9fpoWubZ14j3isPzz74qtPtGnOI19oGh
WylKw/jKtps=
=8Fkt
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC