SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   kadmind (please use Kerberos)
Vendors:   Royal Institute of Technology
(NetBSD Issues Fix) Heimdal Kerberos 'kadmind' Buffer Overflow Lets Remote Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1005460
SecurityTracker URL:  http://securitytracker.com/id/1005460
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 22 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 0.5.1
Description:   A buffer overflow vulnerability was reported in 'kadmind', the administrative access server for the Kerberos database in the Heimdal distribution. A remote user may be able to execute arbitrary code on the system with root level privileges.

It is reported that kadmind in Heimdal releases earlier than 0.5.1 has a buffer overflow in the kerberos version 4 compatibility code. If compiled with support for the Kerberos 4 kadmin protocol, kadmind is vulnerable.

A remote user can cause arbitrary code to be executed with root level privileges.

To determine if kadmind is vulnerable you can run:

# /usr/heimdal/libexec/kadmind --version
kadmind (Heimdal 0.5.1, KTH-KRB 1.2)
Copyright (c) 1999-2002 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@pdc.kth.se

Non-vulnerable versions reportedly include Heimdal 0.5.1 and binaries that do *not* show a Kerberos 4 version string (KTH-KRB 1.2 in the example).

Impact:   A remote user can execute arbitrary code with root privileges to gain root access on the system.
Solution:   NetBSD has released a fix.

For NetBSD all releases (to disable kadmind if you cannot upgrade):

Check that you don't have kadmind in your /etc/inetd.conf.

# grep kadmind /etc/inetd.conf

If kadmind is enabled, disable it by commenting out its entry and reloading inetd:

# /etc/rc.d/inetd reload

Check that kadmind is not running as a service:

# ps axlwww | grep kadmind

If kadmind is running, kill it:

# kill <process id of kadmind>
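The version check and the inetd/ps checks above, turned into a small shell script. This is an added example, not code from the advisory or from SecurityTracker; it assumes the banner format shown on the page ("kadmind (Heimdal X.Y.Z, KTH-KRB A.B)") and runs on constructed sample input:

```shell
# Added example; not part of the NetBSD advisory or the SecurityTracker page.
# Turns the page's checks into functions that return 0 (true) or 1 (false):
#  - kadmind_vulnerable: judge a `kadmind --version` banner. A build is
#    vulnerable when it reports Heimdal older than 0.5.1 AND carries a
#    KTH-KRB string, i.e. Kerberos 4 compatibility is compiled in.
#  - kadmind_enabled_in_inetd: uncommented kadmind entry in an inetd.conf.
#  - kadmind_in_ps: a kadmind process in a ps listing (the grep itself excluded).
# Banners and listings used below are constructed sample input, not captured output.

# True if the "Heimdal X.Y.Z" version in $1 is older than 0.5.1.
# A letter suffix such as "0.4e" is stripped before the numeric compare.
heimdal_older_than_051() {
    ver=$(printf '%s' "$1" | sed -n 's/.*Heimdal \([0-9][0-9a-z.]*\).*/\1/p')
    [ -n "$ver" ] || return 1   # no Heimdal banner: cannot claim it is old
    printf '%s\n' "$ver" | awk -F. '{
        maj = $1 + 0
        sub(/[a-z].*/, "", $2); min = $2 + 0
        pat = $3 + 0                      # missing third field counts as 0
        old = (maj == 0 && (min < 5 || (min == 5 && pat < 1)))
        exit old ? 0 : 1
    }'
}

kadmind_vulnerable() {
    heimdal_older_than_051 "$1" || return 1
    case "$1" in *KTH-KRB*) return 0 ;; *) return 1 ;; esac
}

# True if file $1 has an active (not commented out) line mentioning kadmind.
kadmind_enabled_in_inetd() {
    grep -q '^[[:space:]]*[^#[:space:]].*kadmind' "$1"
}

# True if the ps listing on stdin shows a kadmind process.
kadmind_in_ps() {
    grep -v 'grep' | grep -q 'kadmind'
}

# Demo on constructed banners; on a real host the inputs come from
# /usr/heimdal/libexec/kadmind --version, /etc/inetd.conf and ps axlwww.
for banner in 'kadmind (Heimdal 0.4e, KTH-KRB 1.2)' \
              'kadmind (Heimdal 0.5.1, KTH-KRB 1.2)' \
              'kadmind (Heimdal 0.4e)'; do
    if kadmind_vulnerable "$banner"; then
        echo "VULNERABLE:   $banner"
    else
        echo "not affected: $banner"
    fi
done
```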

For NetBSD-current:

Systems running NetBSD-current dated from before 2002-Oct-22 should be upgraded to NetBSD-current dated 2002-Oct-22 or later. The fix is included in crypto/dist/heimdal/kadmin/version4.c, revision 1.2.

The following directory needs to be updated from the netbsd-current CVS branch (aka HEAD):
crypto/dist/heimdal/kadmin

To update from CVS, re-build, and re-install kadmind(8):
# cd src
# cvs update -d -P crypto/dist/heimdal
# cd libexec/kadmind
# make cleandir dependall
# make install

For NetBSD 1.6:

The following directory needs to be updated from the netbsd-1-6 CVS branch:
crypto/dist/heimdal/kadmin

To update from CVS, re-build, and re-install kadmind(8):

# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/heimdal/kadmin
# cd libexec/kadmind
# make cleandir dependall
# make install

For NetBSD 1.5:

The following directory needs to be updated from the netbsd-1-5 CVS branch:
crypto/dist/heimdal/kadmin

To update from CVS, re-build, and re-install kadmind(8):

# cd src
# cvs update -d -P -r netbsd-1-5 crypto/dist/heimdal/kadmin
# cd libexec/kadmind
# make cleandir dependall
# make install

Vendor URL:  www.pdc.kth.se/heimdal/
Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  1.6, 1.5.3, 1.5.2, 1.5.1, 1.5

Message History:   This archive entry is a follow-up to the message listed below.
Oct 22 2002 Heimdal Kerberos 'kadmind' Buffer Overflow Lets Remote Users Execute Arbitrary Code With Root Privileges



 Source Message Contents

Subject:  NetBSD Security Advisory 2002-026: Buffer overflow in kadmind daemon





		 NetBSD Security Advisory 2002-026
		 =================================

Topic:		Buffer overflow in kadmind daemon

Version:	NetBSD-current:	source prior to October 21 2002
		NetBSD-1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	not affected

Severity:	remote buffer overflow, resulting in root exploit

Fixed:		NetBSD-current:		October 22, 2002
		NetBSD-1.6 branch:	October 22, 2002
		NetBSD-1.5 branch:	October 22, 2002


Abstract
========

Kadmind is the server for administrative access to the kerberos database,
and comes from the Heimdal Kerberos implementation used by NetBSD.  In
Heimdal releases earlier than 0.5.1 kadmind has a buffer overflow in
the kerberos version 4 compatibility code.

The kadmind daemon has never been enabled by default in NetBSD;
enabling it would require a change in /etc/inetd.conf.


Technical Details
=================

All versions prior to Heimdal 0.5.1 and 0.4enb1 are vulnerable.  NetBSD
1.5, 1.6, and -current (prior to October 21, 2002) ship with a vulnerable
version.

The problem is a buffer overflow in the kerberos version 4 compatibility layer
of kadmind.

See also: http://www.pdc.kth.se/heimdal/


Solutions and Workarounds
=========================

For most users this is not a vital service and is likely not enabled.
The only user of kadmin should be the kdc in a kerberos
realm.  Since the security of the kerberos server is very important,
kadmind must be disabled until upgraded.

* NetBSD all releases:

        Check that you don't have kadmind in your /etc/inetd.conf.

        # grep kadmind /etc/inetd.conf

	If kadmind is enabled, disable it by commenting out its entry and
	reloading inetd:

	# /etc/rc.d/inetd reload

	Check that kadmind is not running as a service:

	# ps axlwww | grep kadmind

	If kadmind is running, kill it:

	# kill <process id of kadmind>

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-Oct-22 should
	be upgraded to NetBSD-current dated 2002-Oct-22 or later.  The fix
	is included in crypto/dist/heimdal/kadmin/version4.c, revision 1.2.

	The following directory needs to be updated from the netbsd-current
	CVS branch (aka HEAD):
		crypto/dist/heimdal/kadmin

	To update from CVS, re-build, and re-install kadmind(8):
		# cd src
		# cvs update -d -P crypto/dist/heimdal
		# cd libexec/kadmind
		# make cleandir dependall
		# make install

* NetBSD 1.6:

	The following directory needs to be updated from the 
	netbsd-1-6 CVS branch:
		crypto/dist/heimdal/kadmin

	To update from CVS, re-build, and re-install kadmind(8):

		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/dist/heimdal/kadmin
		# cd libexec/kadmind
		# make cleandir dependall
		# make install

* NetBSD 1.5:

        The following directory needs to be updated from the
        netbsd-1-5 CVS branch:
                crypto/dist/heimdal/kadmin

        To update from CVS, re-build, and re-install kadmind(8):

                # cd src 
                # cvs update -d -P -r netbsd-1-5 crypto/dist/heimdal/kadmin
                # cd libexec/kadmind
                # make cleandir dependall 
                # make install

Thanks To
=========

Love Hoernquist-Astrand for the patch and notification and Johan Danielsson
for testing.


Revision History
================

	2002-Oct-21	Initial release

More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-026.txt,v 1.9 2002/10/21 20:34:06 groo Exp $

