Heimdal k5admind Framing Length Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1010075
SecurityTracker URL: http://securitytracker.com/id/1010075
Date: May 6 2004
Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): 0.6.1 and prior versions
A heap overflow vulnerability was reported in Heimdal k5admind. A remote user can execute arbitrary code on the target system.
Evgeny Demidov reported a pre-authentication flaw in k5admind(8), the administrative interface to the Kerberos Key Distribution Center (KDC), in its processing of Kerberos 4 compatibility administration requests. The request is prefixed with a framing length that must account for a two-byte header; the service does not reject a framing length smaller than that, so a remote user can supply a length value of less than two and cause the service to copy an attacker-controlled amount of data into a small buffer on the heap. No authentication is required to reach the affected code.
Only systems that have compiled k5admind with Kerberos 4 support are reported to be affected.
A remote user can execute arbitrary code on the target system with the privileges of the k5admind daemon.
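The length-handling flaw described above, reduced to a constructed C illustration. This is an example added here, not Heimdal's code: the wire layout (a 4-byte big-endian framing length, then a 2-byte header, then the body), the MAX_REQUEST bound and the function names are assumptions for the example. The vulnerable variant checks only an upper bound on the framing length, so a length of 0 or 1 passes and subtracting the header size wraps to a copy size of roughly 4 GiB; the hardened variant adds the missing lower bound and verifies that the declared bytes actually arrived before copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Heimdal's code. Assumed wire layout for a request:
 *   4-byte big-endian framing length, then a 2-byte header, then the body.
 * The framing length is supposed to cover the header and the body. */
#define HEADER_LEN  2u
#define MAX_REQUEST 1024u   /* assumed upper bound enforced by the server */

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: only the upper bound on the framing length is checked.
 * A length of 0 or 1 passes, and len - HEADER_LEN wraps to about 4 GiB, which
 * the server would then use as the number of body bytes to read into a buffer
 * sized for a small request. To make the wrap observable without corrupting
 * memory, this returns the copy size the server would use instead of copying.
 * *accepted is set to 1 when the length check passes, 0 when it rejects. */
size_t vulnerable_body_len(const unsigned char *frame, size_t frame_len,
                           int *accepted)
{
    *accepted = 0;
    if (frame_len < 4)
        return 0;
    uint32_t len = read_be32(frame);
    if (len > MAX_REQUEST)            /* no lower bound: len < HEADER_LEN slips through */
        return 0;
    *accepted = 1;
    return (size_t)(len - HEADER_LEN); /* unsigned wrap when len < 2 */
}

/* Hardened pattern: reject lengths that cannot hold the header, reject
 * lengths larger than what actually arrived, and copy only what was declared.
 * Returns a malloc'ed copy of the body (caller frees) and sets *body_len,
 * or NULL with *body_len == 0 on any malformed frame. */
unsigned char *hardened_parse_body(const unsigned char *frame, size_t frame_len,
                                   size_t *body_len)
{
    *body_len = 0;
    if (frame_len < 4)
        return NULL;
    uint32_t len = read_be32(frame);
    if (len < HEADER_LEN || len > MAX_REQUEST)   /* lower AND upper bound */
        return NULL;
    if ((size_t)len > frame_len - 4)             /* declared bytes must be present */
        return NULL;
    size_t n = len - HEADER_LEN;
    unsigned char *body = malloc(n ? n : 1);
    if (body == NULL)
        return NULL;
    memcpy(body, frame + 4 + HEADER_LEN, n);
    *body_len = n;
    return body;
}

int main(void)
{
    /* Constructed frames: a hostile one with framing length 1, and a valid
     * one with framing length 7 (2-byte header + 5-byte body "hello"). */
    const unsigned char hostile[] = { 0, 0, 0, 1, 0x41, 0x42, 0x43 };
    const unsigned char valid[]   = { 0, 0, 0, 7, 0x00, 0x01, 'h', 'e', 'l', 'l', 'o' };
    int accepted;
    size_t n = vulnerable_body_len(hostile, sizeof hostile, &accepted);
    printf("vulnerable: accepted=%d, would copy %zu bytes\n", accepted, n);

    size_t body_len;
    unsigned char *body = hardened_parse_body(hostile, sizeof hostile, &body_len);
    printf("hardened: hostile frame %s\n", body ? "accepted" : "rejected");
    free(body);

    body = hardened_parse_body(valid, sizeof valid, &body_len);
    if (body != NULL) {
        printf("hardened: valid frame, body of %zu bytes: %.*s\n",
               body_len, (int)body_len, (const char *)body);
        free(body);
    }
    return 0;
}
```

The point to take from the hardened variant is that a length field needs both bounds: the upper bound protects the destination buffer, but only the lower bound stops the header subtraction from wrapping, and neither helps unless the declared length is also checked against the bytes actually received.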
A fix is reportedly available [however, the vendor's web site has not yet posted a fixed stable version as of the time of this entry].
The report recommends that, as a workaround, you disable Kerberos 4 support by running kadmind with the '--no-kerberos4' option.
Vendor URL: www.pdc.kth.se/heimdal/
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: [Full-Disclosure] Advisory: Heimdal kadmind version4 remote heap overflow
Name: Heimdal kadmind version4 remote heap
Date: 6 May 2004
CVE candidate: CAN-2004-0434
Author: Evgeny Demidov
There exists a remote preauth heap overflow vulnerability
in Heimdal kadmind version4 support.
All versions of Heimdal including 0.6.1 are known to be
It's recommended to disable Kerberos 4 support by running
kadmind with the --no-kerberos4 option.
FreeBSD has issued an advisory:
The latest Heimdal snapshot also fixes the problem.
The vulnerability was discovered several months ago
by Evgeny Demidov during a Heimdal source code audit.
The details of the vulnerability have been made available to
VulnDisco clients two weeks ago.
The Heimdal development team was ready with a patch within a
couple of hours after initial contact.