SecurityTracker.com
Category:   Application (Security)  >   kadmind (please use Kerberos)
Vendors:   Royal Institute of Technology
Heimdal k5admind Framing Length Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010075
SecurityTracker URL:  http://securitytracker.com/id/1010075
CVE Reference:   CVE-2004-0434
Date:  May 6 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.6.1 and prior versions
Description:   A heap overflow vulnerability was reported in Heimdal k5admind. A remote user can execute arbitrary code on the target system.

Evgeny Demidov reported that there is a pre-authentication flaw in the k5admind(8) Kerberos Key Distribution Center (KDC) interface in the processing of Kerberos 4 compatibility administration requests. A remote user can supply a framing length value of less than two bytes to cause the target service to copy an arbitrary amount of data into a small buffer on the heap.

Only systems that have compiled k5admind with Kerberos 4 support are reported to be affected.

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the k5admind daemon.
Solution:   A fix is reportedly available [however, the vendor's web site has not yet posted a fixed stable version as of the time of this entry].

The report recommends that, as a workaround, you disable Kerberos 4 support by running kadmind with the '--no-kerberos4' option.

Vendor URL:  www.pdc.kth.se/heimdal/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
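
The framing-length check described above, shown as a hardened length-prefixed parser in C. This is an added example, not Heimdal's code: the frame layout, `frame_parse`, the status codes and the size constants are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical framing for illustration (not Heimdal's wire format):
 * a 2-byte big-endian length, then `length` bytes, of which the first
 * FRAME_HDR bytes are a fixed header and the rest is payload. */
#define FRAME_HDR 2u
#define FRAME_MAX 1024u

enum frame_status { FRAME_OK = 0, FRAME_TRUNCATED = -1, FRAME_TOO_SHORT = -2,
                    FRAME_TOO_LONG = -3, FRAME_NO_SPACE = -4 };

/* Parse one frame from in[0..in_len) and copy its payload into out.
 * Returns FRAME_OK and sets *payload_len, or a negative frame_status. */
int frame_parse(const uint8_t *in, size_t in_len,
                uint8_t *out, size_t out_cap, size_t *payload_len)
{
    if (in_len < 2)
        return FRAME_TRUNCATED;            /* length prefix not received */

    size_t len = ((size_t)in[0] << 8) | in[1];

    /* Lower bound first: with len < FRAME_HDR the unsigned expression
     * len - FRAME_HDR would wrap to a huge value, so reject the frame
     * before any subtraction, allocation or copy uses the length. */
    if (len < FRAME_HDR)
        return FRAME_TOO_SHORT;
    if (len > FRAME_MAX)
        return FRAME_TOO_LONG;             /* cap attacker-chosen sizes */
    if (in_len - 2 < len)
        return FRAME_TRUNCATED;            /* body not fully received */

    size_t body = len - FRAME_HDR;         /* safe: len >= FRAME_HDR */
    if (body > out_cap)
        return FRAME_NO_SPACE;             /* never copy past the buffer */

    memcpy(out, in + 2 + FRAME_HDR, body);
    *payload_len = body;
    return FRAME_OK;
}
```
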

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 6 2004 (FreeBSD Issues Fix) Heimdal k5admind Framing Length Buffer Overflow Lets Remote Users Execute Arbitrary Code
FreeBSD has released a fix.
May 19 2004 (Debian Issues Fix) Heimdal k5admind Framing Length Buffer Overflow Lets Remote Users Execute Arbitrary Code
Debian has released a fix.
May 27 2004 (Gentoo Issues Fix) Heimdal k5admind Framing Length Buffer Overflow Lets Remote Users Execute Arbitrary Code
Gentoo has released a fix.



 Source Message Contents

Subject:  [Full-Disclosure] Advisory: Heimdal kadmind version4 remote heap overflow



Name:          Heimdal kadmind version4 remote heap overflow
Date:          6 May 2004
CVE candidate: CAN-2004-0434
Author:        Evgeny Demidov

Description:

There exists a remote preauth heap overflow vulnerability 
in Heimdal kadmind version4 support.
All versions of Heimdal including 0.6.1 are known to be 
vulnerable.

It's recommended to disable Kerberos 4 support by running 
kadmind with the --no-kerberos4 option.

Fix:

FreeBSD has issued an advisory:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:09.kadmind.asc

Latest Heimdal snapshot also fixes the problem.

History:

The vulnerability was discovered several months ago 
by Evgeny Demidov during a Heimdal source code audit.

The details of the vulnerability were made available to 
VulnDisco clients two weeks ago.

Thanks:

The Heimdal development team was ready with a patch within a 
couple of hours after initial contact.


Copyright 2022, SecurityGlobal.net LLC