SecurityTracker.com
Category:   Application (Security)  >   Kerberos
Vendors:   MIT
Kerberos Application Flaws in Evaluating setuid/seteuid Calls May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1016664
SecurityTracker URL:  http://securitytracker.com/id/1016664
CVE Reference:   CVE-2006-3083, CVE-2006-3084
Updated:  Aug 17 2006
Original Entry Date:  Aug 8 2006
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): krb5-1.5 and prior krb5 versions
Description:   A vulnerability was reported in some applications packaged with Kerberos. A local user may be able to obtain elevated privileges on the target system.

Certain application programs packaged in the MIT Kerberos 5 source distribution do not properly check the results of some setuid() [CVE-2006-3083] and seteuid() [CVE-2006-3084] function calls. This may allow a local user to obtain elevated privileges.

The vulnerability occurs when the OS-specific implementation of setuid() or seteuid() fails due to resource exhaustion when changing to an unprivileged user ID.
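The unchecked-return pattern described above, next to a checked version, as an added example (not code from MIT krb5 or from this advisory). The names `setuid_fn`, `exhausted_setuid`, `noop_setuid`, `drop_unchecked` and `drop_checked` are hypothetical, and the failure is simulated through a function pointer (using EAGAIN as the assumed errno) so the example runs without root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*setuid_fn)(uid_t);  /* lets the demo inject a failing call */

/* Constructed fault: stands in for an OS setuid() that fails under
 * resource exhaustion and leaves the process credentials unchanged. */
int exhausted_setuid(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Constructed stub: reports success but changes nothing. */
int noop_setuid(uid_t uid) { (void)uid; return 0; }

/* Flawed pattern: the result is discarded, so the caller is told the
 * drop worked and carries on with its original uid. */
int drop_unchecked(setuid_fn do_setuid, uid_t target)
{
    do_setuid(target);
    return 0;
}

/* Checked pattern: fail closed on any error, then confirm that the real
 * and effective uid are both the requested one. */
int drop_checked(setuid_fn do_setuid, uid_t target)
{
    if (do_setuid(target) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n", (unsigned long)target,
                strerror(errno));
        return -1;
    }
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void)
{
    uid_t me = getuid();  /* own uid as target, so no root is needed */

    printf("unchecked, failing call: %d\n", drop_unchecked(exhausted_setuid, me + 1));
    printf("checked, failing call:   %d\n", drop_checked(exhausted_setuid, me + 1));
    printf("checked, silent no-op:   %d\n", drop_checked(noop_setuid, me + 1));
    printf("checked, real setuid():  %d\n", drop_checked(setuid, me));
    return 0;
}
```

A caller should treat a -1 from `drop_checked` as fatal and exit before doing any work on the user's behalf.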

krshd, v4rcp, and ftpd may allow a local user to gain root privileges. ksu may allow a local user to fill a file with null bytes and then delete the file with root privileges.

The vendor indicates that the primary risk is to Linux-based systems, but that no exploit code is known to exist [at the time of this entry].

Kerberos applications provided by IBM for AIX are not vulnerable [but the applications provided by MIT are vulnerable on AIX].

The vendor credits Michael Calmer and Marcus Meissner at SUSE with reporting this vulnerability.

Impact:   A local user may be able to obtain elevated privileges on the target system.
Solution:   The vendor has issued a patch for the krb5-1.5 release, available at:

http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt

The vendor has issued a patch for the krb5-1.4.3 release, available at:

http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt

On August 16, 2006, the vendor issued revised patches to correct an error in the original patches. The patch URLs have not changed. The correct patch includes revision 18419 of 'clients/ksu/main.c'.

The vendor plans to issue fixed versions (krb5-1.5.1 and krb5-1.4.4).

The MIT/Kerberos advisory is available at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt

Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 8 2006 (Red Hat Issues Fix) Kerberos Application Flaws in Evaluating setuid/seteuid Calls May Let Local Users Gain Elevated Privileges
Red Hat has released a fix for Red Hat Enterprise Linux 4.



Copyright 2019, SecurityGlobal.net LLC