Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2006-3084 to a friend New vulnerability? New tool? Tell us	CVE-2006-3084 Kerberos Multiple Local Privilege Escalation Vulnerabilities     Credit: The information has been provided by Tom Yu. The original article can be found at: http://web.mit.edu/kerberos/advisories/index.html Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2006-3084 Details Check for CVE-2006-3084 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * * The below-listed programs are vulnerable in all releases of MIT krb5, up to and including krb5-1.5. The krb5-1.5.1 and krb5-1.4.4 releases will contain fixes for these problems. Impact: Actual impact depends on implementation details within a specific operating system. Vulnerabilities result when the OS implementations of setuid() or seteuid() can fail due to resource exhaustion when changing to an unprivileged user ID. We believe that only unchecked calls to setuid(), and not calls to seteuid(), are vulnerable on Linux. On AIX, Kerberos applications provided by IBM are not vulnerable. If, in place of or in addition to IBM-provided Kerberos applications, MIT krb5 code is installed on an AIX system, the affected MIT krb5 applications are vulnerable to the setuid() issues listed in CVE-2006-3083. We believe that no other operating systems are affected. [CVE-2006-3083, VU#580124] The following vulnerabilities may result from unchecked calls to setuid(), and are believed to only exist on Linux and AIX: * Unchecked calls to setuid() in krshd may allow a local privilege escalation leading to execution of programs as root. * Unchecked calls to setuid() in the v4rcp may allow a local privilege escalation leading to reading, writing, or creating files as root. v4rcp is the remote end of a krb4-authenticated rcp operation, but may be executed directly by an attacker, as it is a setuid program. [CVE-2006-3084, VU#401660] The following vulnerabilities may result from unchecked calls to seteuid(). These vulnerabilities are not yet known to exist on any operating system: * Unchecked calls to seteuid() in ftpd may allow a local privilege escalation leading to reading, writing, or creating files as root. * Unchecked calls to seteuid() in the ksu program may allow a local privilege escalation resulting in filling a file with null bytes as root and then deleting it (the "kdestroy" operation). Fixes: * The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes for these vulnerabilities. * Disable krshd and ftpd, and remove the setuid bit from the ksu binary and the v4rcp binary. * For the krb5-1.5 release, apply the patch at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt A PGP-signed version of this patch is at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt.asc This patch was generated against the krb5-1.5 release, and may apply to earlier releases with some fuzz. The patch also updates some calls to other setuid-like system calls on less-common operating systems, though these calls are less likely to be vulnerable. * For the krb5-1.4.3 release, apply the patch at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt A PGP-signed version of this patch is at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt This patch was generated against the krb5-1.4.3 release, and may apply to earlier releases with some fuzz. The patch also updates some calls to other setuid-like system calls on less-common operating systems, though these calls are less likely to be vulnerable. CVE Information: CVE-2006-3083 CVE-2006-3084 CERT Information: VU#580124 VU#401660 Acknowledgements: Thanks to Michael Calmer and Marcus Meissner at SUSE for reporting this problem. Thanks to Shiva Persaud at IBM for information on AIX. Details: Typically, setuid(), seteuid(), and similar system calls cannot fail except in cases of inadequate privilege or system misconfiguration. Unlike other operating systems, Linux and AIX system calls which change the real user ID can fail if the change would cause the target user ID to exceed its quota of allowed processes. A local attacker may be able to exhaust a process quota in a way which artificially creates such a failure condition. This may result in privilege escalation when a program making an unchecked call to one of these system calls expects to continue execution with reduced privilege following the affected call, but instead continues to run as a privileged user. Specific places where various system calls are not checked include: appl/bsd/krcp.c: setreuid (uncompiled code), setuid (irrelevant because not installed setuid) appl/bsd/krshd.c: setuid appl/bsd/krsh.c: setuid (irrelevant because not installed setuid) appl/bsd/v4rcp.c: setuid appl/gssftp/ftpd/ftpd.c: seteuid client/ksu/main.c: seteuid lib/krb4/kuserok.c: seteuid (but likely irrelevant)  Comments on CVE-2006-3084:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®