Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability
26 Jun. 2007
Summary
Kerberos is "a network authentication protocol used in client-server systems to provide user authentication by using a ticket-based system. kadmind is the Kerberos administration server and is used to configure principals and policies on the Kerberos server, such as changing a password". Remote exploitation of a buffer overflow vulnerability within MIT Kerberos kadmind allows attackers to execute arbitrary code with the privileges of the running service, usually root.
Vulnerable Systems:
* MIT Kerberos version 1.5-21
* MIT Kerberos version 1.5.3
* MIT Kerberos version 1.6.1
Immune Systems:
The vulnerability specifically exists within the code responsible for handling requests to rename principals. The rename_principal_2_svc function fails to properly bounds-check user-supplied data before copying it to a fixed-size stack buffer. The vulnerable code is shown below.
On lines 570 and 571, attacker-supplied data is extracted from the kadmind server context. The buffer overflow occurs on line 575, when the source and destination principal names are concatenated with the static text " to " into the fixed-size stack buffer without any length check.
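As an added illustration of the bounds check that is missing (example code, not the kadmind source), the function below builds the same "<source> to <destination>" message into a caller-sized buffer and refuses input that would not fit; the function and buffer names are assumptions for the example, and the 64-byte size is constructed so the rejection path is easy to exercise.

```c
/* Added example, not MIT Kerberos code: the message built in rename_principal_2_svc
 * is "<src> to <dest>".  Writing it with sprintf() into a fixed-size stack buffer
 * is the pattern described above; this version sizes the output explicitly. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRIME_ARG_SIZE 64   /* constructed size for the example, not the real BUFSIZ */

/* Writes "<src> to <dest>" into out.  Returns 0 on success, -1 (with out emptied)
 * when the combined text plus NUL would exceed outsize. */
int format_rename_msg(char *out, size_t outsize, const char *src, const char *dest)
{
    static const char sep[] = " to ";
    size_t need = strlen(src) + (sizeof(sep) - 1) + strlen(dest) + 1; /* +1 for NUL */

    if (outsize == 0)
        return -1;
    if (need > outsize) {           /* the check the vulnerable code lacks */
        out[0] = '\0';
        return -1;
    }
    int n = snprintf(out, outsize, "%s%s%s", src, sep, dest);
    if (n < 0 || (size_t)n >= outsize)   /* defence in depth: snprintf truncated */
        return -1;
    return 0;
}

/* Alternative that avoids a fixed buffer altogether: allocate exactly what is
 * needed on the heap.  Caller frees the result; NULL on allocation failure. */
char *format_rename_msg_alloc(const char *src, const char *dest)
{
    size_t need = strlen(src) + 4 + strlen(dest) + 1;
    char *p = malloc(need);
    if (p == NULL)
        return NULL;
    snprintf(p, need, "%s to %s", src, dest);
    return p;
}

int main(void)
{
    char prime_arg[PRIME_ARG_SIZE];
    if (format_rename_msg(prime_arg, sizeof prime_arg,
                          "alice@EXAMPLE.COM", "bob@EXAMPLE.COM") == 0)
        printf("%s\n", prime_arg);
    return 0;
}
```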
Analysis:
Exploitation allows attackers to execute arbitrary code with the privileges of the running service, usually root.
Although the functionality where the vulnerability lies is designed to require administrator privileges, the problem actually occurs prior to credential verification. As a result, only a valid user session is required to exploit this vulnerability.
The kadmind server runs on the master Kerberos server, which holds the KDC principal and policy database. As such, a compromise of this server could lead to a compromise of multiple hosts that use the server for authentication.
It should be noted that although Fedora Core 6 was used for testing, code execution is not possible there because the binary was compiled with the "FORTIFY_SOURCE" compiler flag.