A stack buffer overflow in the implementation of the Kerberos v4 compatibility administration daemon (kadmind4) in the MIT krb5 distribution can be exploited to gain unauthorized root access to a KDC host. The attacker does not need to authenticate to the daemon to successfully perform this attack. At least one exploit is known to exist in the wild.
The kadmind4 supplied with MIT krb5 is intended for use in sites that require compatibility with legacy administrative clients; sites that do not have this requirement are not likely to be running this daemon.
Credit:
The original advisory can be downloaded by going to:
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
The information has been provided by Tom Yu.
Vulnerable systems:
* All releases of MIT Kerberos 5, up to and including krb5-1.2.6.
* All Kerberos 4 implementations derived from MIT Kerberos 4, including Cygnus Network Security (CNS).
Impact:
A remote attacker can execute arbitrary code on the KDC with the privileges of the user running kadmind4 (usually root). This can lead to compromise of the Kerberos database.
Fixes:
Apply the following patch to src/kadmin/v4server/kadm_ser_wrap.c:
Index: kadm_ser_wrap.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kadmin/v4server/kadm_ser_wrap.c,v
retrieving revision 1.10.4.1
diff -c -r1.10.4.1 kadm_ser_wrap.c
*** kadm_ser_wrap.c 2000/05/23 21:44:50 1.10.4.1
- --- kadm_ser_wrap.c 2002/10/22 22:07:11
***************
*** 170,183 ****
u_char *retdat, *tmpdat;
int retval, retlen;
! if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
return KADM_LENGTH_ERROR;
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
- --- 170,190 ----
u_char *retdat, *tmpdat;
int retval, retlen;
! if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
! || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
! || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
! || (*dat_len - r_len - KADM_VERSIZE -
! sizeof(krb5_ui_4) > sizeof(authent.dat))) {
! errpkt(dat, dat_len, KADM_LENGTH_ERROR);
return KADM_LENGTH_ERROR;
+ }
+
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
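Review bot: the three new length conditions are correct, but their safety depends on ordering that is only implicit: `r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4)` is only free of unsigned wrap because the first block already rejected `*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)`, and the third condition likewise depends on the second having bounded `r_len`. Since the checks sit in two separate `if` statements, a one-line comment above the second stating that the header-size check must stay ahead of it would keep a future reordering from silently reintroducing the overflow. Also worth noting in the change description: the error path now calls `errpkt(dat, dat_len, KADM_LENGTH_ERROR)` before returning, whereas the old code returned `KADM_LENGTH_ERROR` without sending a reply.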
The patch was generated against krb5-1.2.6; patches to other releases may apply with some offset.
This patch may also be found at: http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt
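As an added illustration, not code from the MIT advisory or the krb5 tree, the following stand-alone C function re-implements the patched validation order: header present, claimed request length within the received data, derived authenticator length within its fixed buffer, and only then the copy, so the unsigned subtraction that produces authent.length can no longer wrap. The version string, KADM_VERSIZE, the 4-byte big-endian length field and the authenticator buffer size are assumed values; check_packet builds constructed packets for testing.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Names follow the advisory; values are assumed for this example. */
#define KADM_VERSTR  "KADM0.0A"
#define KADM_VERSIZE 8
#define AUTHENT_MAX  1250   /* stand-in for sizeof(authent.dat) */
#define LEN_FIELD    sizeof(uint32_t)

enum { KADM_OK = 0, KADM_BAD_VER = 1, KADM_LENGTH_ERROR = 2 };

/* Big-endian 32-bit request length (the field stv_long reads). */
static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

int parse_kadm_request(const unsigned char *dat, size_t dat_len,
                       unsigned char *authent, size_t *authent_len) {
    /* 1. Header must exist before it is inspected (first patch check). */
    if (dat_len < KADM_VERSIZE + LEN_FIELD ||
        memcmp(KADM_VERSTR, dat, KADM_VERSIZE) != 0)
        return KADM_BAD_VER;
    uint32_t r_len = get_be32(dat + KADM_VERSIZE);
    size_t avail = dat_len - KADM_VERSIZE - LEN_FIELD;  /* safe: step 1 */
    /* 2. Claimed length must fit; otherwise avail - r_len wraps huge. */
    if (r_len > avail)
        return KADM_LENGTH_ERROR;
    /* 3. What is left for the authenticator must fit its buffer. */
    size_t auth_len = avail - r_len;
    if (auth_len > AUTHENT_MAX)
        return KADM_LENGTH_ERROR;
    memcpy(authent, dat + KADM_VERSIZE + LEN_FIELD, auth_len);
    *authent_len = auth_len;
    return KADM_OK;
}

/* Constructed packet: valid header, chosen r_len, body_len filler bytes. */
int check_packet(uint32_t claimed_r_len, size_t body_len) {
    static unsigned char pkt[4096], auth[AUTHENT_MAX];
    size_t authent_len = 0;
    if (body_len > sizeof(pkt) - KADM_VERSIZE - LEN_FIELD) return -1;
    memcpy(pkt, KADM_VERSTR, KADM_VERSIZE);
    for (int i = 0; i < 4; i++)
        pkt[KADM_VERSIZE + i] = (unsigned char)(claimed_r_len >> (24 - 8 * i));
    memset(pkt + KADM_VERSIZE + LEN_FIELD, 0x41, body_len);
    return parse_kadm_request(pkt, KADM_VERSIZE + LEN_FIELD + body_len,
                              auth, &authent_len);
}
```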