CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

From: CERT Advisory (cert-advisory@cert.org)
Date: 10/25/02


Date: Fri, 25 Oct 2002 12:51:06 -0400
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org


-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

   Original issue date: October 25, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * MIT Kerberos version 4 and version 5 up to and including
       krb5-1.2.6
     * KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version
       0.5.1
     * Other Kerberos implementations derived from vulnerable MIT or KTH
       code

Overview

   Multiple Kerberos distributions contain a remotely exploitable buffer
   overflow in the Kerberos administration daemon. A remote attacker
   could exploit this vulnerability to gain root privileges on a
   vulnerable system.

   The CERT/CC has received reports that indicate that this vulnerability
   is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002
   notes that an exploit is circulating.

   We strongly encourage sites that use vulnerable Kerberos distributions
   to verify the integrity of their systems and apply patches or upgrade
   as appropriate.

I. Description

   Kerberos is a widely used network protocol that uses strong
   cryptography to authenticate clients and servers. The Kerberos
   administration daemon (typically called kadmind) handles password
   change and other requests to modify the Kerberos database. The daemon
   runs on the master Key Distribution Center (KDC) server of a Kerberos
   realm.

   The code that provides legacy support for the Kerberos 4
   administration protocol contains a remotely exploitable buffer
   overflow. The vulnerable code does not adequately validate data read
   from a network request. This data is subsequently used as an argument
   to a memcpy() call, which can overflow a buffer allocated on the
   stack. An attacker does not have to authenticate in order to exploit
   this vulnerability, and the Kerberos administration daemon runs with
   root privileges.
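   The flaw class described above (an attacker-supplied length handed to
   memcpy() without being checked against the stack buffer) is easy to
   see side by side with its fix. The following C program is an added
   illustration written for this page; it is not the MIT or KTH kadmind
   source, and the request format it parses (a 2-byte big-endian length
   followed by a payload) is a hypothetical stand-in for the real
   Kerberos 4 administration protocol. The sample requests are
   constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request format used only for this illustration (it is not
 * the real Kerberos 4 administration protocol): a 2-byte big-endian
 * length field followed by that many bytes of payload. */
#define PAYLOAD_MAX 64

typedef enum { REQ_OK = 0, REQ_TOO_SHORT, REQ_TOO_LONG, REQ_TRUNCATED } req_status;

/* The unsafe pattern the advisory describes, in miniature: the length
 * taken from the request is passed straight to memcpy(), so a request that
 * declares more than PAYLOAD_MAX bytes writes past the caller's stack
 * buffer. Kept for contrast only; it is never called in this example. */
size_t parse_request_unchecked(const uint8_t *req, size_t req_len, uint8_t out[PAYLOAD_MAX])
{
    if (req_len < 2)
        return 0;
    size_t declared = ((size_t)req[0] << 8) | req[1];
    memcpy(out, req + 2, declared); /* BUG: declared is attacker-controlled and unchecked */
    return declared;
}

/* Hardened version: validate the untrusted length against both the
 * destination buffer and the bytes actually received before copying. */
req_status parse_request_checked(const uint8_t *req, size_t req_len,
                                 uint8_t out[PAYLOAD_MAX], size_t *out_len)
{
    *out_len = 0;
    if (req_len < 2)
        return REQ_TOO_SHORT;
    size_t declared = ((size_t)req[0] << 8) | req[1];
    if (declared > PAYLOAD_MAX)      /* would overflow the destination buffer */
        return REQ_TOO_LONG;
    if (declared > req_len - 2)      /* claims more bytes than were received */
        return REQ_TRUNCATED;
    memcpy(out, req + 2, declared);
    *out_len = declared;
    return REQ_OK;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t SAMPLE_OK[]        = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_TRUNCATED[] = {0x00, 0x10, 'a', 'b', 'c'}; /* claims 16 bytes, carries 3 */
static const uint8_t SAMPLE_TOO_LONG[]  = {0x04, 0x00};                /* claims 1024 bytes */

/* Convenience wrappers so each sample can be checked with one call. */
req_status sample_status(const uint8_t *req, size_t req_len)
{
    uint8_t buf[PAYLOAD_MAX];
    size_t n;
    return parse_request_checked(req, req_len, buf, &n);
}

size_t sample_payload_len(const uint8_t *req, size_t req_len)
{
    uint8_t buf[PAYLOAD_MAX];
    size_t n;
    parse_request_checked(req, req_len, buf, &n);
    return n;
}

int main(void)
{
    static const char *names[] = {"ok", "too short", "too long", "truncated"};
    printf("SAMPLE_OK:        %s (%zu bytes)\n",
           names[sample_status(SAMPLE_OK, sizeof SAMPLE_OK)],
           sample_payload_len(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("SAMPLE_TRUNCATED: %s\n", names[sample_status(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED)]);
    printf("SAMPLE_TOO_LONG:  %s\n", names[sample_status(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG)]);
    return 0;
}
```

   The two checks in parse_request_checked() are independent: the first
   protects the fixed-size destination, the second prevents reading past
   the end of the data that actually arrived. A network parser needs
   both, since a request can lie about its length in either direction.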

   Both Massachusetts Institute of Technology (MIT) and Kungl Tekniska
   Högskolan (KTH) Kerberos are affected, as well as operating systems,
   applications, and other Kerberos implementations that use vulnerable
   code derived from either the MIT or KTH distributions. In MIT Kerberos
   5, the Kerberos 4 administration daemon is implemented in kadmind4. In
   KTH Kerberos 4 (eBones), the Kerberos administration daemon is
   implemented in kadmind. KTH Kerberos 5 (Heimdal) also implements the
   daemon in kadmind; however, the Heimdal daemon is only affected if
   compiled with Kerberos 4 support. Since the vulnerable Kerberos
   administration daemon is included in the MIT Kerberos 5 and KTH
   Heimdal distributions, both Kerberos 4 sites and Kerberos 5 sites that
   enable support for the Kerberos 4 administration protocol are
   affected.

   Further information about this vulnerability may be found in
   VU#875073.

   MIT has released an advisory that contains information about this
   vulnerability:

     http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

   The KTH eBones and Heimdal web sites also contain information about
   this vulnerability:

     KTH eBones
     http://www.pdc.kth.se/kth-krb/

     KTH Heimdal
     http://www.pdc.kth.se/kth-krb/

   In addition to resolving the vulnerability described in VU#875073,
   version 0.5.1 of KTH Heimdal contains other fixes related to the KDC.
   See the ChangeLog for more information:

     ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.5-0.5.1.diff.gz

   This vulnerability has been assigned CAN-2002-1235 by the Common
   Vulnerabilities and Exposures (CVE) group.

II. Impact

   An unauthenticated, remote attacker could execute arbitrary code with
   root privileges. If an attacker is able to gain control of a master
   KDC, the integrity of the entire Kerberos realm is compromised,
   including user and host identities and other systems that accept
   Kerberos authentication.

III. Solution

Apply a patch or upgrade

   Apply the appropriate patch or upgrade as specified by your vendor.
   See Appendix A below and the Systems Affected section of VU#875073 for
   specific information.

Disable vulnerable service

   Disable support for the Kerberos 4 administration protocol if it is
   not needed. In MIT Kerberos 5, this can be achieved by disabling
   kadmind4. For information about disabling all Kerberos 4 support in
   MIT Kerberos 5 at compile time, see

     http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24

   In KTH Heimdal, it is necessary to recompile kadmind in order to
   disable support for the Kerberos 4 administration protocol. For
   information about disabling all Kerberos 4 support in KTH Heimdal at
   compile time, see

     http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing

   This solution will prevent Kerberos 4 administrative clients from
   accessing the Kerberos database. It will also prevent users with
   Kerberos 4 clients from changing their passwords. In general, the
   CERT/CC recommends disabling any service that is not explicitly
   required.

Block or restrict access

   Block access to the Kerberos administration service from untrusted
   networks such as the Internet. Furthermore, only allow access to the
   service from trusted administrative hosts. By default, the Kerberos 4
   administration daemon listens on 751/tcp and 751/udp, and the Kerberos
   5 administration daemon listens on 749/tcp and 749/udp. It may be
   necessary to block access to the Kerberos 5 administration service if
   the daemon also supports the Kerberos 4 administration protocol. This
   workaround will prevent administrative connections and password change
   requests from blocked networks. Note that this workaround will not
   prevent exploitation, but it will limit the possible sources of
   attacks.
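   One way to express the port restriction above as a host firewall
   policy, as an added example that is not part of the CERT advisory or
   any vendor statement: the script below emits iptables rules that allow
   the Kerberos administration ports named in this section (751/tcp+udp
   for Kerberos 4, 749/tcp+udp for Kerberos 5) only from one trusted
   administrative host and drop them from everywhere else. The trusted
   host address 192.0.2.10 is a constructed placeholder; nothing is
   applied unless --apply is given.

```shell
#!/bin/sh
# Added example (not from the CERT advisory or any vendor): generate
# iptables rules restricting the Kerberos administration ports to one
# trusted administrative host. 192.0.2.10 is a constructed placeholder.

# kadmin_rules TRUSTED_HOST
# Prints one iptables command per line and applies nothing.
kadmin_rules() {
    trusted="$1"
    for port in 749 751; do            # 749 = Kerberos 5 kadmin, 751 = Kerberos 4 kadmin
        for proto in tcp udp; do       # both daemons listen on TCP and UDP
            echo "iptables -A INPUT -p $proto --dport $port -s $trusted -j ACCEPT"
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Default is a dry run so the rules can be reviewed; --apply runs them.
if [ "$1" = "--apply" ]; then
    kadmin_rules "${2:-192.0.2.10}" | sh
else
    kadmin_rules "${1:-192.0.2.10}"
fi
```

   The ACCEPT for the trusted host precedes the DROP for the same port,
   so rule order matters if the lines are added to an existing chain. As
   the advisory notes, this limits where attacks can come from but does
   not remove the vulnerability; patching or disabling the Kerberos 4
   administration protocol is still required.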

Appendix A. Vendor Information

   This appendix contains information provided by vendors. When vendors
   report new information, this section is updated and the changes are
   noted in the revision history. If a vendor is not listed below, we
   have not received their comments.

Apple Computer, Inc.

     The Kerberos Administration Daemon was included in Mac OS X 10.0,
     but removed in Mac OS X 10.1 and later.
     We encourage sites that use vulnerable Kerberos distributions to
     verify the integrity of their systems and apply patches or upgrade
     as appropriate.

Conectiva

     Our MIT Kerberos 5 packages in Conectiva Linux 8 do contain the
     vulnerable kadmind4 daemon, but it is not used by default nor is it
     installed as a service.

     Updated packages are being uploaded to our ftp server and should be
     available in a few hours at:

       ftp://atualizacoes.conectiva.com.br/8/

     The krb5-server-1.2.3-3U8_3cl.i386.rpm package contains a patched
     kadmind4 daemon. An announcement will be sent to our security
     mailing list a few hours after the upload is complete.

Debian

     Debian has released DSA-178:

       http://www.debian.org/security/2002/dsa-178

FreeBSD

     Both the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind
     v4 compatibility) daemons were vulnerable and have been corrected
     as of 23 October 2002. In addition, the heimdal and krb5 ports
     contained the same vulnerability and have been corrected as of 24
     October 2002. A Security Advisory is in progress.

KTH Kerberos

     The eBones and Heimdal web sites have information about this
     vulnerability:

       KTH eBones
       http://www.pdc.kth.se/kth-krb/

       KTH Heimdal
       http://www.pdc.kth.se/kth-krb/

Microsoft Corporation

     Microsoft's implementation of Kerberos is not affected by this
     vulnerability.

MIT Kerberos

     MIT has released MIT krb5 Security Advisory 2002-002:

       http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

NetBSD

     NetBSD has released NetBSD-SA2002-026:

       ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc

OpenBSD

     OpenBSD has released Security Fix 016 for OpenBSD 3.1 and Security
     Fix 033 for OpenBSD 3.0.

       OpenBSD 3.1
       http://www.openbsd.org/errata31.html#kadmin

       OpenBSD 3.0
       http://www.openbsd.org/errata30.html#kadmin

Openwall

     Openwall GNU/*/Linux is not vulnerable. We don't provide Kerberos.

SuSE

     SuSE Linux 7.2 and later are shipped with Heimdal Kerberos
     included, but Kerberos 4 support is disabled in all releases.
     Therefore, SuSE Linux and SuSE Enterprise Linux are not affected by
     this bug. [See also: SuSE-SA:2002:034]

Wind River Systems (BSDI)

     No version of BSD/OS is vulnerable to this problem.

Appendix B. References

     * http://web.mit.edu/kerberos/www/
     * http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
     * http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24
     * http://www.pdc.kth.se/kth-krb/
     * http://www.pdc.kth.se/heimdal/
     * http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing

     _________________________________________________________________

   Authors: Art Manion and Jason A. Rafail.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2002-29.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History

   October 25, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPbluwGjtSoHZUTs5AQFRbgQApOEHrz7fSu37W8quhTH34fn4E3Jq/Aih
fTTy4b+hVwLujxlws+5lgug9vBd/QVrZEPT+g7xqBNtpsG+XBlAvUDIZJytKz6vN
rTZbMEyKc6PK92n4OJ1iRgG7WaZibEXaeScZSclEgY8yAkQmoVZUzvwzgZaFXXfQ
ihRKZyB9lbc=
=/bkR
-----END PGP SIGNATURE-----