new openSSH hole?
From: Markus Hallström (tubbs@freebsd.se)
Date: 04/20/02
- Next message: Karsten W. Rohrbach: "Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip"
- Previous message: Peter C. Lai: "Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip"
- Next in thread: Jacques A. Vidrine: "Does not affect FreeBSD (was Re: new openSSH hole?)"
- Reply: Jacques A. Vidrine: "Does not affect FreeBSD (was Re: new openSSH hole?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 20 Apr 2002 00:43:33 +0200
From: Markus Hallström <tubbs@freebsd.se>
To: freebsd-security@freebsd.org
This just showed up on vuln-dev:
On Fri, 2002-04-19 at 15:48, Marcell Fodor wrote:
>
>
> The bug affects servers offering Kerberos TGT
> and/or AFS Token passing. The vulnerability can lead
> to a root compromise.
>
> more : mantra.freeweb.hu
>
> Marcell Fodor
>
On http://mantra.freeweb.hu I get the following information:
18.04.2002
security bug report:
OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow.
The bug affects servers offering Kerberos TGT and/or AFS Token passing.
The vulnerability can lead to a root compromise.
bug details:
radix.c
GETSTRING macro in radix_to_creds function may cause buffer overflow.
affected buffers:
creds->service
creds->instance
creds->realm
creds->pinst
user can exploit the vulnerability by sending a malformed request for:
1. pass Kerberos IV TGT
2. pass AFS Token
For security considerations the CREDENTIALS structure is erased at the end of
the auth_krb4_tgt function (auth_krb4.c). This makes code injection impossible at
first look, since the user-supplied code is cleared.
Well, it's all there! Check the temp[] buffer in the radix_to_creds() function. This is
the place where the server decoded the ticket.
It should be considered in further versions to clear the temp buffer prior to
returning from the radix_to_creds function.
Is this known? Should I worry?
--
/Markus
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
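Added example (my own C, not OpenSSH's radix.c or anything from the advisory): a bounded stand-in for the GETSTRING copy beside the two fixes the report implies, rejecting a field with no terminator inside the destination instead of overrunning it, and wiping the decoded temp buffer before radix_to_creds returns. The struct layout, FIELD_LEN, the function names and the sample ticket bytes are constructed assumptions, not the real Kerberos CREDENTIALS structure.

```c
#include <string.h>
/* Constructed stand-in for the fixed-size CREDENTIALS fields the advisory
 * names; the real Kerberos struct has a different layout and sizes. */
#define FIELD_LEN 40
struct creds { char service[FIELD_LEN], instance[FIELD_LEN], realm[FIELD_LEN], pinst[FIELD_LEN]; };

/* Zeroing the compiler cannot drop as a dead store. */
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* Copy one NUL-terminated field from the decoded ticket into dst. Returns bytes
 * consumed including the NUL, or 0 if no NUL appears within both the remaining
 * input and dst. The unchecked copy the advisory describes stops only at the
 * NUL, so an overlong field simply runs past the end of dst. */
static size_t get_string(const unsigned char *src, size_t srclen, char *dst, size_t dstlen)
{
    for (size_t i = 0; i < srclen && i < dstlen; i++) {
        dst[i] = (char)src[i];
        if (src[i] == '\0')
            return i + 1;
    }
    return 0;
}

/* Parse service\0instance\0realm\0pinst\0 out of temp. Returns 1 on success, 0 on
 * malformed input; creds are wiped on failure and temp is wiped on every path. */
int radix_to_creds_safe(unsigned char *temp, size_t tlen, struct creds *c)
{
    char *field[4] = { c->service, c->instance, c->realm, c->pinst };
    size_t off = 0;
    int ok = 1;
    for (int k = 0; k < 4 && ok; k++) {
        size_t n = get_string(temp + off, tlen - off, field[k], FIELD_LEN);
        if (n == 0) ok = 0; else off += n;
    }
    if (!ok) wipe(c, sizeof *c);
    wipe(temp, tlen);
    return ok;
}

/* Constructed inputs: a well-formed ticket body, then one whose service field
 * is never terminated within FIELD_LEN bytes. Returns 0 if both behave. */
int check_parser(void)
{
    unsigned char good[] = "host\0www\0EXAMPLE.ORG\0\0", bad[64];
    struct creds c;
    if (!radix_to_creds_safe(good, sizeof good, &c)) return 1;
    if (strcmp(c.realm, "EXAMPLE.ORG") != 0 || good[0] != 0) return 2;
    memset(bad, 'A', sizeof bad);
    if (radix_to_creds_safe(bad, sizeof bad, &c)) return 3;   /* must reject */
    return (c.service[0] == 0 && bad[63] == 0) ? 0 : 4;       /* both wiped */
}
```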