[UNIX] KRB5 TelnetD Buffer Overflows
From: support@securiteam.com Date: 08/02/01
From: support@securiteam.com To: list@securiteam.com Subject: [UNIX] KRB5 TelnetD Buffer Overflows Message-Id: <20010802195722.6481E13902@mail.der-keiler.de> Date: Thu, 2 Aug 2001 21:57:22 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
KRB5 TelnetD Buffer Overflows
------------------------------------------------------------------------
SUMMARY
Buffer overflows exist in the telnet daemon included with MIT krb5.
Exploits are believed to exist for various operating systems on at least
the i386 architecture.
DETAILS
Vulnerable systems:
* MIT Kerberos 5, all releases to date
Impact:
If telnetd is running, a remote user may gain unauthorized root access.
Fixes:
The recommended approach is to apply the appropriate patches and to
rebuild your telnetd. Patches for the krb5-1.2.2 release may be found at:
http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/www/advisories/telnetd_122_patch.txt.asc
These patches might apply successfully to older releases with some amount
of fuzz.
Please note that if you are using GNU make to build your krb5 sources, the
build system may attempt to rebuild the configure script from the changed
configure.in. This may cause trouble if you do not have autoconf
installed properly. To prevent this, you should use the touch command or
some similar means to ensure that the file modification time on the
configure script is newer than that of the configure.in file.
If you are unable to patch your telnetd, you should disable the telnet
service altogether.
This announcement and code patches related to it may be found on the MIT
Kerberos security advisory page at:
http://web.mit.edu/kerberos/www/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/www/index.html
Details:
A buffer overflow bug was discovered in telnet daemons derived from BSD
source code. Since the telnet daemon in MIT krb5 uses code largely derived
originally from BSD sources, it too is vulnerable.
By carefully constructing a series of telnet options to send to a telnet
server, a remote attacker may exercise a bug relating to lack of bounds
checking, causing an overflow of a fixed-size buffer. This overflow may
possibly force the execution of malicious code.
It is not known how difficult this vulnerability is to exploit, since the
buffer is not on the stack. Some discussion seems to indicate that
exploits exist for the vulnerability that are believed to work against
various operating systems on i386-based machines. It is not known whether
these existing exploits have been successfully ported to other processors.
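As an added illustration (not MIT telnetd source; all names such as reply_buf and queue_refusal_checked are invented), the bug class described above modelled in C: a static, fixed-size reply buffer filled from incoming telnet options with no bounds check, beside the checked version a patched daemon needs.

```c
#include <stddef.h>
#define IAC  255          /* telnet "Interpret As Command" */
#define DO   253          /* peer asks us to enable an option */
#define WONT 252          /* our refusal: IAC WONT <option> */
#define REPLY_BUF_SIZE 32 /* deliberately tiny so the limit is reached fast */
static unsigned char reply_buf[REPLY_BUF_SIZE]; /* static: not on the stack */
static size_t reply_len;

/* Vulnerable pattern: a 3-byte refusal is appended per incoming option with
 * no check that room remains, so enough options write past reply_buf. */
void queue_refusal_unchecked(unsigned char opt)
{
    reply_buf[reply_len++] = IAC;
    reply_buf[reply_len++] = WONT;
    reply_buf[reply_len++] = opt;
}

/* Hardened pattern: append only if all three bytes fit; 1 = queued, 0 = dropped. */
int queue_refusal_checked(unsigned char opt)
{
    if (REPLY_BUF_SIZE - reply_len < 3)
        return 0;
    reply_buf[reply_len++] = IAC;
    reply_buf[reply_len++] = WONT;
    reply_buf[reply_len++] = opt;
    return 1;
}

/* Feed IAC DO <opt> triples through the checked path and return how many
 * replies did not fit: the out-of-bounds writes the unchecked version makes. */
size_t process_options_checked(const unsigned char *in, size_t n)
{
    size_t dropped = 0;
    reply_len = 0;
    for (size_t i = 0; i + 2 < n; i += 3)
        if (in[i] == IAC && in[i + 1] == DO && !queue_refusal_checked(in[i + 2]))
            dropped++;
    return dropped;
}

/* Constructed input: n (<= 64) IAC DO <opt> requests, for a stand-alone run. */
size_t demo_dropped(size_t n)
{
    unsigned char s[3 * 64];
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++) {
        s[3 * i] = IAC; s[3 * i + 1] = DO; s[3 * i + 2] = (unsigned char)(i + 1);
    }
    return process_options_checked(s, 3 * n);
}
```

With the 32-byte buffer, 12 option requests leave two replies that the unchecked version would have written past the end of the buffer; the checked version drops them instead.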
ADDITIONAL INFORMATION
The information has been provided by Tom Yu <tlyu@mit.edu>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.