[UNIX] Buffer Overflow in kadmind4

From: support@securiteam.com
Date: 10/24/02


From: support@securiteam.com
To: list@securiteam.com
Date: 24 Oct 2002 00:05:35 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Buffer Overflow in kadmind4
------------------------------------------------------------------------

SUMMARY

A stack buffer overflow in the implementation of the Kerberos v4
compatibility administration daemon (kadmind4) in the MIT krb5
distribution can be exploited to gain unauthorized root access to a KDC
host. The attacker does not need to authenticate to the daemon to
successfully perform this attack. At least one exploit is known to exist
in the wild.

The kadmind4 supplied with MIT krb5 is intended for use in sites that
require compatibility with legacy administrative clients; sites that do
not have this requirement are not likely to be running this daemon.

DETAILS

Vulnerable systems:
* All releases of MIT Kerberos 5, up to and including krb5-1.2.6.

* All Kerberos 4 implementations derived from MIT Kerberos 4, including
Cygnus Network Security (CNS).

Impact:
A remote attacker can execute arbitrary code on the KDC with the
privileges of the user running kadmind4 (usually root). This can lead to
compromise of the Kerberos database.

Fixes:
Apply the following patch to src/kadmin/v4server/kadm_ser_wrap.c:

Index: kadm_ser_wrap.c
 ===================================================================
RCS file: /cvs/krbdev/krb5/src/kadmin/v4server/kadm_ser_wrap.c,v
retrieving revision 1.10.4.1
diff -c -r1.10.4.1 kadm_ser_wrap.c
*** kadm_ser_wrap.c 2000/05/23 21:44:50 1.10.4.1
- --- kadm_ser_wrap.c 2002/10/22 22:07:11
***************
*** 170,183 ****
      u_char *retdat, *tmpdat;
      int retval, retlen;
  
! if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
  errpkt(dat, dat_len, KADM_BAD_VER);
  return KADM_BAD_VER;
      }
      in_len = KADM_VERSIZE;
      /* get the length */
! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
  return KADM_LENGTH_ERROR;
      in_len += retc;
      authent.length = *dat_len - r_len - KADM_VERSIZE -
sizeof(krb5_ui_4);
      memcpy((char *)authent.dat, (char *)(*dat) + in_len,
authent.length);
- --- 170,190 ----
      u_char *retdat, *tmpdat;
      int retval, retlen;
  
! if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
! || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
  errpkt(dat, dat_len, KADM_BAD_VER);
  return KADM_BAD_VER;
      }
      in_len = KADM_VERSIZE;
      /* get the length */
! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
! || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
! || (*dat_len - r_len - KADM_VERSIZE -
! sizeof(krb5_ui_4) > sizeof(authent.dat))) {
! errpkt(dat, dat_len, KADM_LENGTH_ERROR);
  return KADM_LENGTH_ERROR;
+ }
+
      in_len += retc;
      authent.length = *dat_len - r_len - KADM_VERSIZE -
sizeof(krb5_ui_4);
      memcpy((char *)authent.dat, (char *)(*dat) + in_len,
authent.length);
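Review bot: the ordering of the new checks is what makes the arithmetic safe, and it deserves a comment in the hunk: `sizeof(krb5_ui_4)` is `size_t`, so `*dat_len - KADM_VERSIZE - sizeof(krb5_ui_4)` and `*dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4)` are evaluated unsigned and would wrap on a short packet; the added `*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)` test in the version check and the `r_len > ...` test each run before the subtraction they guard, so the final `> sizeof(authent.dat)` comparison sees a true byte count. Two smaller points: the expression `*dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4)` now appears both in the check and in the `authent.length =` assignment a few lines later, so computing it once into a local and comparing that against `sizeof(authent.dat)` would keep the two from drifting apart; and the length-error path now also calls `errpkt(dat, dat_len, KADM_LENGTH_ERROR)` where the old code returned silently, a wire-visible behaviour change worth recording in the commit message.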

The patch was generated against krb5-1.2.6; patches to other releases may
apply with some offset.
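As an added illustration (not code from MIT krb5 or this advisory), the following C models the length arithmetic of the pre-patch and patched kadm_ser_in path over constructed packets, so the wrap and the oversized copy can be seen on real inputs. It assumes the packet layout implied by the diff (version string, 4-byte big-endian r_len, authenticator, request), a KADM_VERSTR value of "KADM0.0A" (only its length matters), a 16-byte stand-in for authent.dat, and simplified stand-ins for stv_long and the error codes.

```c
/* Added example (not MIT krb5 code): models the request-length validation the
 * kadmind4 patch adds, over constructed packets. Assumed layout from the diff:
 * [KADM_VERSTR][4-byte big-endian r_len][authenticator][r_len request bytes]. */
#include <stdint.h>
#include <string.h>
#define KADM_VERSTR  "KADM0.0A"          /* assumed value; only its length matters */
#define KADM_VERSIZE (sizeof(KADM_VERSTR) - 1)
#define AUTHENT_MAX  16                  /* stand-in for sizeof(authent.dat) */
enum { KADM_OK = 0, KADM_BAD_VER = -1, KADM_LENGTH_ERROR = -2 };
typedef uint32_t krb5_ui_4;

/* Decode the big-endian length field at offset off (stand-in for stv_long). */
static int stv_long(const unsigned char *p, size_t off, size_t len, krb5_ui_4 *out) {
    if (off + sizeof(krb5_ui_4) > len) return -1;
    *out = ((krb5_ui_4)p[off] << 24) | ((krb5_ui_4)p[off + 1] << 16) | ((krb5_ui_4)p[off + 2] << 8) | p[off + 3];
    return (int)sizeof(krb5_ui_4);
}

/* Pre-patch arithmetic: no bound on r_len or on the authenticator size.
 * Returns the byte count the old memcpy would write into authent.dat. */
size_t old_authent_length(const unsigned char *dat, size_t dat_len) {
    krb5_ui_4 r_len = 0;
    stv_long(dat, KADM_VERSIZE, dat_len, &r_len);
    return dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);  /* unsigned: may wrap */
}

/* Patched validation: each size test precedes the subtraction it protects, and
 * on KADM_OK *authent_len is guaranteed to fit in AUTHENT_MAX. */
int checked_authent_length(const unsigned char *dat, size_t dat_len, size_t *authent_len) {
    krb5_ui_4 r_len;
    if (dat_len < KADM_VERSIZE + sizeof(krb5_ui_4) ||
        strncmp(KADM_VERSTR, (const char *)dat, KADM_VERSIZE))
        return KADM_BAD_VER;
    if (stv_long(dat, KADM_VERSIZE, dat_len, &r_len) < 0 ||
        r_len > dat_len - KADM_VERSIZE - sizeof(krb5_ui_4) ||
        dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4) > AUTHENT_MAX)
        return KADM_LENGTH_ERROR;
    *authent_len = dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
    return KADM_OK;
}

/* Build a constructed packet into buf: 'A' authenticator bytes, 'R' request
 * bytes; r_len_field may deliberately disagree with the body. Returns length. */
size_t build_packet(unsigned char *buf, size_t authent, size_t request, krb5_ui_4 r_len_field) {
    size_t n = KADM_VERSIZE;
    memcpy(buf, KADM_VERSTR, KADM_VERSIZE);
    for (int i = 3; i >= 0; i--) buf[n++] = (unsigned char)(r_len_field >> (8 * i));
    memset(buf + n, 'A', authent); n += authent;
    memset(buf + n, 'R', request); n += request;
    return n;
}
```

A 32-byte authenticator yields an old copy length of 32 into a 16-byte buffer, and an r_len larger than the payload makes the old subtraction wrap to a huge value; the patched function rejects both with KADM_LENGTH_ERROR.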

This patch may also be found at:
http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt

ADDITIONAL INFORMATION

The original advisory can be downloaded from:
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

The information has been provided by Tom Yu <tlyu@mit.edu>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
