[UNIX] Buffer Overflow in kadmind4
From: support@securiteam.com
Date: 10/24/02
From: support@securiteam.com To: list@securiteam.com Date: 24 Oct 2002 00:05:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow in kadmind4
------------------------------------------------------------------------
SUMMARY
A stack buffer overflow in the implementation of the Kerberos v4
compatibility administration daemon (kadmind4) in the MIT krb5
distribution can be exploited to gain unauthorized root access to a KDC
host. The attacker does not need to authenticate to the daemon to
successfully perform this attack. At least one exploit is known to exist
in the wild.
The kadmind4 supplied with MIT krb5 is intended for use in sites that
require compatibility with legacy administrative clients; sites that do
not have this requirement are not likely to be running this daemon.
DETAILS
Vulnerable systems:
* All releases of MIT Kerberos 5, up to and including krb5-1.2.6.
* All Kerberos 4 implementations derived from MIT Kerberos 4, including
Cygnus Network Security (CNS).
Impact:
A remote attacker can execute arbitrary code on the KDC with the
privileges of the user running kadmind4 (usually root). This can lead to
compromise of the Kerberos database.
Fixes:
Apply the following patch to src/kadmin/v4server/kadm_ser_wrap.c:
Index: kadm_ser_wrap.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kadmin/v4server/kadm_ser_wrap.c,v
retrieving revision 1.10.4.1
diff -c -r1.10.4.1 kadm_ser_wrap.c
*** kadm_ser_wrap.c 2000/05/23 21:44:50 1.10.4.1
- --- kadm_ser_wrap.c 2002/10/22 22:07:11
***************
*** 170,183 ****
u_char *retdat, *tmpdat;
int retval, retlen;
! if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
return KADM_LENGTH_ERROR;
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE -
sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len,
authent.length);
- --- 170,190 ----
u_char *retdat, *tmpdat;
int retval, retlen;
! if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
! || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
! || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
! || (*dat_len - r_len - KADM_VERSIZE -
! sizeof(krb5_ui_4) > sizeof(authent.dat))) {
! errpkt(dat, dat_len, KADM_LENGTH_ERROR);
return KADM_LENGTH_ERROR;
+ }
+
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE -
sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len,
authent.length);
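Review bot: the three conditions in the new length test are order-dependent and should carry a comment saying so. The middle test, `r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4)`, is what keeps the subtraction in the third test (`*dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4) > sizeof(authent.dat)`) from wrapping, and the earlier `*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)` test is what keeps the middle one from wrapping; a later reordering would silently reintroduce the overflow. One side effect worth stating in the change description: the length-error path now also sends `errpkt(dat, dat_len, KADM_LENGTH_ERROR)` to the client, whereas the old code returned `KADM_LENGTH_ERROR` without replying.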
The patch was generated against krb5-1.2.6; patches to other releases may
apply with some offset.
This patch may also be found at:
<http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt>
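As an added illustration, not code from the advisory or from the MIT krb5 tree, the following C model shows the length validation the patch above introduces and why each test is needed. The macro and field names follow the patch, but the version-string value, the 64-byte size of `authent.dat`, the big-endian encoding of the length field read by the `read_be32` stand-in for `stv_long`, and the `parse_constructed` test-packet builder are all assumptions made for this example. `unpatched_authent_length` reproduces the unchecked arithmetic of the old code without performing any copy, so the out-of-range and wrapped lengths it yields can be set beside the hardened parser's rejections of the same constructed packets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names follow the advisory's patch; the values are assumptions made for this
 * example and are not taken from the krb5 sources. */
#define KADM_VERSTR        "KADM0.0A"   /* assumed 8-byte version string */
#define KADM_VERSIZE       8
#define AUTHENT_DAT_SIZE   64           /* assumed sizeof(authent.dat) */
#define KADM_OK            0
#define KADM_BAD_VER      -1
#define KADM_LENGTH_ERROR -2

typedef struct {
    uint32_t      length;
    unsigned char dat[AUTHENT_DAT_SIZE];  /* fixed-size buffer the overflow hit */
} authent_t;

/* Stand-in for stv_long(): read a big-endian 32-bit field at `off`.
 * Returns bytes consumed, or -1 if the field does not fit in the buffer. */
static int read_be32(const unsigned char *buf, size_t buflen, size_t off, uint32_t *out)
{
    if (off > buflen || buflen - off < 4)
        return -1;
    *out = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16)
         | ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
    return 4;
}

/* The arithmetic the pre-patch code used for authent.length, with no bound,
 * returned as the unsigned value it yields so any wrap-around is visible. */
uint32_t unpatched_authent_length(uint32_t dat_len, uint32_t r_len)
{
    return dat_len - r_len - KADM_VERSIZE - (uint32_t)sizeof(uint32_t);
}

/* Hardened parse, structured like the advisory's fix: nothing is copied into
 * `a` until every length has been checked against the packet and the buffer. */
int kadm_parse_hardened(const unsigned char *dat, size_t dat_len, authent_t *a)
{
    uint32_t r_len;
    size_t in_len;
    int retc;
    /* Check 1: version string and length field must both be present before
     * strncmp reads them and before the subtractions below can wrap. */
    if (dat_len < KADM_VERSIZE + sizeof(uint32_t)
        || strncmp(KADM_VERSTR, (const char *)dat, KADM_VERSIZE) != 0)
        return KADM_BAD_VER;
    in_len = KADM_VERSIZE;
    retc = read_be32(dat, dat_len, in_len, &r_len);
    /* Check 2: the request length must fit in what follows the header, and
     * the authenticator bytes left over must fit in the fixed-size buffer.
     * Order matters: the middle test is what keeps the last from wrapping. */
    if (retc < 0
        || r_len > dat_len - KADM_VERSIZE - sizeof(uint32_t)
        || dat_len - r_len - KADM_VERSIZE - sizeof(uint32_t) > sizeof(a->dat))
        return KADM_LENGTH_ERROR;
    in_len += (size_t)retc;
    a->length = (uint32_t)(dat_len - r_len - KADM_VERSIZE - sizeof(uint32_t));
    memcpy(a->dat, dat + in_len, a->length);
    return KADM_OK;
}

/* Build one constructed packet (version string, big-endian r_len, body_len
 * filler bytes), parse it and return the parse code; on success the validated
 * authenticator length is stored through *authent_len. */
int parse_constructed(uint32_t r_len, size_t body_len, uint32_t *authent_len)
{
    unsigned char pkt[256];
    authent_t a;
    size_t n = KADM_VERSIZE + sizeof(uint32_t) + body_len;
    int rc;
    if (n > sizeof pkt)
        return KADM_LENGTH_ERROR;   /* constructed body too big for this demo */
    memcpy(pkt, KADM_VERSTR, KADM_VERSIZE);
    pkt[8]  = (unsigned char)(r_len >> 24); pkt[9]  = (unsigned char)(r_len >> 16);
    pkt[10] = (unsigned char)(r_len >> 8);  pkt[11] = (unsigned char)r_len;
    memset(pkt + 12, 0x41, body_len);
    rc = kadm_parse_hardened(pkt, n, &a);
    if (authent_len)
        *authent_len = (rc == KADM_OK) ? a.length : 0;
    return rc;
}

int main(void)
{
    uint32_t len = 0;
    int rc = parse_constructed(4, 20, &len);   /* 16 auth bytes + 4 request bytes */
    printf("well-formed:     rc=%d authent.length=%u\n", rc, len);
    printf("oversized body:  rc=%d (unpatched length would be %u)\n",
           parse_constructed(0, 200, NULL), unpatched_authent_length(212, 0));
    printf("r_len too large: rc=%d (unpatched length would wrap to %u)\n",
           parse_constructed(1000, 4, NULL), unpatched_authent_length(16, 1000));
    return 0;
}
```

The two rejected packets map onto the two new conditions: a 212-byte packet whose request length is 0 leaves 200 authenticator bytes for a 64-byte buffer, and a 16-byte packet claiming a 1000-byte request drives the old subtraction below zero, which unsigned arithmetic turns into a length near 2^32. The first test in the patch is what makes the second one safe to evaluate; a version that checked only `sizeof(authent.dat)` would still let the wrapped case through.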
ADDITIONAL INFORMATION
The original advisory can be downloaded by going to:
<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt>
The information has been provided by Tom Yu <tlyu@mit.edu>.