[UNIX] Krb5_aname_to_localname Buffer Overflows

From: SecuriTeam (support_at_securiteam.com)
Date: 06/02/04

    To: list@securiteam.com
    Date: 2 Jun 2004 10:45:21 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Krb5_aname_to_localname Buffer Overflows
    ------------------------------------------------------------------------

    SUMMARY

    The krb5_aname_to_localname() library function contains multiple buffer
    overflows that could be exploited to gain unauthorized root access.
    Exploitation of these flaws requires an unusual combination of factors,
    including successful authentication to a vulnerable service and a
    non-default configuration on the target service (See MITIGATING FACTORS
    below).

    DETAILS

    Vulnerable Systems:
     * All releases of MIT Kerberos 5, up to and including krb5-1.3.3

    Affected services contained in these releases include the remote login
    applications (e.g., ftp, rsh, rlogin, telnet), as well as ksu. Third-party
    application servers using the affected functionality of the krb5 library
    may be vulnerable.

    These services are only vulnerable in non-default configurations.

    Immune Systems:
     * krb5 version 1.3.4 and newer

    Impact:
    A remote attacker who meets the conditions under Mitigating Factors can
    potentially execute arbitrary code on hosts running vulnerable services,
    with the privileges of the affected service (root for the login services
    and ksu named above).

    Mitigating Factors:
    Only configurations which enable the explicit mapping or rules-based
    mapping functionality of krb5_aname_to_localname() are vulnerable: in
    krb5.conf terms, an auth_to_local_names subsection or auth_to_local
    entries of the form RULE:... under the realm's entry in the [realms]
    section. These configurations are not the default.

    If the explicit mapping functionality is enabled, an attacker must
    authenticate using a principal name listed in the explicit mapping
    list.

    If the rules-based mapping functionality is enabled, an attacker must be
    able to create arbitrary principal names either in the local Kerberos
    realm or in a remote realm from which the local realm's services are
    reachable by cross-realm authentication.

    Fixes:
     * If you are using the vulnerable functionality, consider disabling it
    immediately. Removing every explicit mapping and every rules-based
    mapping from the configuration should prevent exploitation.

     * The upcoming krb5-1.3.4 release will contain a fix for this problem.

     * Apply the following patch to src/lib/krb5/os/an_to_ln.c, and recompile
    the affected libraries and applications.

    Index: an_to_ln.c
     ===================================================================
    RCS file: /cvs/krbdev/krb5/src/lib/krb5/os/an_to_ln.c,v
    retrieving revision 5.39
    diff -c -r5.39 an_to_ln.c
    *** an_to_ln.c 2002/09/03 19:29:34 5.39
    - --- an_to_ln.c 2004/05/14 19:39:21
    ***************
    *** 270,278 ****
       * If no regcomp() then just return the input string verbatim in the
    output
       * string.
       */
    ! static void
      do_replacement(char *regexp, char *repl, int doall, char *in, char *out)
      {
      #if HAVE_REGCOMP
          regex_t match_exp;
          regmatch_t match_match;
    - --- 270,283 ----
       * If no regcomp() then just return the input string verbatim in the
    output
       * string.
       */
    ! #define use_bytes(x) \
    ! out_used += (x); \
    ! if (out_used > MAX_FORMAT_BUFFER) goto mem_err
    !
    ! static int
      do_replacement(char *regexp, char *repl, int doall, char *in, char *out)
      {
    + size_t out_used = 0;
      #if HAVE_REGCOMP
          regex_t match_exp;
          regmatch_t match_match;
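    Review bot: use_bytes() expands to two statements (`out_used += (x); if (out_used > MAX_FORMAT_BUFFER) goto mem_err`) with no `do { ... } while (0)` wrapper, so any unbraced `if (...) use_bytes(n);` leaves the overflow test and whatever follows it outside the condition; wrap the body, or make it a static inline function that returns the verdict. The comparison should also be `>=`: `out` can hold MAX_FORMAT_BUFFER - 1 characters plus the terminator, so a result of exactly MAX_FORMAT_BUFFER bytes passes the check and is then silently cut short by the strncpy bounds instead of being refused, and in the regexp branch further down that truncated state is what lets `op` run off the end of the buffer. The header comment above do_replacement() still describes a void function; document the new int return (1 on success, 0 when the expansion does not fit).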
    ***************
    *** 287,303 ****
            do {
                if (!regexec(&match_exp, cp, 1, &match_match, 0)) {
                    if (match_match.rm_so) {
                        strncpy(op, cp, match_match.rm_so);
                        op += match_match.rm_so;
                    }
                    strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
                    op += strlen(op);
                    cp += match_match.rm_eo;
    ! if (!doall)
                        strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
                    matched = 1;
                }
                else {
                    strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
                    matched = 0;
                }
    - --- 292,313 ----
            do {
                if (!regexec(&match_exp, cp, 1, &match_match, 0)) {
                    if (match_match.rm_so) {
    + use_bytes(match_match.rm_so);
                        strncpy(op, cp, match_match.rm_so);
                        op += match_match.rm_so;
                    }
    + use_bytes(strlen(repl));
                    strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
                    op += strlen(op);
                    cp += match_match.rm_eo;
    ! if (!doall) {
    ! use_bytes(strlen(cp));
                        strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
    + }
                    matched = 1;
                }
                else {
    + use_bytes(strlen(cp));
                    strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
                    matched = 0;
                }
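    Review bot: the check keeps a second counter (`out_used`) in parallel with the write position `op`, and the two are advanced by different expressions (`use_bytes(strlen(repl))` against `op += strlen(op)`), so a later edit to either one can desynchronise them without any warning. Deriving the check from the position itself, e.g. `if ((size_t)(op - out) + n >= MAX_FORMAT_BUFFER) goto mem_err;` before each copy, removes the duplicate state and would let the defensive strncpy bounds become plain memcpy calls. Note also that `strncpy(op, cp, match_match.rm_so)` has no buffer-derived bound at all and is in-bounds only because of the `use_bytes(match_match.rm_so)` directly above it; a comment there would stop someone from "simplifying" the pair.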
    ***************
    *** 322,338 ****
    - --- 332,352 ----
                sdispl = (size_t) (loc1 - cp);
                edispl = (size_t) (loc2 - cp);
                if (sdispl) {
    + use_bytes(sdispl);
                    strncpy(op, cp, sdispl);
                    op += sdispl;
                }
    + use_bytes(strlen(repl));
                strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
                op += strlen(repl);
                cp += edispl;
                if (!doall)
    + use_bytes(strlen(cp));
                    strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
                matched = 1;
            }
            else {
    + use_bytes(strlen(cp));
                strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
                matched = 0;
            }
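    Review bot: `op += strlen(repl)` after the bounded `strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out))` advances by the full replacement length even when the bound made strncpy write fewer bytes; the regcomp branch in the previous hunk uses `op += strlen(op)` for exactly this reason. With the `>` comparison in use_bytes that state is reachable: when out_used lands on exactly MAX_FORMAT_BUFFER during the repl copy, op ends up at out + MAX_FORMAT_BUFFER, the next bound `MAX_FORMAT_BUFFER - 1 - (op - out)` is -1 and converts to SIZE_MAX, and if the match ended at the end of the input (cp empty, so `use_bytes(0)` passes) the tail strncpy writes its padding zeros past the buffer. Use `op += strlen(op)` here as well. Separately, the `if (!doall)` two lines down is followed by the two-statement macro without braces, unlike the `{ ... }` added in the regcomp branch: only `out_used += strlen(cp)` is conditional, and the tail strncpy now runs on every global-replacement iteration (bounded, and overwritten by the next copy, but unaccounted); add the braces.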
    ***************
    *** 340,346 ****
    - --- 354,368 ----
      #else /* HAVE_REGEXP_H */
          memcpy(out, in, MAX_FORMAT_BUFFER);
      #endif /* HAVE_REGCOMP */
    + return 1;
    + mem_err:
    + #ifdef HAVE_REGCMP
    + regfree(&match_exp);
    + #endif
    + return 0;
    +
      }
    + #undef use_bytes
      
      /*
       * aname_replacer() - Perform the specified substitutions on the input
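    Review bot: the cleanup at mem_err tests `#ifdef HAVE_REGCMP`, but the conditionals visible in this file, including the `#if HAVE_REGCOMP` at the top of the function, spell it HAVE_REGCOMP, and `match_exp` is declared only under that macro. As written, a regcomp() build never frees the compiled expression on the error path (one leak per over-long rule input), and a build that defines HAVE_REGCMP without HAVE_REGCOMP fails to compile on `regfree(&match_exp)`. Change it to `#if HAVE_REGCOMP` to match the declaration, and drop the stray empty `+` line before the closing brace.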
    ***************
    *** 412,418 ****
      
                        /* Do the replacemenbt */
                        memset(out, '\0', MAX_FORMAT_BUFFER);
    ! do_replacement(rule, repl, doglobal, in, out);
                        free(rule);
                        free(repl);
      
    - --- 434,445 ----
      
                        /* Do the replacemenbt */
                        memset(out, '\0', MAX_FORMAT_BUFFER);
    ! if (!do_replacement(rule, repl, doglobal, in, out)) {
    ! free(rule);
    ! free(repl);
    ! kret = KRB5_LNAME_NOTRANS;
    ! break;
    ! }
                        free(rule);
                        free(repl);
      
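    Review bot: the failure branch repeats the `free(rule); free(repl);` pair that the fall-through path performs two lines later; set `kret` inside the `if`, fall through to the single free pair, and `break` afterwards when `kret` is set, so the two paths cannot drift apart. The error code also deserves a comment: an expansion that does not fit is reported as KRB5_LNAME_NOTRANS here, while the same condition in rule_an_to_ln() below is reported as ENOMEM; callers should see one code for one condition. The `replacemenbt` typo in the surrounding comment could be fixed while these lines are being touched.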
    ***************
    *** 459,464 ****
    - --- 486,492 ----
          char *fprincname;
          char *selstring = 0;
          int num_comps, compind;
    + size_t selstring_used;
          char *cout;
          krb5_data *datap;
          char *outstring;
    ***************
    *** 479,484 ****
    - --- 507,513 ----
                         */
                        current = strchr(current, ':');
                        selstring = (char *) malloc(MAX_FORMAT_BUFFER);
    + selstring_used = 0;
                        if (current && selstring) {
                            current++;
                            cout = selstring;
    ***************
    *** 497,502 ****
    - --- 526,539 ----
                                                                      aname,
                                                                      
    compind-1))
                                        ) {
    + if ((datap->length < MAX_FORMAT_BUFFER)
    + && (selstring_used+datap->length
    + < MAX_FORMAT_BUFFER)) {
    + selstring_used += datap->length;
    + } else {
    + kret = ENOMEM;
    + goto errout;
    + }
                                        strncpy(cout,
                                                datap->data,
                                                (unsigned) datap->length);
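    Review bot: reporting a principal that does not fit in selstring as ENOMEM is misleading, since nothing failed to allocate, and it is inconsistent with the KRB5_LNAME_NOTRANS used for the same situation in aname_replacer(); prefer the latter here. The first clause, `datap->length < MAX_FORMAT_BUFFER`, is implied by the second unless `selstring_used + datap->length` can wrap (size_t plus unsigned int on a 32-bit build); say so in a comment or it will be removed as redundant. The strncpy below still writes no terminator: the `<` comparisons leave one byte free for it, but whatever finishes selstring after the loop must actually store it.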
    ***************
    *** 527,533 ****
                            else
                                kret = KRB5_CONFIG_BADFORMAT;
      
    ! if (kret)
                                free(selstring);
                        }
                    }
    - --- 564,570 ----
                            else
                                kret = KRB5_CONFIG_BADFORMAT;
      
    ! errout: if (kret)
                                free(selstring);
                        }
                    }
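    Review bot: the `errout:` label is fused onto the `if (kret)` line; put it on its own line in column 0, as `mem_err:` is written in the do_replacement hunk, so the jump target is visible when scanning the function. Since `goto errout` now arrives from inside the component loop, check that nothing allocated between the malloc of selstring and that point (the `outstring` declared above, if it is already allocated there) is leaked on the error path.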
    ***************
    *** 643,649 ****
          const char *hierarchy[5];
          char **mapping_values;
          int i, nvalid;
    ! char *cp;
          char *typep, *argp;
          unsigned int lnsize;
      
    - --- 680,686 ----
          const char *hierarchy[5];
          char **mapping_values;
          int i, nvalid;
    ! char *cp, *s;
          char *typep, *argp;
          unsigned int lnsize;
      
    ***************
    *** 677,687 ****
      
                        /* Just use the last one. */
                        /* Trim the value. */
    ! cp = &mapping_values[nvalid-1]
    ! [strlen(mapping_values[nvalid-1])];
    ! while (isspace((int) (*cp))) cp--;
    ! cp++;
    ! *cp = '\0';
      
                        /* Copy out the value if there's enough room */
                        if (strlen(mapping_values[nvalid-1])+1 <= (size_t)
    lnsize)
    - --- 714,727 ----
      
                        /* Just use the last one. */
                        /* Trim the value. */
    ! s = mapping_values[nvalid-1];
    ! cp = s + strlen(s);
    ! while (cp > s) {
    ! cp--;
    ! if (!isspace((int)(*cp)))
    ! break;
    ! *cp = '\0';
    ! }
      
                        /* Copy out the value if there's enough room */
                        if (strlen(mapping_values[nvalid-1])+1 <= (size_t)
    lnsize)
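    Review bot: this rewrite is the fix for the single-byte heap overflow described under Details. The old loop started at `&s[strlen(s)]`, i.e. on the terminating NUL, which isspace() rejects, so it never trimmed anything, and the unconditional `cp++; *cp = '\0';` then stored a zero one byte past the terminator on every explicit-mapping lookup; the new loop stays inside the string and stops at the first non-space byte. One remaining point: `isspace((int)(*cp))` is undefined for negative `char` values (bytes >= 0x80 in a mapping value on a signed-char platform); cast through `unsigned char` instead.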

    The patch was generated against krb5-1.3.3; it may apply, with some
    offset, to other releases.

    This patch may also be found at:
    http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt

    The associated detached PGP signature is at:
    http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt.asc

    Details:
    krb5_aname_to_localname() translates a Kerberos principal name to a local
    account name, typically a UNIX username. In the file
    src/lib/krb5/os/an_to_ln.c, the helper functions aname_replacer(),
    do_replacement(), and rule_an_to_ln() do not perform adequate checks of
    the lengths of strings which contain the name of the principal whose
    authorization is being checked. This can result in the overflow of heap
    buffers when an attacker authenticates using a sufficiently long principal
    name.
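    The following is an added example, not code from the advisory or from the krb5 sources. It shows the shape of a regex substitution into a fixed-size output buffer, as aname_replacer()/do_replacement() perform on a principal name, written so that it fails closed (returns 0 and leaves the output empty) whenever the expansion would not fit, instead of writing past the buffer or silently truncating. It goes slightly beyond the patch above in that it handles empty matches and passes REG_NOTBOL on continued matches. OUT_BUF (standing in for MAX_FORMAT_BUFFER), the function names and the test inputs are this example's own assumptions.

```c
/* Added example, not from the advisory or the krb5 sources: a regex
 * substitution into a fixed-size buffer that fails closed when the result
 * would not fit. It follows the shape of do_replacement() in an_to_ln.c;
 * OUT_BUF, the function names and the inputs are this example's own. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define OUT_BUF 64   /* stand-in for MAX_FORMAT_BUFFER (assumed size) */

/* Append n bytes of src at out[*used]; fail if no room is left for the NUL. */
static int append_bytes(char *out, size_t *used, const char *src, size_t n)
{
    if (n >= OUT_BUF - *used)
        return 0;
    memcpy(out + *used, src, n);
    *used += n;
    out[*used] = '\0';
    return 1;
}

/* Replace the first match of regexp in `in` (every match if doall) with
 * repl, writing into out[OUT_BUF]. Returns 1 on success, 0 if the regex
 * is invalid or the expansion would exceed the buffer; on failure out is
 * left all-zero rather than truncated, since a truncated name could map
 * to a different local account. */
int safe_replace(const char *regexp, const char *repl, int doall,
                 const char *in, char out[OUT_BUF])
{
    regex_t re;
    regmatch_t m;
    size_t used = 0, repl_len = strlen(repl);
    const char *cp = in;
    int eflags = 0, ok = 1;

    memset(out, 0, OUT_BUF);
    if (regcomp(&re, regexp, REG_EXTENDED) != 0)
        return 0;
    while (ok && regexec(&re, cp, 1, &m, eflags) == 0) {
        ok = append_bytes(out, &used, cp, (size_t)m.rm_so)   /* prefix */
          && append_bytes(out, &used, repl, repl_len);        /* replacement */
        cp += m.rm_eo;
        if (m.rm_eo == m.rm_so) {          /* empty match: step over one byte */
            if (*cp == '\0')
                break;
            ok = ok && append_bytes(out, &used, cp, 1);
            cp++;
        }
        eflags = REG_NOTBOL;               /* '^' must not match mid-string */
        if (!doall || *cp == '\0')
            break;
    }
    if (ok)
        ok = append_bytes(out, &used, cp, strlen(cp));        /* tail */
    regfree(&re);
    if (!ok)
        memset(out, 0, OUT_BUF);
    return ok;
}

/* Constructed inputs: a realm-stripping rule on names of various sizes. */
int demo_short_name(void)
{
    char out[OUT_BUF];
    return safe_replace("@EXAMPLE\\.COM$", "", 0, "alice@EXAMPLE.COM", out)
        && strcmp(out, "alice") == 0;
}

int demo_global(void)
{
    char out[OUT_BUF];
    return safe_replace("[.]", "_", 1, "a.b.c", out) && strcmp(out, "a_b_c") == 0;
}

/* A local part longer than the buffer is refused, not written past it. */
int demo_long_name(void)
{
    char in[128], out[OUT_BUF];
    memset(in, 'a', 100);
    strcpy(in + 100, "@EXAMPLE.COM");
    return safe_replace("@EXAMPLE\\.COM$", "", 0, in, out) == 0 && out[0] == '\0';
}

/* A short input whose replacement grows past the buffer is refused too. */
int demo_expanding(void)
{
    char in[41], out[OUT_BUF];
    memset(in, 'x', 40);
    in[40] = '\0';
    return safe_replace("x", "yy", 1, in, out) == 0;
}

int main(void)
{
    printf("strip realm: %d, global: %d, long name refused: %d, expansion refused: %d\n",
           demo_short_name(), demo_global(), demo_long_name(), demo_expanding());
    return 0;
}
```

    Refusing rather than truncating matters for this particular function: its output is the local account name that authorization is granted to, and a name cut off at a buffer boundary could name a different user than the one the rule intended.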

    In addition, the implementation of the explicit mapping functionality in
    krb5_aname_to_localname() consistently writes a zero byte at a location
    one byte past the end of a heap buffer when handling a principal name
    matching an explicit mapping. Single-byte overflows of heap buffers are
    known to be exploitable on some architectures. The vulnerability in the
    explicit mapping functionality was fixed around December 2003 in the
    development sources, but the fix was not propagated to the krb5-1.3.x
    release branch.
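    The following is an added example, not code from the advisory or the krb5 sources. It reproduces the trailing-whitespace trim that the explicit-mapping path used before the patch, beside the corrected loop, and runs each over a heap copy of the value followed by a canary byte, so the one-byte overwrite described above can be observed inside memory the program owns rather than by corrupting the allocator's metadata. CANARY, the function names and the sample mapping values are this example's own assumptions.

```c
/* Added example, not from the advisory or the krb5 sources: the pre-fix
 * explicit-mapping trim beside the fixed one, each run over
 * [value][NUL][CANARY] on the heap. CANARY, names and values are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xA5

/* Pre-fix trim. cp starts on the terminating NUL, which isspace() rejects,
 * so the loop never runs (nothing is ever trimmed) and cp++ followed by the
 * store writes a zero one byte past the terminator. The cast to unsigned
 * char only avoids undefined behaviour on negative chars; the original
 * cast to int behaves the same for these inputs. */
static void trim_old(char *s)
{
    char *cp = &s[strlen(s)];
    while (isspace((unsigned char)*cp))
        cp--;
    cp++;
    *cp = '\0';
}

/* Post-fix trim, the shape of the patch: move back only while still inside
 * the string, truncating at every trailing whitespace byte. */
static void trim_new(char *s)
{
    char *cp = s + strlen(s);
    while (cp > s) {
        cp--;
        if (!isspace((unsigned char)*cp))
            break;
        *cp = '\0';
    }
}

/* Lay out [value][NUL][CANARY] on the heap, run one trim over it and copy
 * the trimmed string into result. Returns 1 if the byte after the
 * terminator was overwritten, 0 if it survived, -1 on allocation failure. */
int run_trim(const char *value, int use_fixed, char *result, size_t result_len)
{
    size_t len = strlen(value);
    unsigned char *buf = malloc(len + 2);
    int clobbered;

    if (buf == NULL)
        return -1;
    memcpy(buf, value, len + 1);          /* the value and its NUL */
    buf[len + 1] = CANARY;                /* the byte the allocator would own */

    if (use_fixed)
        trim_new((char *)buf);
    else
        trim_old((char *)buf);

    clobbered = (buf[len + 1] != CANARY);
    snprintf(result, result_len, "%s", (const char *)buf);
    free(buf);
    return clobbered;
}

/* Old code: the canary dies even though there is no whitespace to trim. */
int demo_old_plain(void)
{
    char r[32];
    return run_trim("jtk", 0, r, sizeof r) == 1 && strcmp(r, "jtk") == 0;
}

/* Old code: trailing spaces survive (never trimmed) and the canary dies. */
int demo_old_spaces(void)
{
    char r[32];
    return run_trim("jtk  ", 0, r, sizeof r) == 1 && strcmp(r, "jtk  ") == 0;
}

/* New code: trimmed correctly, canary intact. */
int demo_new_spaces(void)
{
    char r[32];
    return run_trim("jtk  ", 1, r, sizeof r) == 0 && strcmp(r, "jtk") == 0;
}

/* New code: an all-whitespace value empties cleanly without running before s. */
int demo_new_blank(void)
{
    char r[32];
    return run_trim("   ", 1, r, sizeof r) == 0 && r[0] == '\0';
}

int main(void)
{
    printf("old/plain clobbers: %d, old/spaces clobbers: %d, "
           "new/spaces safe: %d, new/blank safe: %d\n",
           demo_old_plain(), demo_old_spaces(), demo_new_spaces(), demo_new_blank());
    return 0;
}
```

    The canary stands in for whatever the heap allocator keeps immediately after the mapping value's buffer; in the real library the stray zero byte lands there on every lookup of an explicitly mapped principal, which is why the advisory calls the overflow consistent rather than input-dependent.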

    ADDITIONAL INFORMATION

    The information has been provided by Tom Yu <tlyu@mit.edu>.
    Thanks to Christopher Nebergall for finding the single-byte overflow.
    Thanks to Nico Williams for finding a vulnerability in the rules-based
    mapping. Thanks to Matt Crawford for useful comments.

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

