Re: Buffer Overflow vulnerability in Kerberos protocol
From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 11/05/02
- Next message: Joe Richards [MVP]: "Re: password unknown"
- Previous message: Joe Richards [MVP]: "Re: How to globally change machine local admins"
- In reply to: Karl Levinson [x y] mvp: "Re: Buffer Overflow vulnerability in Kerberos protocol"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Tue, 5 Nov 2002 10:03:57 -0500
Here is the CERT advisory: http://www.cert.org/advisories/CA-2000-06.html
Note the:
Microsoft Corporation
No Microsoft products are affected by this vulnerability.
CERT® Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos
Authenticated Services
Original release date: May 17, 2000
Last revised: Sep 14, 2001
Source: The MIT Kerberos Team, CERT/CC
A complete revision history is at the end of this file.
Systems Affected
- Systems running services authenticated via Kerberos 4
- Some systems running services authenticated via Kerberos 5
- Systems running the Kerberized remote shell daemon (krshd)
- Systems with the Kerberos 5 ksu utility installed
- Systems with the Kerberos 5 v4rcp utility installed
Overview
The CERT Coordination Center has recently been notified of several buffer
overflow vulnerabilities in the Kerberos authentication software. The most
severe vulnerability allows remote intruders to gain root privileges on
systems running services using Kerberos authentication. If vulnerable
services are enabled on the Key Distribution Center (KDC) system, the entire
Kerberos domain may be compromised.
I. Description
There are at least four distinct vulnerabilities in various versions and
implementations of the Kerberos software. All of these vulnerabilities may
be exploited to obtain root privileges.
Buffer overflow in krb_rd_req() library function
This vulnerability is present in version 4 of Kerberos. It is also present
in version 5 (in the version 4 compatibility code). This vulnerability can
be exploited in services using version 4 or 5 when they perform version 4
authentication. This vulnerability may also be exploited locally via the
v4rcp setuid root program of Kerberos 5.
This vulnerability may be exploitable in version 4. This vulnerability is
exploitable in version 5 in conjunction with the krb425_conv_principal()
vulnerability, described below.
Buffer overflow in krb425_conv_principal() library function
This vulnerability is present in version 5's backward compatibility code.
This vulnerability is known to be exploitable in version 5 in conjunction
with an exploit of the krb_rd_req() vulnerability.
Buffer overflow in krshd
This vulnerability is only present in version 5. This vulnerability is not
related to the previous two vulnerabilities.
Buffer overflow in ksu
This vulnerability is only present in version 5, and is corrected in
krb5-1.1.1 and krb5-1.0.7-beta1. The ksu vulnerability is unrelated to the
other vulnerabilities.
The MIT Kerberos Team Advisory
The MIT Kerberos Team described these vulnerabilities in detail in an
advisory they recently issued. The text of this advisory is included below.
SUMMARY
Serious buffer overrun vulnerabilities exist in many implementations
of Kerberos 4, including implementations included for backwards
compatibility in Kerberos 5 implementations. Other less serious buffer
overrun vulnerabilities have also been discovered. ALL KNOWN KERBEROS 4
IMPLEMENTATIONS derived from MIT sources are believed to be vulnerable.
IMPACT
- A remote user may gain unauthorized root access to a machine
running services authenticated with Kerberos 4.
- A remote user may gain unauthorized root access to a machine
running krshd, regardless of whether the program is configured to accept
Kerberos 4 authentication.
- A local user may gain unauthorized root access by exploiting
v4rcp or ksu.
DETAILS
The MIT Kerberos Team has been made aware of a security vulnerability
in the Kerberos 4 compatibility code contained within the MIT Kerberos 5
source distributions. This vulnerability consists of a buffer overrun in the
krb_rd_req() function, which is used by essentially all
Kerberos-authenticated services that use Kerberos 4 for authentication. It
is possible for an attacker to gain root access over the network by
exploiting this vulnerability.
An exploit is known to exist for the Kerberized Berkeley remote shell
daemon (krshd) for at least the i386-Linux platform, and possibly others.
The extent of distribution of this exploit is unknown at this time.
Other buffer overruns have been discovered as well, though with less
far-reaching impact.
The existing exploit does not directly use the buffer overrun in
krb_rd_req(); rather, it uses the buffer that was overrun by krb_rd_req() to
exploit a second overrun in krb425_conv_principal(). The krb_rd_req() code
itself might not be exploitable once the overrun in krb425_conv_principal()
is repaired, though it is likely that some other method of exploit may be
found that does not require that an overrun exist in
krb425_conv_principal().
VULNERABLE DISTRIBUTIONS AND PROGRAMS
Source distributions which may contain vulnerable code include:
- MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
- MIT Kerberos 4 patch 10, and likely earlier releases as well
- KerbNet (Cygnus implementation of Kerberos 5)
- Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4)
Daemons or services that may call krb_rd_req() and are thus vulnerable
to remote exploit include:
krshd
klogind (if accepting Kerberos 4 authentication)
telnetd (if accepting Kerberos 4 authentication)
ftpd (if accepting Kerberos 4 authentication)
rkinitd
kpopd
In addition, it is possible that the v4rcp program, which is usually
installed setuid to root, may be exploited by a local user to gain root
access by means of exploiting the krb_rd_req vulnerability.
The ksu program in some MIT Kerberos 5 releases has a vulnerability
that may result in unauthorized local root access. This bug was fixed in
krb5-1.1.1, as well as in krb5-1.0.7-beta1. Release krb5-1.1, as well as
krb5-1.0.6 and earlier, are believed to be vulnerable.
There is an unrelated buffer overrun in the krshd that is distributed
with at least the MIT Kerberos 5 source distributions. It is not known
whether an exploit exists for this buffer overrun. It is also not known
whether this buffer overrun is actually exploitable.
WORKAROUNDS
Certain daemons that are called from inetd may be safe from
exploitation if their command line invocation is modified to exclude the use
of Kerberos 4 for authentication. Please consult the manpages or other
documentation for your Kerberos distribution in order to determine the
correct command line for disabling Kerberos 4 authentication. Daemons for
which this approach may work include:
krshd (*)
klogind
telnetd
(*) The krshd program may still be vulnerable to remote attack if
Kerberos 4 authentication is disabled, due to the unrelated buffer overrun
mentioned above. It is best to disable the krshd program completely until a
patched version can be installed.
The v4rcp program should have its setuid permission removed, since it
may be possible to perform a local exploit against it.
The krb5 ksu program should have its setuid permission removed, if it
was not compiled from krb5-1.1.1, krb5-1.0.7-beta1, or later code. Merely
replacing the ksu binary with one compiled from krb5-1.1.1 or
krb5-1.0.7-beta1 should be safe, provided that it is not compiled with
shared libraries (the vulnerability is related to some library bugs). If ksu
was compiled with shared libraries, it may be best to install a new release
that has the library bug fixed.
In the MIT Kerberos 5 releases, it may not be possible to disable
Kerberos 4 authentication in the ftpd program. Note that only releases
krb5-1.1 and later will have the ability to receive Kerberos 4
authentication.
FIXES
The best course of action is to patch the code in the krb4 library, in
addition to patching the code in the krshd program. The following patches
include some less essential patches that also affect buffer overruns in
potentially vulnerable code, but for which exploits are somewhat more
difficult to construct.
Please note that there are two sets of patches in this file that apply
against identically named files in two different releases. You should
separate out the patch set that is relevant to you prior to applying them;
otherwise, you may inadvertently patch some files twice.
MIT will soon release krb5-1.2, which will have these changes
incorporated.
PATCHES AGAINST krb5-1.0.x
The following are patches against 1.0.7-beta1 (roughly). The most
critical ones are:
appl/bsd/krshd.c
lib/krb4/rd_req.c
lib/krb5/krb/conv_princ.c
The rest are not as important but you may wish to apply them anyway
out of paranoia. These patches may apply with a little bit of fuzz against
releases prior to krb5-1.0.7-beta1, but there likely have not been
significant changes in the affected code. These patches may also apply
against KerbNet. The lib/krb4/rd_req.c patch may also apply against CNS and
MIT Kerberos 4.
[Patches to correct this issue in Kerberos version 5-1.0.x were
included at this point in the MIT advisory. The CERT Coordination Center has
made these patches available at the following link:
http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt
-- CERT/CC]
PATCHES AGAINST krb5-1.1.1
The following are patches against 1.1.1. The most critical ones are:
appl/bsd/krshd.c
lib/krb4/rd_req.c
lib/krb5/krb/conv_princ.c
IMPORTANT NOTE: If you are upgrading to krb5-1.1.1 (or krb5-1.1, but
we recommend krb5-1.1.1 if you are going to upgrade at all) and compile the
source tree with the --without-krb4 option, then you will also want to
install the patch to login.c that is also provided below.
The rest are not as important but you may wish to apply them anyway
out of paranoia.
[Patches to correct this issue in Kerberos version 5-1.1.1 were
included at this point in the MIT advisory. The CERT Coordination Center has
made these patches available at the following link:
http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt
-- CERT/CC]
ACKNOWLEDGMENTS
Thanks to Jim Paris (MIT class of 2003) for pointing out the
krb_rd_req() vulnerability.
Thanks to Nalin Dahyabhai of Redhat for pointing out some other buffer
overruns and coming up with patches.
The full text of the MIT Kerberos Team advisory is also available from:
http://web.mit.edu/kerberos/www/advisories/krb4buf.txt
II. Impact
The most significant impact of these vulnerabilities may allow a remote
intruder to gain root access to systems running vulnerable services,
including the KDC for the domain.
Buffer overflow in krb_rd_req() library function
This vulnerability may be exploited by remote users to gain root privileges
on systems running services linked against the vulnerable library. As MIT
indicated, these services include (but may not be limited to):
krshd
klogind (if accepting Kerberos 4 authentication)
telnetd (if accepting Kerberos 4 authentication)
ftpd (if accepting Kerberos 4 authentication)
rkinitd
kpopd
Local users can execute arbitrary code as root on systems where v4rcp is
installed setuid root.
Buffer overflow in krb425_conv_principal() library function
This vulnerability can be exploited by remote users in conjunction with the
krb_rd_req vulnerability to gain root privileges on systems running services
linked against the vulnerable library.
Buffer overflow in krshd
Remote users may be able to execute arbitrary code as root on systems
running a vulnerable version of krshd.
Buffer overflow in ksu
Local users can gain root privileges by exploiting the buffer overflow
in ksu.
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory. We
will update the appendix as we receive more information. If you do not see
your vendor's name, the CERT/CC did not hear from that vendor. Please
contact your vendor directly.
Apply the MIT patches
If you are running the Kerberos 5 distribution from MIT, and can rebuild
your binaries from source, you can apply the source code patches from MIT to
correct these problems.
If you are running Kerberos version 4, you may be able to patch your source
code based on the version 5 patch provided by MIT. Only the patches for the
krb_rd_req() vulnerability need to be applied to version 4 to address the
issues described in this advisory.
With either version, you will need to recompile the libraries and the
vulnerable programs (krshd and ksu). You will also need to recompile any
programs that have been statically linked with the vulnerable libraries. In
version 4, you should also recompile the KDC server software.
These patches are available at:
http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt
http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt
Disable version 4 authentication in version 5 if possible
As suggested by MIT, version 4 authentication in some daemons can be
disabled at run time by supplying command line options to these programs
when started by inetd. This approach may work for the following daemons:
krshd
klogind
telnetd
This addresses the krb_rd_req() and krb425_conv_principal() vulnerabilities.
Note that krshd may still be vulnerable to the krshd specific vulnerability
described in this document.
Upgrade to MIT Kerberos 5 version 1.2
The vulnerabilities described in this advisory will be addressed in Kerberos
5 version 1.2. This version will be available from the MIT Kerberos web
site:
http://web.mit.edu/kerberos/www/
Appendix A. Vendor Information
FreeBSD, Inc.
FreeBSD is not vulnerable by default, even for users who choose to install
the Kerberos distributions (FreeBSD uses KTH Kerberos, not MIT). There is a
port of MIT Kerberos 5 in the FreeBSD Ports Collection which was vulnerable
to this problem and has been corrected as of 2000/05/17. A FreeBSD Security
Advisory will be forthcoming.
IBM Corporation
The following APAR's are available for this vulnerability:
- AIX 4.3.x:
  - IY10787
  - IY11450
  - IY10505
- RS/6000 SP:
  - PSSP 2.2: IY10657
  - PSSP 2.3: IY10523
  - PSSP 2.4: IY10658
  - PSSP 3.1.1: IY10630
IBM AFS does not use the functions mentioned in this advisory and therefore
is not vulnerable.
Microsoft Corporation
No Microsoft products are affected by this vulnerability.
MIT Kerberos
The MIT Kerberos Team advisory on this topic is available from:
http://web.mit.edu/kerberos/www/advisories/krb4buf.txt
NetBSD
NetBSD has two codebases for crypto software, a legacy of the US's export
laws until recently (and also some patent issues).
The crypto-intl tree intended for use by those outside the US was not
affected.
For the crypto-us tree,
- krb5 was not affected
- krb4 was affected, and has been fixed in NetBSD-current since Jeff's
announcement; this fix is making its way into the 1.4.x release branch. We
will release an advisory and patches shortly.
In summary, users of NetBSD releases 1.4.2 and earlier or -current up until
yesterday, who have installed the crypto-us "secr" set and who have enabled
kerberos4, are vulnerable.
OpenBSD
OpenBSD uses the KTH Kerberos distribution, which has been reported to be
not vulnerable.
Washington University
We do not distribute any "default" binaries which use Kerberos. In order to
get Kerberos support, you must rebuild the software specifically to use
Kerberos (the default build will not use Kerberos).
We believe that the University of Washington IMAP and POP3 servers are not
vulnerable. The message from MIT specifically stated that the problem was in
the Kerberos 4 routines from MIT.
Kerberos support in these servers is based upon Kerberos 5, not Kerberos 4.
UW imapd/ipop3d only uses GSSAPI and Kerberos 5 calls; Kerberos 4 routines
are never called.
There is an unsupported, contributed-code module for Kerberos 4 available in
our software, but that is client only. We are not aware of the existence
of any Kerberos 4 server code for UW imapd/ipop3d.
----------------------------------------------------------------------------
The CERT Coordination Center thanks Jeff Schiller and the MIT Kerberos Team
for notifying us about this problem and their help in developing this
advisory.
----------------------------------------------------------------------------
Cory Cohen and Jeff Havrilla were the primary authors of the CERT/CC portions
of this document.
----------------------------------------------------------------------------
This document is available from:
http://www.cert.org/advisories/CA-2000-06.html
----------------------------------------------------------------------------
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other hours,
on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web
site http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins, send
email to majordomo@cert.org. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and
Trademark Office.
----------------------------------------------------------------------------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as to
any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained from
use of the material. Carnegie Mellon University does not make any warranty of
any kind with respect to freedom from patent, trademark, or copyright
infringement.
----------------------------------------------------------------------------
Conditions for use, disclaimers, and sponsorship information
Copyright 2000, 2001 Carnegie Mellon University, portions Copyright 2000 MIT
University.
Revision History
May 17, 2000: Initial release
May 18, 2000: FreeBSD response added
June 27, 2000: IBM response added
September 14, 2001: IBM response addendum
--
Joe Richards
www.joeware.net
---
"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:OkausuBhCHA.1364@tkmsftngp12...
> A previous post here in the past week suggested that it was not vulnerable.
> You can probably find it by searching this newsgroup or
> microsoft.public.security or www.google.com/advanced_group_search
>
> "Bjørn Lunde" <bjornlunde@hotmail.com> wrote in message
> news:563601c283e6$867d71c0$36ef2ecf@tkmsftngxa12...
> Hello all
>
> Does anyone know if the buffer overflow vulnerability in
> kerberos 4 and 5 has any bearing on the Kerberos
> implementation in windows 2000?
>
> I have searched Microsoft's security bulletins, but found
> nothing.
>
> A description of the vulnerability can be found at:
> http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
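As an added example (not code from the advisory, MIT, or anyone in this thread), a POSIX shell audit for the two workarounds the advisory gives: setuid v4rcp/ksu binaries that should lose the bit, and Kerberos daemons still started from inetd that need their Kerberos 4 authentication disabled (or, for krshd, the service disabled). The install prefix and the inetd.conf path are assumptions passed in by the caller; the real locations vary by distribution.

```sh
#!/bin/sh
# Added example, not part of the CERT/MIT advisory: audit a host for the
# CA-2000-06 workarounds. PREFIX and INETD_CONF are caller-supplied assumptions.

# Print every setuid file named ksu or v4rcp below PREFIX. The advisory says the
# setuid bit should be removed from v4rcp, and from ksu unless it was built from
# krb5-1.1.1 / krb5-1.0.7-beta1 or later (a question this script cannot answer).
find_setuid_krb() {
    find "$1" -type f \( -name ksu -o -name v4rcp \) -perm -4000 2>/dev/null || true
}

# Print active (uncommented) inetd.conf lines that launch one of the daemons the
# advisory lists as calling krb_rd_req(). This is a heuristic on the program
# name in the line; review each hit against the daemon's own documentation.
krb4_inetd_entries() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep -E '(^|[/[:space:]])(krshd|klogind|telnetd|ftpd|rkinitd|kpopd)([[:space:]]|$)' \
        || true
}

# Report to stdout; return 0 when nothing was found, 1 when something needs action.
audit_krb_host() {
    prefix=$1; inetd_conf=$2; status=0
    suid=$(find_setuid_krb "$prefix")
    if [ -n "$suid" ]; then
        echo "setuid Kerberos binaries (remove the bit or rebuild from patched source):"
        echo "$suid"
        status=1
    fi
    entries=$(krb4_inetd_entries "$inetd_conf")
    if [ -n "$entries" ]; then
        echo "inetd entries to review (disable Kerberos 4 auth; disable krshd entirely):"
        echo "$entries"
        status=1
    fi
    return $status
}

# Usage: audit.sh /usr/local /etc/inetd.conf  (paths are examples, not fixed)
if [ "$#" -eq 2 ]; then
    audit_krb_host "$1" "$2"
fi
```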