CERT VU#580124
Aug 08, 2006 - 12:00 a.m.

MIT Kerberos (krb5) krshd and v4rcp do not properly validate setuid() or seteuid() calls

2006-08-08 00:00:00
www.kb.cert.org

CVSS2: 7.2 High

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 14.3%

Overview

Privilege escalation vulnerabilities in MIT krb5 krshd and v4rcp may allow an authenticated attacker to execute arbitrary code.

Description

The MIT krb5 krshd and v4rcp programs contain multiple privilege escalation vulnerabilities. MIT krb5 Security Advisory 2006-001 states that the vulnerabilities “…result when the OS implementations of setuid() or seteuid() can fail due to resource exhaustion when changing to an unprivileged user ID.”

From MIT krb5 Security Advisory 2006-001:

The following vulnerabilities may result from unchecked calls to setuid(), and are believed to only exist on Linux and AIX:

* _Unchecked calls to setuid() in krshd may allow a local privilege escalation leading to execution of programs as root._
* _Unchecked calls to setuid() in the v4rcp may allow a local privilege escalation leading to reading, writing, or creating files as root. v4rcp is the remote end of a krb4-authenticated rcp operation, but may be executed directly by an attacker, as it is a setuid program._  
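The failure mode quoted above, shown as an added C example that is not taken from the krb5 source or its patches: an unchecked privilege drop beside one that fails closed and verifies the result. The function names, the injected `setuid_fn` pointer, the two stubs and the use of `EAGAIN` as the errno value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as setuid(); passing the call in lets the failure path be
 * exercised without root and without exhausting any real resource. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stub: setuid() failing (EAGAIN is an assumed errno value). */
int stub_setuid_fails(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Constructed stub: reports success but leaves the process IDs untouched. */
int stub_setuid_noop(uid_t uid) { (void)uid; return 0; }

/* Unchecked pattern: the return value is discarded, so the caller goes on
 * to do the user's work with whatever IDs it still holds.
 * Returns 1 to show that execution continues regardless. */
int drop_unchecked(setuid_fn do_setuid, uid_t target) {
    do_setuid(target);
    return 1;
}

/* Checked pattern: fail closed on error, then confirm the real and
 * effective IDs really are the target. Returns 0 only on a verified drop. */
int drop_checked(setuid_fn do_setuid, uid_t target) {
    if (do_setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void) {
    uid_t me = getuid();
    printf("unchecked, setuid fails: continues=%d\n",
           drop_unchecked(stub_setuid_fails, me));
    printf("checked, setuid fails:   %d\n",
           drop_checked(stub_setuid_fails, me));
    printf("checked, IDs unchanged:  %d\n",
           drop_checked(stub_setuid_noop, me + 1));
    return 0;
}
```

In a real daemon the caller passes `setuid` itself and exits on any non-zero result from `drop_checked` before running anything on the user's behalf.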

Impact

An authenticated, remote attacker may be able to execute arbitrary code with root privileges.


Solution

Apply a patch or upgrade

From MIT krb5 Security Advisory 2006-001: “The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes for these vulnerabilities.” MIT has also released patches for krb5-1.5 and krb5-1.4.3. See the Systems Affected section of this document for information about specific vendors.


Disable vulnerable programs

From MIT krb5 Security Advisory 2006-001: “Disable krshd and v4rcp, and remove the setuid bit from the ksu binary and the ftpd binary.”


Vendor Information


Gentoo Linux Affected

Notified: July 28, 2006 Updated: August 16, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See Gentoo Linux Security Advisory GLSA 200608-15 for more details.


IBM Corporation Affected

Notified: August 08, 2006 Updated: August 08, 2006

Status

Affected

Vendor Statement

Kerberos is available for AIX via Network Authentication Service. Network Authentication Service is not affected by the issues mentioned in CERT Vulnerability Notes VU#580124 (CVE-2006-3083) and VU#401660 (CVE-2006-3084).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MIT Kerberos Development Team Affected

Updated: August 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MIT krb5 Security Advisory 2006-001.


Apple Computer, Inc. Not Affected

Notified: July 28, 2006 Updated: August 18, 2006

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server are not susceptible to the issues described in this vulnerability note.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

AttachmateWRQ, Inc. Not Affected

Notified: July 28, 2006 Updated: August 23, 2006

Status

Not Affected

Vendor Statement

No versions of the Attachmate Reflection Kerberos Client are subject to these privilege escalation vulnerabilities. The Reflection Kerberos Client is not based on the MIT code base and runs only on Microsoft Windows operating systems.

For the latest Attachmate security update information, Attachmate recommends you regularly check the Security Updates and Reflection web page at: <http://support.wrq.com/techdocs/1708.html>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Not Affected

Notified: July 28, 2006 Updated: August 08, 2006

Status

Not Affected

Vendor Statement

Juniper Networks products are not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CyberSafe, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified: July 28, 2006 Updated: August 24, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See Debian Security Advisory DSA-1146-1 for more details.


EMC, Inc. (formerly Data General Corporation) Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Heimdal Kerberos Project Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

KTH Kerberos Team Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc. Unknown

Notified: July 28, 2006 Updated: August 24, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See Mandriva advisory MDKSA-2006:139 for more details.


Microsoft Corporation Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: July 28, 2006 Updated: July 28, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Acknowledgements

These vulnerabilities were reported by the MIT Kerberos Development Team.

This document was written by Ryan Giobbi and Art Manion.

Other Information

CVE IDs: CVE-2006-3083
Severity Metric: 6.91 Date Public:
