Kerberos4 Compatibility Administration Daemon Overflow

2002-10-21T00:00:00
ID OSVDB:4870
Type osvdb
Reporter Sam Hartman (hartmans@mit.edu), Tom Yu (tlyu@mit.edu), Love Hornquist-Astrand (lha@netbsd.org), Johan Danielsson (joda@pdc.kth.se)
Modified 2002-10-21T00:00:00

Description

Vulnerability Description

A remote overflow exists in several implementations of Kerberos 4 and in the legacy Kerberos 4 compatibility code of Kerberos 5 distributions. The kadmind daemon fails to do proper bounds checking, resulting in a stack overflow. With a specially crafted request, an attacker can cause the daemon to execute arbitrary commands on the server, resulting in a loss of integrity.
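The defect class described above is a request field whose claimed length is copied into a fixed-size stack buffer without being checked. The following is an added illustration, written for this entry and not code from MIT Kerberos, Heimdal or eBones: a hypothetical length-prefixed request parser (`parse_request`, buffer size `REQ_NAME_MAX`, the packet layout and all sample packets are constructed for the example) that performs the two checks such a daemon needs, one against the packet actually received and one against the destination buffer, and rejects the request when either fails.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed buffer size; the real daemons' sizes are not given here. */
#define REQ_NAME_MAX 40

/* Hypothetical wire format: [1-byte length][length bytes of principal name]. */
typedef struct {
    char name[REQ_NAME_MAX + 1];   /* +1 for the terminating NUL */
} parsed_req;

/*
 * Parse one request into a caller-supplied (possibly stack-allocated) struct.
 * Returns 0 on success, -1 when the request is malformed.
 *
 * Without the two length checks below, memcpy() would copy an attacker-chosen
 * number of bytes into a fixed buffer, which is exactly the stack overflow
 * this entry describes.
 */
int parse_request(const uint8_t *pkt, size_t pkt_len, parsed_req *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 1)
        return -1;

    size_t claimed = pkt[0];

    /* Check 1: the claimed length must not exceed the bytes actually received. */
    if (claimed > pkt_len - 1)
        return -1;

    /* Check 2: the claimed length must fit the destination buffer. */
    if (claimed > REQ_NAME_MAX)
        return -1;

    memcpy(out->name, pkt + 1, claimed);
    out->name[claimed] = '\0';
    return 0;
}

int main(void)
{
    parsed_req req;   /* lives on the stack, like the buffer in the advisory */

    /* Constructed sample: a well-formed request naming "admin". */
    const uint8_t good[] = { 5, 'a', 'd', 'm', 'i', 'n' };
    printf("good request    -> %d (%s)\n", parse_request(good, sizeof good, &req), req.name);

    /* Constructed sample: length field larger than the packet. */
    const uint8_t truncated[] = { 200, 'x', 'y' };
    printf("truncated       -> %d\n", parse_request(truncated, sizeof truncated, &req));

    /* Constructed sample: enough bytes on the wire, but more than the buffer holds. */
    uint8_t oversized[64];
    memset(oversized, 'A', sizeof oversized);
    oversized[0] = 60;
    printf("oversized       -> %d\n", parse_request(oversized, sizeof oversized, &req));
    return 0;
}
```

The second check is the one that matters for this class of bug: a packet can be entirely self-consistent (its length byte matches the bytes received) and still be larger than the buffer it is copied into, so validating against the packet alone is not enough.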

Technical Description

An attacker does not need to be authenticated to exploit this vulnerability. A successful attack would yield remote root privileges on the system, because the affected daemon runs as root. Several reports advise that at least one exploit is actively being used in the wild.

Solution Description

Refer to vendor and/or distribution specific corrective actions. KTH Heimdal users may upgrade to 0.5.1 and/or eBones 1.2.1 or higher, as it has been reported to fix this vulnerability. MIT and Heimdal released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround:

  • In Kerberos 5 implementations, disable support for the legacy Kerberos 4 administration protocol.

Short Description

A remote overflow exists in several implementations of Kerberos 4 and in the legacy Kerberos 4 compatibility code of Kerberos 5 distributions. The kadmind daemon fails to do proper bounds checking, resulting in a stack overflow. With a specially crafted request, an attacker can cause the daemon to execute arbitrary commands on the server, resulting in a loss of integrity.

References:

  • Vendor Specific Advisory URL
  • Vendor Specific Advisory URL
  • RedHat RHSA: RHSA-2002:250
  • RedHat RHSA: RHSA-2002:242
  • Other Advisory URL: http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-073.php
  • Other Advisory URL: http://www.debian.org/security/2002/dsa-185
  • Other Advisory URL: http://www.debian.org/security/2002/dsa-184
  • Other Advisory URL: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000534
  • Other Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc
  • Other Advisory URL: http://www.debian.org/security/2002/dsa-183
  • Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-10/0399.html
  • Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103582805330339&w=2
  • Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103564944215101&w=2
  • Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103582517126392&w=2
  • Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103539530729206&w=2
  • Keyword: krb4, krb5, kadmind4
  • ISS X-Force ID: 10430
  • Generic Informational URL: http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt
  • CVE: CVE-2002-1235
  • CERT VU: 875073
  • CERT: CA-2002-29
  • Bugtraq ID: 6024