Kerberos 4 Key Server Session Key Masquerade

1996-02-21T00:00:00
ID OSVDB:4880
Type osvdb
Reporter OSVDB
Modified 1996-02-21T00:00:00

Description

Vulnerability Description

An attacker queries a Kerberos server with a valid Kerberos username and realm, then runs a dictionary attack on the Ticket Granting Ticket (TGT) returned. Because all TGTs contain the string "krbtgt", once the attacker finds this string in a decrypted packet he knows he has found the key for the username given.

This exploit requires that the attacker already possess a valid username and know the Kerberos realm. A separate exploit is available which allows the attacker to determine this information. The two indirect references above reference this information-gathering method.

Solution Description

Upgrade to Kerberos version 5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Other Advisory URL: http://www.securityfocus.com/advisories/579
ISS X-Force ID: 64
CVE-1999-0143
CERT: CA-1996-03
Bugtraq ID: 2351