MIT Kerberos 5 RPC library RPCSEC_GSS buffer overflow

2007-12-03T00:00:00
ID SAINT:B2FAAF96F724892FF09F8E2FBC95C803
Type saint
Reporter SAINT Corporation
Modified 2007-12-03T00:00:00

Description

Added: 12/03/2007
CVE: CVE-2007-3999
BID: 25534
OSVDB: 37324

Background

Kerberos is a network authentication protocol which provides strong authentication for client/server applications. MIT Kerberos 5 is a free implementation of this protocol.

Problem

A buffer overflow in the svcauth_gss_validate function in the MIT Kerberos 5 RPC library allows remote attackers to execute arbitrary commands by sending a specially crafted RPCSEC_GSS authentication context to the Kerberos administration daemon (kadmind).

Resolution

Upgrade to krb5-1.5.5, krb5-1.6.3, or a later release, or apply the patch provided in MIT krb5 Security Advisory 2007-006. Alternatively, apply a fix from your operating system vendor.

References

<http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt>
<http://www.zerodayinitiative.com/advisories/ZDI-07-052.html>

Limitations

Exploit works on MIT Kerberos 5 krb5-1.5.4 on Red Hat Enterprise Linux 4 Update 4 with ExecShield disabled.

Platforms

Linux