MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow

2007-06-26T00:00:00
ID SECURITYVULNS:DOC:17360
Type securityvulns
Reporter Securityvulns
Modified 2007-06-26T00:00:00

Description


             MIT krb5 Security Advisory 2007-005

Original release: 2007-06-26
Last update: 2007-06-26

Topic: kadmind vulnerable to buffer overflow

Severity: CRITICAL

CVE: CVE-2007-2798
CERT: VU#554257

SUMMARY

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow.

Exploitation of overflows of stack buffers is known to be simple. We have received a proof-of-concept exploit which may invoke a shell, but we believe that this exploit is not publicly circulated.

This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos protocol.

IMPACT

An authenticated remote user may be able to cause a host running kadmind to execute arbitrary code.

Successful exploitation can compromise the Kerberos key database and host security on the KDC host. (kadmind typically runs as root.) Unsuccessful exploitation attempts will likely result in kadmind crashing.

AFFECTED SOFTWARE

  • kadmind from MIT releases up to and including krb5-1.6.1

FIXES

  • The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4 maintenance release, will contain fixes for this vulnerability.

Prior to that release you may:

  • apply the patch

This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite. The krb5-1.6.1 and krb5-1.5.3 releases already contain the prerequisite patch.

This patch is also available at

http://web.mit.edu/kerberos/advisories/2007-005-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc

src/kadmin/server/server_stubs.c (revision 20024) - --- src/kadmin/server/server_stubs.c (local) ** 545,557 static generic_ret ret; char prime_arg1, prime_arg2; - - char prime_arg[BUFSIZ]; gss_buffer_desc client_name, service_name; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t rp; char *errmsg;

  xdr_free(xdr_generic_ret, &ret);
  • --- 545,558 ---- static generic_ret ret; char prime_arg1, prime_arg2; gss_buffer_desc client_name, service_name; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t rp; char errmsg;
  • size_t tlen1, tlen2, clen, slen;
  • char tdots1, tdots2, cdots, sdots;

    xdr_free(xdr_generic_ret, &ret);
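Review bot: the first hunk (545,557) drops `char prime_arg[BUFSIZ]` and adds `size_t tlen1, tlen2, clen, slen` plus the `tdots1`, `tdots2`, `cdots`, `sdots` flags, but the `*` characters have evidently been eaten by the rendering of this copy (`char prime_arg1, prime_arg2;`, `char errmsg;`, `(void )handle`, `%.s%s`), so the patch as displayed here would not compile; apply the signed patch from the URL above rather than this text, and read `%.s` as `%.*s` and the `tdots` variables as `char *` throughout the remaining hunks.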


572,578 * ret.code = KADM5_BAD_PRINCIPAL; goto exit_func; } ! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);

  ret.code = KADM5_OK;
  if (! CHANGEPW_SERVICE(rqstp)) {
  • --- 573,586 ---- ret.code = KADM5_BAD_PRINCIPAL; goto exit_func; } ! tlen1 = strlen(prime_arg1); ! trunc_name(&tlen1, &tdots1); ! tlen2 = strlen(prime_arg2); ! trunc_name(&tlen2, &tdots2); ! clen = client_name.length; ! trunc_name(&clen, &cdots); ! slen = service_name.length; ! trunc_name(&slen, &sdots);

    ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) {
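Review bot: the second hunk (572,578) replaces the `sprintf(prime_arg, "%s to %s", ...)` with four length computations that each go through `trunc_name()`, but `trunc_name` is defined nowhere in this patch; presumably it is what the MITKRB5-SA-2007-002 prerequisite named above supplies, in which case a tree without that patch fails to compile here rather than silently keeping the old `sprintf`, which is the right failure mode. A one-line comment next to the `size_t tlen1, tlen2, clen, slen;` declaration saying that the lengths are clamped by `trunc_name` before being used as `%.*s` precisions would make the invariant explicit for the next person touching the logging.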


    590,597 } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! log_unauth("kadm5_rename_principal", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_rename_principal((void )handle, arg->src, arg->dest); - --- 598,612 ---- } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! krb5_klog_syslog(LOG_NOTICE, ! "Unauthorized request: kadm5_rename_principal, " ! "%.s%s to %.s%s, " ! "client=%.s%s, service=%.s%s, addr=%s", ! tlen1, prime_arg1, tdots1, ! tlen2, prime_arg2, tdots2, ! clen, client_name.value, cdots, ! slen, service_name.value, sdots, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_rename_principal((void )handle, arg->src, arg->dest); ** 600,607 * else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

! log_done("kadm5_rename_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); free(prime_arg1); - --- 615,629 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);

! krb5_klog_syslog(LOG_NOTICE, ! "Request: kadm5_rename_principal, " ! "%.s%s to %.s%s, %s, " ! "client=%.s%s, service=%.s%s, addr=%s", ! tlen1, prime_arg1, tdots1, ! tlen2, prime_arg2, tdots2, errmsg, ! clen, client_name.value, cdots, ! slen, service_name.value, sdots, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); free(prime_arg1);
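Review bot: in the third hunk (590,597) the inlined `krb5_klog_syslog` call passes `tlen1`, `tlen2`, `clen` and `slen`, declared `size_t` in the first hunk, as the `.*` precision arguments, but a `*` precision in a printf-style format is fetched as `int`; passing a `size_t` through varargs for it is a type mismatch that happens to work on common LP64 little-endian targets and can read the wrong half of the slot elsewhere. Cast each at the call, e.g. `(int)tlen1, prime_arg1, tdots1,`; since `trunc_name` has already bounded the values, the cast is harmless.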
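Review bot: the fourth hunk (600,607) repeats the format string and argument list of the third hunk almost verbatim, the only differences being the `Request:` versus `Unauthorized request:` prefix and the extra `%s, ` for `errmsg`, and the same rewrite will be needed for every other stub that formatted a `prime_arg` for `log_done`/`log_unauth`; a helper taking the already-clamped (length, string, dots) triples would keep the `%.*s` discipline in one place instead of being re-derived per call site. Also, `errmsg` is only assigned in the `else` branch visible here; confirm that the `if` branch just outside this hunk sets it on every path before the `%s` reads it.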

REFERENCES

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-2798 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798

CERT: VU#554257 http://www.kb.cert.org/vuls/id/554257

ACKNOWLEDGMENTS

We thank iDefense for the initial notification. iDefense credits an anonymous discoverer.

DETAILS

The kadmind code which performs the principal renaming operation passes unchecked string arguments to a sprintf() call which has a fixed-size stack buffer as its destination. These strings are the old and new principal names passed to the rename operation. The attacker needs to authenticate to kadmind to perform this attack, but no administrative privileges are required because the vulnerable code executes prior to privilege verification.
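The unchecked pattern described above and the bounded form the patch moves to, as an added illustration in C that is not MIT's code; FIXED_BUF, MAXPRINCLEN and the function names are assumed stand-ins, and rename_msg_needed only computes the size the unchecked sprintf would have written rather than performing it:

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not MIT's code. The pre-patch kadmind pattern was
 * sprintf(prime_arg, "%s to %s", src, dst) into char prime_arg[BUFSIZ];
 * the sizes below are assumed stand-ins, not krb5's real constants. */
#define FIXED_BUF   64   /* stands in for BUFSIZ */
#define MAXPRINCLEN 40   /* cap applied to each principal name */

/* Bytes the unchecked sprintf would write, NUL included. Computed rather
 * than performed, so the overflow condition can be checked safely. */
size_t rename_msg_needed(const char *src, const char *dst)
{
    return strlen(src) + strlen(" to ") + strlen(dst) + 1;
}

/* Same idea as the patch's trunc_name(): clamp a length and flag it. */
static void trunc_name(size_t *len, const char **dots)
{
    *dots = (*len > MAXPRINCLEN) ? "..." : "";
    if (*len > MAXPRINCLEN)
        *len = MAXPRINCLEN;
}

/* Hardened form: per-field %.*s precision plus a bounded snprintf, so the
 * output never exceeds outsz whatever the principal lengths are. Returns
 * the length the untruncated message would have (snprintf semantics). */
int format_rename_safe(char *out, size_t outsz,
                       const char *src, const char *dst)
{
    size_t l1 = strlen(src), l2 = strlen(dst);
    const char *d1, *d2;
    trunc_name(&l1, &d1);
    trunc_name(&l2, &d2);
    /* %.*s takes an int precision: cast the size_t explicitly. */
    return snprintf(out, outsz, "%.*s%s to %.*s%s",
                    (int)l1, src, d1, (int)l2, dst, d2);
}

/* Constructed oversized principal (100 'A's + realm), for the checks. */
const char *long_principal(void)
{
    static char name[128];
    memset(name, 'A', 100);
    strcpy(name + 100, "@EXAMPLE.COM");
    return name;
}
```

With the constructed 112-byte principal, rename_msg_needed reports 132 bytes against a 64-byte buffer, while format_rename_safe emits a 62-byte line that stays inside whatever buffer it is given.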

REVISION HISTORY

2007-06-26 original release

Copyright (C) 2007 Massachusetts Institute of Technology