MIT krb5 Security Advisory 2005-003
Original release: 2005-07-12
Topic: double-free in krb5_recvauth
Severity: CRITICAL
The krb5_recvauth() function can free previously freed memory under
some error conditions. This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm. No exploit code is known to exist at this time. Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689, VU#623332]
An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth(). This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm. Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.
The kpropd daemon in all releases of MIT krb5, up to and including
krb5-1.4.1, is vulnerable.
The klogind and krshd remote-login daemons in all releases of MIT
krb5, up to and including krb5-1.4.1, are vulnerable.
Third-party application programs which call krb5_recvauth() are also
vulnerable.
The upcoming krb5-1.4.2 release will have a fix for this
vulnerability.
Apply the following patch. This patch was generated against the
krb5-1.4.1 release. It may apply, with some offset, to earlier
releases.
The patch may also be found at:
http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c 3 Sep 2002 01:13:47 -0000 5.38
— lib/krb5/krb/recvauth.c 23 May 2005 23:19:15 -0000
*** 76,82****
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
if (strcmp(inbuf.data, sendauth_version)) {
krb5_xfree(inbuf.data);
problem = KRB5_SENDAUTH_BADAUTHVERS;
}
krb5_xfree(inbuf.data);
— 76,81 ----
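Review bot: removing the `krb5_xfree(inbuf.data);` inside the `if (strcmp(inbuf.data, sendauth_version))` branch is the right fix for this location, since the unconditional `krb5_xfree(inbuf.data);` after the closing brace already releases the buffer on both the match and the mismatch paths, so after this hunk the buffer is freed exactly once. One thing to confirm while here: the `return(retval);` path immediately after `krb5_read_message()` does not free `inbuf.data`, which is only correct if `krb5_read_message()` leaves the buffer unallocated on failure.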
*** 90,96****
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
if (appl_version && strcmp(inbuf.data, appl_version)) {
krb5_xfree(inbuf.data);
if (!problem)
problem = KRB5_SENDAUTH_BADAPPLVERS;
}
— 89,94 ----
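Review bot: this hunk drops the `krb5_xfree(inbuf.data);` in the `appl_version` mismatch branch, but its context ends at the closing brace, so the unconditional free the fix relies on is not visible in the hunk; confirm that it is still present after the old line 96 (the advisory text states that each `krb5_read_message()` call is followed by an unconditional `krb5_xfree()`), otherwise the mismatch path would now leak the buffer rather than double-free it. Keeping the `if (!problem)` guard is correct: a bad sendauth version reported by the first check still takes precedence over a bad application version.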
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVE: CAN-2005-1689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689
CERT: VU#623332
http://www.kb.cert.org/vuls/id/623332
Thanks to Magnus Hagander for reporting this vulnerability.
The helper function recvauth_common() in lib/krb5/krb/recvauth.c has
two locations which call krb5_read_message(), each followed by an
unconditional krb5_xfree() of the buffer allocated by
krb5_read_message(). In the cases where the sendauth version string
or the application version string does not match the expected value,
recvauth_common() also performs a krb5_xfree() on that buffer before
reaching the subsequent unconditional krb5_xfree() on the same
buffer, so the buffer is freed twice.
Since the code paths which call krb5_xfree() twice do so with almost
no intervening code, exploitation of this vulnerability may be more
difficult than exploitation of other double-free vulnerabilities. No
detailed analysis has been performed on the ease of exploitation.
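The following is an added illustration, not MIT krb5 code, of the pattern described in the summary and in the details above: a simplified, hypothetical stand-in for the version check in recvauth_common(), shown in its pre-patch shape (a free inside the mismatch branch followed by an unconditional free) beside its patched shape (a single trailing free). A small free-tracking wrapper (tracked_free(), constructed for this example) counts how often each buffer is released and suppresses the second real free, so the double free is reported as a count of 2 rather than corrupting the heap. The version strings used are constructed and are not the real sendauth values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed error codes standing in for KRB5_SENDAUTH_BADAUTHVERS etc. */
#define SENDAUTH_BADAUTHVERS 1

/* Free tracker (hypothetical helper): records how many times each pointer is
 * passed to tracked_free() and only calls free() the first time, so a double
 * free becomes an observable count instead of undefined behaviour. */
#define MAX_TRACKED 16
static uintptr_t tracked_ptrs[MAX_TRACKED];
static int tracked_counts[MAX_TRACKED];
static int tracked_n;

static void tracked_reset(void) { tracked_n = 0; }

static void tracked_free(void *p) {
    uintptr_t key = (uintptr_t)p;
    for (int i = 0; i < tracked_n; i++) {
        if (tracked_ptrs[i] == key) {
            tracked_counts[i]++;          /* repeated free: count it, do not free */
            return;
        }
    }
    if (tracked_n < MAX_TRACKED) {
        tracked_ptrs[tracked_n] = key;
        tracked_counts[tracked_n] = 1;
        tracked_n++;
    }
    free(p);                              /* first free: actually release */
}

/* Highest free count seen for any buffer; 2 means a double free occurred. */
static int tracked_max_frees(void) {
    int m = 0;
    for (int i = 0; i < tracked_n; i++)
        if (tracked_counts[i] > m) m = tracked_counts[i];
    return m;
}

/* Stand-in for krb5_read_message(): returns a heap copy of the peer's bytes. */
static char *read_message(const char *wire) {
    size_t n = strlen(wire) + 1;
    char *buf = malloc(n);
    if (buf) memcpy(buf, wire, n);
    return buf;
}

/* Pre-patch shape: the mismatch branch frees the buffer, and the
 * unconditional free after the if frees the same buffer again. */
static int check_version_vulnerable(const char *wire, const char *expected) {
    int problem = 0;
    char *buf = read_message(wire);
    if (!buf) return -1;
    if (strcmp(buf, expected)) {
        tracked_free(buf);                /* first free on the mismatch path */
        problem = SENDAUTH_BADAUTHVERS;
    }
    tracked_free(buf);                    /* second free on the mismatch path */
    return problem;
}

/* Patched shape: the inner free is gone; the single trailing free covers
 * both the match and the mismatch paths, so every buffer is freed once. */
static int check_version_fixed(const char *wire, const char *expected) {
    int problem = 0;
    char *buf = read_message(wire);
    if (!buf) return -1;
    if (strcmp(buf, expected))
        problem = SENDAUTH_BADAUTHVERS;
    tracked_free(buf);
    return problem;
}

/* Runs one check on constructed input and reports how many times its
 * buffer was freed (1 = correct, 2 = double free). */
static int frees_for(int (*check)(const char *, const char *),
                     const char *wire, const char *expected) {
    tracked_reset();
    check(wire, expected);
    return tracked_max_frees();
}

int main(void) {
    /* Constructed version strings; a mismatch exercises the faulty path. */
    printf("vulnerable, mismatch: freed %d time(s)\n",
           frees_for(check_version_vulnerable, "EXAMPLE_V1", "EXAMPLE_V2"));
    printf("vulnerable, match:    freed %d time(s)\n",
           frees_for(check_version_vulnerable, "EXAMPLE_V1", "EXAMPLE_V1"));
    printf("fixed, mismatch:      freed %d time(s)\n",
           frees_for(check_version_fixed, "EXAMPLE_V1", "EXAMPLE_V2"));
    return 0;
}
```

The counting wrapper is the same idea that tools such as a debug allocator or AddressSanitizer use to flag a double free: the first release is legitimate, and any later release of the same address is the bug. Note that the matching-version path is identical in both shapes; only the error path differs, which is why the advisory describes the fault as reachable "under some error conditions".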
2005-05-12 original release
Copyright (C) 2005 Massachusetts Institute of Technology