Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [Full-disclosure] iDefense Security Advisory 06.26.07: Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability



> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf 
> Of iDefense Labs
> Sent: Tuesday, June 26, 2007 10:46 PM
> To: vulnwatch@xxxxxxxxxxxxx; 
> full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] iDefense Security Advisory 
> 06.26.07: Multiple Vendor Kerberos kadmind Rename Principal 
> Buffer Overflow Vulnerability
> 
> Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow
> Vulnerability
> 
> iDefense Security Advisory 06.26.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Jun 26, 2007
> 
> I. BACKGROUND
> 
> Kerberos is a network authentication protocol used in client-server
> systems to provide user authentication by using a ticket-based system.
> kadmind is the Kerberos administration server and is used to configure
> principals and policies on the Kerberos server, such as changing a
> password. More information can be found via the URL shown below.
> 
> http://www.mit.edu/afs/athena/astaff/project/kerberos/
> 
> II. DESCRIPTION
> 
> Remote exploitation of a buffer overflow vulnerability within MIT
> Kerberos kadmind allows attackers to execute arbitrary code with the
> privileges of the running service, usually root.
> 
> The vulnerability specifically exists within the code responsible for
> handling requests to rename principals. The rename_principal_2_svc
> function fails to properly bounds-check user-supplied data before
> copying it to a fixed-size stack buffer. The vulnerable code is shown
> below.
> 
>   542 generic_ret *
>   543 rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
>   544 {
>   545     static generic_ret          ret;
>   546     char                        *prime_arg1,
>   547                                 *prime_arg2;
>   548     char                        prime_arg[BUFSIZ];
>   ...
>   570     if (krb5_unparse_name(handle->context, arg->src, 
> &prime_arg1) ||
>   571         krb5_unparse_name(handle->context, arg->dest, 
> &prime_arg2)) {
>   572          ret.code = KADM5_BAD_PRINCIPAL;
>   573          goto exit_func;
>   574     }
>   575     sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
> 
> On lines 570 and 571 attacker supplied data is extracted from the
> kadmind server context. The buffer overflow occurs on line 575 when
> concatenating the source and destination principal names with the
> static text " to ".
> 
> III. ANALYSIS
> 
> Exploitation allows attackers to execute arbitrary code with the
> privileges of the running service, usually root.
> 
> Although the functionality where the vulnerability lies is designed to
> require administrator privileges, the problem actually occurs prior to
> credential verification. As a result, only a valid user session is
> required to exploit this vulnerability.
> 
> The kadmind server runs on the master Kerberos server, which holds the
> KDC principal and policy database. As such, a compromise of 
> this server
> could lead to a compromise of multiple hosts that use the server for
> authentication.
> 
> It should be noted that while Fedora CORE 6 was used for testing, code
> execution is not possible as it has been compiled with the
> "FORTIFY_SOURCE" compiler flag.
> 
> IV. DETECTION
> 
> iDefense confirmed the existence of this vulnerability within MIT
> Kerberos 1.5-21 as distributed with the Fedora CORE 6 Linux
> distribution. It has also been confirmed via source code review to
> exist in version 1.5.3 and version 1.6.1. All other distributions, as
> well as those for other computing platforms are suspected to be
> vulnerable.
> 
> V. WORKAROUND
> 
> iDefense is currently unaware of any effective workaround for this
> issue.
> 
> VI. VENDOR RESPONSE
> 
> The MIT Kerberos team has made patches available to address this
> vulnerability. For more information consult their advisory at the
> following URL.
> 
> http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-005.txt
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the
> name CVE-2007-2798 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 05/15/2007  Initial vendor notification
> 05/15/2007  Initial vendor response
> 06/26/2007  Coordinated public disclosure
> 
> IX. CREDIT
> 
> The discoverer of this vulnerability wishes to remain anonymous.
> 
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2007 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available 
> information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
>  There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 



 




Copyright © Lexa Software, 1996-2009.