> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of iDefense Labs
> Sent: Tuesday, June 26, 2007 10:46 PM
> To: vulnwatch@xxxxxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] iDefense Security Advisory
> 06.26.07: Multiple Vendor Kerberos kadmind Rename Principal
> Buffer Overflow Vulnerability
>
> Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow
> Vulnerability
>
> iDefense Security Advisory 06.26.07
>
> Jun 26, 2007
>
> I. BACKGROUND
>
> Kerberos is a network authentication protocol used in client-server
> systems to provide user authentication by using a ticket-based system.
> kadmind is the Kerberos administration server and is used to configure
> principals and policies on the Kerberos server, such as changing a
> password. More information can be found via the URL shown below.
>
>
>
> II. DESCRIPTION
>
> Remote exploitation of a buffer overflow vulnerability within MIT
> Kerberos kadmind allows attackers to execute arbitrary code with the
> privileges of the running service, usually root.
>
> The vulnerability specifically exists within the code responsible for
> handling requests to rename principals. The rename_principal_2_svc
> function fails to properly bounds-check user-supplied data before
> copying it to a fixed-size stack buffer. The vulnerable code is shown
> below.
>
> 542 generic_ret *
> 543 rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
> 544 {
> 545 static generic_ret ret;
> 546 char *prime_arg1,
> 547 *prime_arg2;
> 548 char prime_arg[BUFSIZ];
> ...
> 570 if (krb5_unparse_name(handle->context, arg->src,
> &prime_arg1) ||
> 571 krb5_unparse_name(handle->context, arg->dest,
> &prime_arg2)) {
> 572 ret.code = KADM5_BAD_PRINCIPAL;
> 573 goto exit_func;
> 574 }
> 575 sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
>
> On lines 570 and 571 attacker supplied data is extracted from the
> kadmind server context. The buffer overflow occurs on line 575 when
> concatenating the source and destination principal names with the
> static text " to ".
>
> III. ANALYSIS
>
> Exploitation allows attackers to execute arbitrary code with the
> privileges of the running service, usually root.
>
> Although the functionality where the vulnerability lies is designed to
> require administrator privileges, the problem actually occurs prior to
> credential verification. As a result, only a valid user session is
> required to exploit this vulnerability.
>
> The kadmind server runs on the master Kerberos server, which holds the
> KDC principal and policy database. As such, a compromise of
> this server
> could lead to a compromise of multiple hosts that use the server for
> authentication.
>
> It should be noted that while Fedora CORE 6 was used for testing, code
> execution is not possible as it has been compiled with the
> "FORTIFY_SOURCE" compiler flag.
>
> IV. DETECTION
>
> iDefense confirmed the existence of this vulnerability within MIT
> Kerberos 1.5-21 as distributed with the Fedora CORE 6 Linux
> distribution. It has also been confirmed via source code review to
> exist in version 1.5.3 and version 1.6.1. All other distributions, as
> well as those for other computing platforms are suspected to be
> vulnerable.
>
> V. WORKAROUND
>
> iDefense is currently unaware of any effective workaround for this
> issue.
>
> VI. VENDOR RESPONSE
>
> The MIT Kerberos team has made patches available to address this
> vulnerability. For more information consult their advisory at the
> following URL.
>
>
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2007-2798 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 05/15/2007 Initial vendor notification
> 05/15/2007 Initial vendor response
> 06/26/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2007 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -
>
