__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

               kadmin Vulnerable [MITKRB5-SA-2007-005]

June 28, 2007 18:00 GMT                                       Number R-287
[REVISED 29 June 2007]
______________________________________________________________________________

PROBLEM:       The MIT krb5 Kerberos administration daemon (kadmin) is
               vulnerable to a stack buffer overflow and multiple
               vulnerabilities in the RPC library shipped with MIT krb5.

PLATFORM:      kadmin from MIT releases up to and including krb5-1.6.1
               Third-party applications calling the RPC library included
               in MIT releases up to and including krb5-1.6.1
               Debian GNU/Linux 3.1 (sarge) and 4.0 (etch)

DAMAGE:        An authenticated user may run commands as root on the
               Kerberos server.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. An authenticated user may run commands as
ASSESSMENT:    root on the Kerberos server.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-287.shtml
 ORIGINAL BULLETIN:  http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt
 ADDITIONAL LINKS:   http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102985-1
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102914-1
                     https://rhn.redhat.com/errata/RHSA-2007-0562.html
                     http://www.debian.org/security/2007/dsa-1323
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-2798
                     CVE-2007-2442
                     CVE-2007-2443
______________________________________________________________________________

REVISION HISTORY:
 06/29/2007 - revised R-287 to add a link to Debian Security Advisory
              DSA-1323-1 for Debian GNU/Linux 3.1 (sarge) and 4.0 (etch).
[***** Start MITKRB5-SA-2007-005 *****]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-005

Original release: 2007-06-26
Last update: 2007-06-26

Topic: kadmind vulnerable to buffer overflow

Severity: CRITICAL

CVE: CVE-2007-2798
CERT: VU#554257

SUMMARY
=======

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow. Exploitation of overflows of stack buffers is
known to be simple. We have received a proof-of-concept exploit which
may invoke a shell, but we believe that this exploit is not publicly
circulated.

This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos
protocol.

IMPACT
======

An authenticated remote user may be able to cause a host running
kadmind to execute arbitrary code. Successful exploitation can
compromise the Kerberos key database and host security on the KDC
host. (kadmind typically runs as root.) Unsuccessful exploitation
attempts will likely result in kadmind crashing.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases up to and including krb5-1.6.1

FIXES
=====

* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
  maintenance release, will contain fixes for this vulnerability.

  Prior to that release you may:

* apply the patch

  This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite.
  The krb5-1.6.1 and krb5-1.5.3 releases already contain the
  prerequisite patch.
This patch is also available at http://web.mit.edu/kerberos/advisories/2007-005-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc *** src/kadmin/server/server_stubs.c (revision 20024) - --- src/kadmin/server/server_stubs.c (local) *************** *** 545,557 **** static generic_ret ret; char *prime_arg1, *prime_arg2; - - char prime_arg[BUFSIZ]; gss_buffer_desc client_name, service_name; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; char *errmsg; xdr_free(xdr_generic_ret, &ret); - --- 545,558 ---- static generic_ret ret; char *prime_arg1, *prime_arg2; gss_buffer_desc client_name, service_name; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; char *errmsg; + size_t tlen1, tlen2, clen, slen; + char *tdots1, *tdots2, *cdots, *sdots; xdr_free(xdr_generic_ret, &ret); *************** *** 572,578 **** ret.code = KADM5_BAD_PRINCIPAL; goto exit_func; } ! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2); ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) { - --- 573,586 ---- ret.code = KADM5_BAD_PRINCIPAL; goto exit_func; } ! tlen1 = strlen(prime_arg1); ! trunc_name(&tlen1, &tdots1); ! tlen2 = strlen(prime_arg2); ! trunc_name(&tlen2, &tdots2); ! clen = client_name.length; ! trunc_name(&clen, &cdots); ! slen = service_name.length; ! trunc_name(&slen, &sdots); ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) { *************** *** 590,597 **** } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! log_unauth("kadm5_rename_principal", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); - --- 598,612 ---- } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! krb5_klog_syslog(LOG_NOTICE, ! "Unauthorized request: kadm5_rename_principal, " ! "%.*s%s to %.*s%s, " ! "client=%.*s%s, service=%.*s%s, addr=%s", ! tlen1, prime_arg1, tdots1, ! 
tlen2, prime_arg2, tdots2, ! clen, client_name.value, cdots, ! slen, service_name.value, sdots, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); *************** *** 600,607 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_rename_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); free(prime_arg1); - --- 615,629 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, ! "Request: kadm5_rename_principal, " ! "%.*s%s to %.*s%s, %s, " ! "client=%.*s%s, service=%.*s%s, addr=%s", ! tlen1, prime_arg1, tdots1, ! tlen2, prime_arg2, tdots2, errmsg, ! clen, client_name.value, cdots, ! slen, service_name.value, sdots, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); free(prime_arg1); REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVE: CVE-2007-2798 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798 CERT: VU#554257 http://www.kb.cert.org/vuls/id/554257 ACKNOWLEDGMENTS =============== We thank iDefense for the initial notification. iDefense credits an anonymous discoverer. DETAILS ======= The kadmind code which performs the principal renaming operation passes unchecked string arguments to a sprintf() call which has a fixed-size stack buffer as its destination. These strings are the old and new principal names passed to the rename operation. 
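Review bot: the locals added at 545-558 (`tdots1`, `tdots2`, `cdots`, `sdots` and the four lengths) are declared without initializers, and the only assignments to them come later in the function, after the `goto exit_func` bail-outs shown at 572-578; initialize the pointers to "" and the lengths to 0 at declaration so that no logging reachable from exit_func can ever pass an indeterminate pointer to a `%s` conversion.

Review bot: the replacement body at 573-586 calls `trunc_name()` four times but this patch neither declares nor defines it; it comes from the prerequisite MITKRB5-SA-2007-002 patch the advisory names, so on a tree without that patch the hunk does not compile (or, with an old compiler, silently links against an implicitly declared function). State the dependency in the patch header and make sure the header that declares `trunc_name` is included by server_stubs.c.

Review bot: the `%.*s` conversions at 598-612 are fed `tlen1`, `tlen2`, `clen` and `slen`, which the first hunk declares as `size_t`; the precision argument consumed by `*` is `int`, so passing a `size_t` through the variadic call is undefined behaviour and actually misreads the argument list on ABIs where the two types differ in size. Cast at the call site, e.g. `(int)tlen1, prime_arg1, tdots1,` and likewise for the other three. `client_name.value` and `service_name.value` are `void *` in gss_buffer_desc; cast them to `char *` for `%s` so that -Wformat stays clean.

Review bot: the replacement at 615-629 hand-writes the same `"%.*s%s to %.*s%s, ... client=%.*s%s, service=%.*s%s, addr=%s"` layout that the unauthorized branch at 598-612 also hand-writes, where the old `log_done()`/`log_unauth()` helpers kept one copy; two copies will drift and log parsers will end up with two message shapes. Factor the shared formatting into one small static helper that both branches call, keeping `errmsg` as a separate parameter as `log_done` did.

The sprintf() pattern the DETAILS section describes, and the bounded form the patch moves to, as an added example in C that is not part of the advisory or of the MIT krb5 source: `rename_msg_overflows()` computes whether the original "%s to %s" message would fit a fixed-size buffer without ever writing it, and `format_rename_bounded()` formats the same message with snprintf() and an int-cast `%.*s` precision. The helper `clamp_name()` is modelled on, but is not, the patch's `trunc_name()`; it and the constants `RENAME_BUF` and `NAME_LOG_MAX` are assumptions of this example, not names from the krb5 tree.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical constants for this example (not from the krb5 source). */
#define RENAME_BUF   1024   /* stands in for the fixed-size stack buffer (BUFSIZ) */
#define NAME_LOG_MAX 64     /* longest name fragment we are willing to log */

/* How many bytes sprintf(buf, "%s to %s", src, dst) would write, NUL included,
 * compared with the buffer it targets.  Returns 1 when the write would run past
 * the end of the buffer, i.e. the situation the advisory describes.  Nothing is
 * written here; the size is only computed. */
int rename_msg_overflows(const char *src, const char *dst, size_t buf_size) {
    size_t need = strlen(src) + strlen(" to ") + strlen(dst) + 1;
    return need > buf_size;
}

/* Modelled on the advisory's trunc_name(): clamp the length used with %.*s and
 * choose an ellipsis marker so the reader can see that the name was cut. */
static void clamp_name(size_t *len, const char **dots) {
    if (*len > NAME_LOG_MAX) {
        *len = NAME_LOG_MAX;
        *dots = "...";
    } else {
        *dots = "";
    }
}

/* Hardened formatting: the caller supplies the output buffer and its size, every
 * %s is bounded by an int precision, and the result is always NUL-terminated.
 * Returns the number of characters written (excluding the NUL), or -1 when the
 * message does not fit (nothing past out_size is ever touched). */
int format_rename_bounded(char *out, size_t out_size, const char *src, const char *dst) {
    size_t slen = strlen(src), dlen = strlen(dst);
    const char *sdots, *ddots;
    clamp_name(&slen, &sdots);
    clamp_name(&dlen, &ddots);
    /* %.*s consumes an int precision: cast explicitly instead of passing size_t. */
    int n = snprintf(out, out_size, "%.*s%s to %.*s%s",
                     (int)slen, src, sdots, (int)dlen, dst, ddots);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

int main(void) {
    /* Constructed input: a principal name far longer than any legitimate one. */
    char *big = malloc(RENAME_BUF + 1);
    if (!big) return 1;
    memset(big, 'A', RENAME_BUF);
    big[RENAME_BUF] = '\0';

    char out[256];
    printf("original sprintf path overflows: %d\n",
           rename_msg_overflows(big, big, RENAME_BUF));
    int n = format_rename_bounded(out, sizeof out, big, "ok@EXAMPLE.COM");
    printf("bounded (%d chars): %s\n", n, out);
    free(big);
    return 0;
}
```

The defensive point is the second function: the message length is now a property of the format string and the caller's buffer, not of whatever an authenticated client chose to send as a principal name, and the `...` marker keeps the log honest about the truncation.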
The attacker needs to authenticate to kadmind to perform this attack,
but no administrative privileges are required because the vulnerable
code executes prior to privilege verification.

REVISION HISTORY
================

2007-06-26 original release

Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRoFJ16bDgE/zdoE9AQJKkQP/V95mZTlvUeuc1+Pw6m3vx+0jd2yGdR9Y
NiM1Kfe80u4TjvXIkCLLrIwE2E8+xSjEpGsG0EBqlRpAKOMtXyfzySYF4RdQl8QI
42joEAhYO4sk4xueb9ZC/GW1BCOobkvH+Apq1mXEndfeM/7QHRo/MJRZry8aek8r
Xfd3cRNQogQ=
=JE8k
-----END PGP SIGNATURE-----

[***** End MITKRB5-SA-2007-005 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of MIT for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.
If you are not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will coordinate
with CIAC. The Forum of Incident Response and Security Teams (FIRST) is
a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-277: Security Vulnerability in Sun Java System Directory Server
R-278: Security Vulnerability in Solaris 10 NFS XDR Handling
R-279: Multiple Security Vulnerabilities in samba(7)
R-280: MPlayer Vulnerability
R-281: Apple Security Update 2007-006
R-282: libphp-phpmailer Security Vulnerability
R-283: HP Help and Support Center Running on HP Notebook Computers Vulnerability
R-284: Cerulean Studios Trillian Instant Messenger Vulnerability
R-285: ClamAV
R-286: 602pro Lan Suite 2003 Vulnerability