-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MIT krb5 Security Advisory 2007-001
Original release: 2007-04-03
Last update: 2007-04-03
Topic: telnetd allows login as arbitrary user
Severity: CRITICAL
CVE: CVE-2007-0956
CERT: VU#220816
SUMMARY
=======
The MIT krb5 telnet daemon (telnetd) allows unauthorized login as an
arbitrary user, when presented with a specially crafted username.
Exploitation of this vulnerability is trivial.

This is a vulnerability in an application program; it is not a bug in
the MIT krb5 libraries or in the Kerberos protocol.
IMPACT
======
A user can gain unauthorized access to any account (including root) on
a host running telnetd. Whether the attacker needs to authenticate
depends on the configuration of telnetd on that host.
AFFECTED SOFTWARE
=================
* telnetd in all releases of MIT krb5, up to and including krb5-1.6
FIXES
=====
* The upcoming krb5-1.6.1 release will contain a fix for this
  vulnerability.

  Prior to that release you may:

  * disable telnetd

  or

  * apply the patch

  This patch is also available at
  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt

  A PGP-signed patch is available at
  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt.asc
*** src/appl/telnet/telnetd/state.c (revision 19480)
- --- src/appl/telnet/telnetd/state.c (local)
***************
*** 1665,1671 ****
strcmp(varp, "RESOLV_HOST_CONF") &&
/* linux */
strcmp(varp, "NLSPATH") && /*
locale stuff */
strncmp(varp, "LC_",
strlen("LC_")) && /* locale stuff */
! strcmp(varp, "IFS")) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify
the environment variable "%s"", varp);
- --- 1665,1672 ----
strcmp(varp, "RESOLV_HOST_CONF") &&
/* linux */
strcmp(varp, "NLSPATH") && /*
locale stuff */
strncmp(varp, "LC_",
strlen("LC_")) && /* locale stuff */
! strcmp(varp, "IFS") &&
! !strchr(varp, '-')) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify
the environment variable "%s"", varp);
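Review bot: the new `!strchr(varp, '-')` test in the state.c hunk rejects an environment variable name containing '-' anywhere, not only at the start, and it sits inside the same `if` as the existing deny-list (RESOLV_HOST_CONF, NLSPATH, LC_*, IFS), so a rejected name goes through the existing `syslog(LOG_INFO, "Rejected the attempt to modify the environment variable ...")` branch and is visible to log monitoring. The other entries in that condition carry short comments ("linux", "locale stuff") but the new one does not; a comment stating why '-' is excluded (a name that later lands in the login program's argv must never look like an option) would keep the next reader from guessing.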
*** src/appl/telnet/telnetd/sys_term.c (revision 19480)
- --- src/appl/telnet/telnetd/sys_term.c (local)
***************
*** 1287,1292 ****
- --- 1287,1302 ----
#endif
#if defined (AUTHENTICATION)
if (auth_level >= 0 && autologin ==
AUTH_VALID) {
+ if (name[0] == '-') {
+ /* Authenticated and authorized to log in to an
+ account starting with '-'? Even if that
+ unlikely case comes to pass, the current login
+ program will not parse the resulting command
+ line properly. */
+ syslog(LOG_ERR, "user name cannot start with
'-'");
+ fatal(net, "user name cannot start with
'-'");
+ exit(1);
+ }
# if !defined(NO_LOGIN_F)
#if defined(LOGIN_CAP_F)
argv = addarg(argv, "-F");
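Review bot: the `name[0] == '-'` check in this hunk is guarded by `#if defined (AUTHENTICATION)` and by `auth_level >= 0 && autologin == AUTH_VALID`, so it covers only the authenticated autologin path; the unauthenticated `getenv("USER")` path needs its own check (the following hunk adds one) and the two must stay in sync. The `exit(1)` after `fatal(net, ...)` is a sensible safeguard in case `fatal()` returns, but the same `syslog(LOG_ERR, ...)` / `fatal()` / `exit(1)` triple is repeated verbatim in the next hunk; a small helper such as `reject_user_name(net)` would keep the log line and the message from drifting apart.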
***************
*** 1377,1387 ****
} else
#endif
if (getenv("USER")) {
! argv = addarg(argv, getenv("USER"));
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
argv = addarg(argv, *cpp);
}
#endif
- --- 1387,1405 ----
} else
#endif
if (getenv("USER")) {
! char *user = getenv("USER");
! if (user[0] == '-') {
! /* "telnet -l-x ..." */
! syslog(LOG_ERR, "user name cannot start with
'-'");
! fatal(net, "user name cannot start with
'-'");
! exit(1);
! }
! argv = addarg(argv, user);
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
+ if ((*cpp)[0] != '-')
argv = addarg(argv, *cpp);
}
#endif
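Review bot: in the `LOGIN_ARGS && NO_LOGIN_P` loop, `if ((*cpp)[0] != '-')` silently drops environment entries that begin with '-', while the user-name rejection just above it is logged with `syslog(LOG_ERR, ...)` and ends the session via `fatal()`; logging the dropped entry as well (state.c already logs rejected variable names) would give operators a consistent detection signal for this attack pattern. The unbraced single-statement `if` inside the `for` is correct today but easy to break on a later edit, so braces are worth adding. Caching `getenv("USER")` in `user` before testing `user[0]` also removes the double lookup, which is an improvement.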
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-0956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956

CERT: VU#220816
http://www.kb.cert.org/vuls/id/220816
ACKNOWLEDGMENTS
===============
This vulnerability was found when attempting to confirm the absence of
a related vulnerability in the Solaris telnetd. [CVE-2007-0882]
DETAILS
=======
The MIT krb5 telnet daemon fails to adequately check the provided
username. A malformed username beginning with "-e" can be interpreted
as a command-line flag by the login.krb5 program, which is executed by
telnetd. This causes login.krb5 to execute part of the BSD rlogin
protocol, where an arbitrary username may be injected, allowing login
as that user without a password or any further authentication.

If the telnet daemon is configured to only permit authenticated login,
then only authenticated users can exploit this vulnerability.
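The defensive rule behind the fix, written out as an added example (this is not MIT krb5 code and not the patch in this advisory): a daemon that passes a user-supplied name and environment to a login program must make sure nothing it hands over can be parsed as an option. The helper names is_safe_login_name, is_safe_env_entry and filter_env are hypothetical, and the rules go beyond the advisory's patch (which only rejects a leading '-' in the user name and a '-' anywhere in a variable name) by allow-listing the characters of the login name and requiring environment names to match the usual NAME=value grammar. The sample inputs are constructed, modelled on the "telnet -l-x" case mentioned in the patch comment.

```c
/* Added example, not MIT krb5 code.  Allow-list checks applied to a
 * login name and an environment before they are passed to a login
 * program as argv/envp.  Helper names are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 32

/* Return 1 if `name` is an acceptable login name: non-empty, at most
 * MAX_NAME_LEN bytes, not beginning with '-' (so a login program can
 * never read it as an option such as "-e"), and built only from
 * [A-Za-z0-9._-].  Everything else returns 0. */
int is_safe_login_name(const char *name)
{
    size_t i, n;
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return 0;
    n = strlen(name);
    if (n > MAX_NAME_LEN)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Return 1 if an environment entry has the form NAME=value with NAME
 * matching [A-Za-z_][A-Za-z0-9_]*.  An entry with no '=', an empty
 * name, or a '-' anywhere in the name (including a leading '-') is
 * rejected, so it can never be appended to a login argv. */
int is_safe_env_entry(const char *entry)
{
    const char *eq;
    size_t i;
    if (entry == NULL)
        return 0;
    eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    for (i = 0; entry + i < eq; i++) {
        unsigned char c = (unsigned char)entry[i];
        if (i == 0 && !(isalpha(c) || c == '_'))
            return 0;
        if (!(isalnum(c) || c == '_'))
            return 0;
    }
    return 1;
}

/* Copy the entries of `in` that pass is_safe_env_entry() into `out`
 * (capacity `cap`, NULL-terminated).  Returns the number kept, or -1
 * if `out` cannot hold them plus the terminating NULL. */
int filter_env(char *const in[], const char *out[], size_t cap)
{
    size_t kept = 0, i;
    for (i = 0; in[i] != NULL; i++) {
        if (!is_safe_env_entry(in[i]))
            continue;
        if (kept + 1 >= cap)
            return -1;
        out[kept++] = in[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

int main(void)
{
    /* Constructed sample inputs; "-e" and "-l-x" mirror the option-like
     * names discussed in the advisory. */
    const char *names[] = { "alice", "-e", "-l-x", "jane-doe", "" };
    char *env_in[] = { "HOME=/home/alice", "-e", "LC_ALL=C", "-x=1", NULL };
    const char *env_out[8];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("login name \"%s\" -> %s\n", names[i],
               is_safe_login_name(names[i]) ? "accept" : "reject");
    printf("kept %d of 4 environment entries\n",
           filter_env(env_in, env_out, 8));
    return 0;
}
```

Rejecting on an allow-list rather than extending the daemon's deny-list means a future option letter or an unexpected environment name is refused by default, and a daemon using these checks should log each rejection (as the patched telnetd does for user names) so the attempts show up in monitoring.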
REVISION HISTORY
================
2007-04-03 original release
Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)
iQCVAwUBRhKVRabDgE/zdoE9AQIzPAQAj8a7ShfHXVVMOPQhEyoN/Ydnalnfa2xE
cl7UXFSjmkexalD+rymL0upLFw7EVgnYrVazc+AUhDLt1AZmCl5Lj2+WAcl1QYPu
fEGm2SFaS4Eda6NRb6xZ4BeY8zfRWFN2G8Bb5krpGj+oEX/c3Xg8O4oUyiJBYBQi
TXhryamn6Yw=
=aE5C
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos