-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MIT krb5 Security Advisory 2007-002
Original release: 2007-04-03
Last update: 2007-04-03
Topic: KDC, kadmind stack overflow in krb5_klog_syslog
Severity: CRITICAL
CVE: CVE-2007-0957
CERT: VU#704024
SUMMARY
=======
The library function krb5_klog_syslog() can write past the
end of a
stack buffer. The Kerberos administration daemon (kadmind)
as well as
the KDC, are vulnerable. Exploitation of this vulnerability
is
probably simple.
This is a vulnerability in the the kadm5 library, which is
used by the
KDC and kadmind, and possibly by some third-party
applications. It is
not a bug in the MIT krb5 protocol libraries or in the
Kerberos
protocol.
IMPACT
======
An authenticated user may be able to cause a host running
kadmind to
execute arbitrary code.
An authenticated user may be able to cause a KDC host to
execute
arbitrary code. Also, a user controlling a Kerberos realm
sharing a
key with the target realm may be able to cause a KDC host to
execute
arbitrary code.
Successful exploitation can compromise the Kerberos key
database and
host security on the host running these programs. (kadmind
and the
KDC typically run as root.) Unsuccessful exploitation
attempts will
likely result in the affected program crashing.
Third-party applications which call krb5_klog_syslog() may
also be
vulnerable.
AFFECTED SOFTWARE
=================
* MIT krb5 releases through krb5-1.6
FIXES
=====
* The upcoming krb5-1.6.1 release will contain a fix for
this
vulnerability.
Prior to that release you may:
* apply the patch
The patch is available at
http://web.mit.edu/kerberos/advisories/2007-002-patch.t
xt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2007-002-pat
ch.txt.asc
Systems which definitely provide vsnprintf() may not need
the entire
patch; see "DETAILS".
Please note that releases prior to krb5-1.5 will require
additional
changes to the configure script src/lib/kadm5/configure in
order to
correctly detect the presence of vsnprintf(). krb5-1.5
and later
releases already check for vsnprintf() in the top-level
configure
script, and do not have a separate src/lib/kadm5/configure
script.
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITK
RB5-SA-2007-002-syslog.txt
This announcement and related security advisories may be
found on the
MIT Kerberos security advisory page at:
htt
p://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit
.edu/kerberos/index.html
CVE: CVE-2007-0957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-200
7-0957
CERT: VU#704024
http://www.kb.c
ert.org/vuls/id/704024
ACKNOWLEDGMENTS
===============
We thank iDefense Labs for notifying us of this
vulnerability.
iDefense credits an anonymous discoverer.
DETAILS
=======
krb5_klog_syslog() uses vsprintf() to format text into a
fixed-length
stack buffer. Format specifiers such as "%s" used
in calls to
krb5_klog_syslog() may allow formatting of strings of
sufficient
length to overwrite memory past the end of the stack
buffer.
Certain strings received from the client by the kadmin
daemon are not
truncated prior to logging. Among these strings is the
target
principal for the kadmin operation.
The KDC truncates most client-originated strings prior to
logging.
One sort of string which is not truncated is a
transited-realms
string. A malicious KDC sharing a key with the target realm
may issue
tickets with specially-crafted transited-realms strings to
exploit
this vulnerability. There are other places where an
authenticated
user may cause the KDC to log a string which triggers the
vulnerability.
On a system where vsnprintf() is confirmed to be available,
the
patches to files other than src/lib/kadm5/logger.c may not
be
necessary to prevent a buffer overflow; these patches are
still useful
to prevent malicious users from causing vsnprintf() to
obliterate
useful log information by means of truncation.
REVISION HISTORY
================
2007-04-03 original release
Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)
iQCVAwUBRhKVS6bDgE/zdoE9AQJlZgQAq/IvVdpkf3VNViwuZaAJ31+mqq17
gKqX
9DkxkvpPD2b5/8N/ouywP/ODCpYpT9Y+mU+Cw/hEfL2otv/o1HJcV7CXPRCE
FODs
YKpi2Sahcxs+jl1ZQfsY63oay6urZ0PTcrZTFQuqOv8B0wVd0XUwrSkBLejZ
szL3
YUFR4W+wtbg=
=GsBC
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-anno
unce
_______________________________________________
krbdev mailing list krbdevmit.edu
https
://mailman.mit.edu/mailman/listinfo/krbdev
|
