MITKRB5-SA-2007-006: kadmind RPC lib buffer overflow, uninitialized pointer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-006

Original release: 2007-09-04
Last update: 2007-09-04

Topic: kadmind RPC lib buffer overflow, uninitialized pointer

[CVE-2007-3999/VU#883632]

RPC library buffer overflow

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete

CVSSv2 Temporal Score: 7.8

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

[CVE-2007-4000/VU#377544]

kadmind uninitialized pointer

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

See DETAILS for the expanded CVSSv2 metrics for this vulnerability.

SUMMARY

This advisory concerns two vulnerabilities. CVE-2007-3999 is much easier to exploit than CVE-2007-4000.

[CVE-2007-3999]
The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow in the RPCSEC_GSS authentication flavor of the RPC library. Third-party applications using the RPC library provided with MIT krb5 may also be affected.

We have received a proof-of-concept exploit that does not appear to execute malicious code, and we believe that this exploit is not publicly circulated.

This is a bug in the RPC library in MIT krb5. It is not a bug in the Kerberos protocol.

[CVE-2007-4000]
The MIT krb5 Kerberos administration daemon (kadmind) can write data through an uninitialized pointer. We know of no working exploit code for this vulnerability, and do not believe that any exploit code for this vulnerability is circulating.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This is a bug in the kadmind in MIT krb5. It is not a bug in the Kerberos protocol.

IMPACT

[CVE-2007-3999] An unauthenticated remote user may be able to cause a
host running kadmind to execute arbitrary code.

[CVE-2007-4000] An authenticated user with "modify policy" privilege
may be able to cause a host running kadmind to execute arbitrary code.

Successful exploitation of either vulnerability can compromise the Kerberos key database and host security on the KDC host. (kadmind typically runs as root.) Unsuccessful exploitation attempts will likely result in kadmind crashing.

Third-party applications calling the RPC library provided with MIT krb5 may be vulnerable to CVE-2007-3999.

AFFECTED SOFTWARE

[CVE-2007-3999]

• kadmind in MIT releases krb5-1.4 through krb5-1.6.2
• third-party RPC server programs linked against the RPC library included in MIT releases krb5-1.4 through krb5-1.6.2
• MIT releases prior to krb5-1.4 did not contain the vulnerable code

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

[CVE-2007-4000]

• kadmind in MIT releases krb5-1.5 through krb5-1.6.2
• MIT releases prior to krb5-1.5 did not contain the vulnerable code

FIXES

• The upcoming krb5-1.6.3 release, as well as the upcoming krb5-1.5.5 maintenance release, will contain fixes for this vulnerability.

Prior to that release you may apply the following patch. Note that releases prior to krb5-1.5 will not need the svr_policy.c patch.

• src/lib/kadm5/srv/svr_policy.c (revision 20254) - --- src/lib/kadm5/srv/svr_policy.c (local)

  ---

• 211,218 **** if((mask & KADM5_POLICY)) return KADM5_BAD_MASK;

!     ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
!     if( ret && (cnt==0) )
  	return KADM5_UNK_POLICY;
  
      if ((mask & KADM5_PW_MAX_LIFE))
- --- 211,219 ----
      if((mask & KADM5_POLICY))
  	return KADM5_BAD_MASK;
  		
!     if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
! 	return ret;
!     if (cnt != 1)
  	return KADM5_UNK_POLICY;
  
      if ((mask & KADM5_PW_MAX_LIFE))
*** src/lib/rpc/svc_auth_gss.c	(revision 20254)
- --- src/lib/rpc/svc_auth_gss.c	(local)

• 339,345 **** oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); ! if (oa->oa_length) { memcpy((caddr_t)buf, oa->oa_base, oa->oa_length); buf += RNDUP(oa->oa_length) / sizeof(int32_t); } - --- 339,345 ---- oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); ! if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) { memcpy((caddr_t)buf, oa->oa_base, oa->oa_length); buf += RNDUP(oa->oa_length) / sizeof(int32_t); }

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-006-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-006-patch.txt.asc

REFERENCES

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html     http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

CVE: CVE-2007-3999
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3999

CERT: VU#883632
http://www.kb.cert.org/vuls/id/883632

CVE: CVE-2007-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4000

CERT: VU#377544
http://www.kb.cert.org/vuls/id/377544

ACKNOWLEDGMENTS

CVE-2007-3999 was discovered by Tenable Network Security and reported to MIT Kerberos Team by the Zero Day Initiative (ZDI) of the TippingPoint division of 3Com.

CVE-2007-4000 was discovered by Garrett Wollman of MIT CSAIL.

DETAILS

Confused? Frustrated?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

[CVE-2007-3999]
The implementation of the RPCSEC_GSS authentication flavor copies untrusted data having an inadequately-validated length into a buffer on the stack. In the function svcauth_gss_validate() in src/lib/rpc/svc_auth_gss.c, which authenticates the incoming RPC message, a memcpy() invocation copies a number of bytes into the 128-byte stack buffer "rpchdr". The length provided to this memcpy() invocation comes from the RPC header and may be maliciously chosen. The invocation of xdr_callmsg(), which provides the decoded rpc_msg structure used by svcauth_gss_validate(), ensures that the provided length does not exceed MAX_AUTH_BYTES, which is 400, but destination buffer is smaller than this size, and can be trivially overflowed.

The vulnerable code executes prior to the completion of authentication of the RPC message, and therefore requires no authentication to exploit.

Exploitation of stack buffer overflows is trivial on many platforms.

[CVE-2007-4000]
CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score: 7.1

Access Vector:          Network
Access Complexity:      High
Authentication:         Single
Confidentiality Impact: Complete
Integrity Impact:       Complete

CVSSv2 Temporal Score: 5.6

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The function kadm5_modify_policy_internal() in src/lib/kadm5/srv/svr_policy.c, does not check return values from krb5_db_get_policy() correctly. When the policy does not exist, krb5_db_get_policy() returns zero but sets the count retrieved records to zero without initializing the output pointer. Subsequent code in kadm5_modify_policy_internal() can attempt to write data through this pointer, causing memory corruption.

This vulnerability was not present in MIT releases prior to krb5-1.5. In the krb5-1.5 release, changes related to the implementation of the Database Abstraction Layer introduced this vulnerability.

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

REVISION HISTORY

2007-09-04 original release

Copyright (C) 2007 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRt2eBabDgE/zdoE9AQKxOQP+PQW4p5KjJjeJf7oGQgNqdWZVxvgR90Pn eCmgrgiOupGHAr8U3bhoyNSLMMBGl4BcTh1JF7iCm0MUiishD1vEenw+OVne4QR4 bVWDufAplHzxyVu4nXoEGA/2OXOOlMTHUAST1t4htEi/FbaJoVZZqXqmdMhpIN9k yA55MUV1cUc=
=zETh
-----END PGP SIGNATURE----- Received on Tue Sep 4 15:31:57 2007