From tlyu at MIT.EDU Tue Jan 9 14:07:47 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 09 Jan 2007 14:07:47 -0500
Subject: MITKRB5-SA-2006-002: kadmind (via RPC lib) calls uninitialized function pointer

MIT krb5 Security Advisory 2006-002

Original release: 2007-01-09
Last update: 2007-01-09

Topic: kadmind (via RPC library) calls uninitialized function pointer

Severity: CRITICAL

CVE: CVE-2006-6143
CERT: VU#481564

SUMMARY
=======

The Kerberos administration daemon, "kadmind", can execute arbitrary code by calling through a function pointer located in freed memory. This vulnerability results from bugs in the server-side portion of the RPC library. Third-party server applications written using the RPC library provided with MIT krb5 may also be vulnerable.

No exploit code is known to exist at this time.

IMPACT
======

An unauthenticated user may cause execution of arbitrary code in kadmind, which can compromise the Kerberos key database and host security. (kadmind usually runs as root.)

Unsuccessful exploitation, or even accidental replication of the required conditions by non-malicious users, can result in kadmind crashing.

An unauthenticated user may cause execution of arbitrary code in third-party server applications which use the RPC library.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases krb5-1.4 through krb5-1.4.4

* kadmind from MIT releases krb5-1.5 through krb5-1.5.1

* third-party applications calling the RPC library included in MIT releases krb5-1.4 through krb5-1.4.4

* third-party applications calling the RPC library included in MIT releases krb5-1.5 through krb5-1.5.1

* Earlier releases may not be affected because the changes causing this vulnerability were introduced in krb5-1.4.

FIXES
=====

* The upcoming krb5-1.6 release will contain a fix for this problem. Additionally, the upcoming krb5-1.5.2 patch release will contain this fix.
* Apply the following patch:

Index: src/lib/rpc/svc.c
===================================================================
*** src/lib/rpc/svc.c   (revision 18864)
- --- src/lib/rpc/svc.c   (working copy)
***************
*** 437,442 ****
- --- 437,444 ----
  #endif
  }

+ extern struct svc_auth_ops svc_auth_gss_ops;
+
  static void
  svc_do_xprt(SVCXPRT *xprt)
  {
***************
*** 518,523 ****
- --- 520,528 ----
          if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
              SVC_DESTROY(xprt);
              break;
+         } else if ((xprt->xp_auth != NULL) &&
+                    (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) {
+             xprt->xp_auth = NULL;
          }
      } while (stat == XPRT_MOREREQS);

This patch is also available at:

http://web.mit.edu/kerberos/advisories/2006-002-patch.txt

A PGP-signed version of the patch is at:

http://web.mit.edu/kerberos/advisories/2006-002-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-002-rpc.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVE: CVE-2006-6143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6143

CERT: VU#481564
http://www.kb.cert.org/vuls/id/481564

ACKNOWLEDGMENTS
===============

Thanks to Andrew Korty from Indiana University for reporting this problem and for assisting with debugging.

DETAILS
=======

Error handling in svc_do_xprt() calls SVC_DESTROY(), which calls SVCAUTH_DESTROY(), which calls through a function pointer in a SVCAUTH structure. The SVCAUTH structure may reside in uninitialized or freed memory, so the function pointer may point to malicious or invalid code, resulting in application crashes or execution of arbitrary malicious code.

On the server side of the RPC library, each RPC transport socket has a corresponding SVCXPRT structure. Every UDP listener has one SVCXPRT, as does every TCP listener.
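Review bot: in the second hunk, the new else-if clears xprt->xp_auth only when the call completed normally and only for flavors other than svc_auth_gss_ops, but nothing in the hunk says why RPCSEC_GSS is exempt; a later maintainer could read the comparison as dead code and drop it. Suggest a one-line comment above the else-if recording that RPCSEC_GSS currently keeps its auth state in xp_auth across calls (the limitation the DETAILS section describes), and that the exemption is temporary until that flavor is fixed. The condition also dereferences xp_auth before comparing svc_ah_ops, which is fine here because the same call just set it, but that assumption is worth stating in the same comment.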
UDP listeners do not create a new SVCXPRT structure for each client; TCP listeners do create a new SVCXPRT structure for each client.

Each SVCXPRT structure contains a SVCAUTH pointer named "xp_auth". The RPC call authentication functions set this SVCAUTH pointer, and SVCAUTH_WRAP() and SVCAUTH_UNWRAP() subsequently use this SVCAUTH pointer to perform encryption and decryption of RPC arguments and replies.

During a call, svc_do_xprt() uses the SVCXPRT pointer variable "xprt", previously set by looking up the transport's socket file descriptor, to call the various functions that perform the actual processing of the call.

The AUTH_GSSAPI authentication flavor's authentication function, gssrpc__svcauth_gssapi(), sets xprt->xp_auth to point into an allocated internal client state structure. This occurs prior to authentication actually succeeding; an attacker may not need to successfully authenticate to exploit this vulnerability.

AUTH_GSSAPI periodically scans all its client state structures for expired GSS-API contexts, and destroys them. The client state structures do not record which xprt->xp_auth points into them; as a result, the destruction of client state structures can leave some xprt->xp_auth pointing into freed memory.

When svc_do_xprt() encounters error conditions, it calls SVC_DESTROY(), which then calls SVCAUTH_DESTROY(xprt->xp_auth) if xprt->xp_auth is not NULL. Most of the functions called through svc_do_xprt() do initialize xprt->xp_auth, but because SVC_RECV() does not, errors in SVC_RECV() (such as a client closing its TCP socket) will leave xprt->xp_auth containing whatever value it had at the conclusion of the immediately preceding call which used that SVCXPRT. SVCAUTH_DESTROY() calls through a function pointer in xprt->xp_auth. If xprt->xp_auth points into freed memory, this call could jump to malicious code.

This vulnerability may be easy to exploit if the attacker can control the heap contents and writable process memory is executable.
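A toy model of the sequence described above, added here as an example and not code from MIT krb5: a call sets xp_auth into AUTH_GSSAPI client state, the expiry scan destroys that state, and the SVC_RECV() error path then reaches SVCAUTH_DESTROY() through the stale pointer. The model marks state dead instead of freeing it so the dangling call can be counted rather than crash; the struct layouts, simulate(), reap_expired_contexts() and rpcsec_gss_ops are assumptions that only mirror the names in the advisory and its patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Cut-down stand-ins for the library structures named in the advisory. */
struct auth_ops { int (*destroy)(void *auth); };
struct svcauth { const struct auth_ops *svc_ah_ops; int alive; };
struct svcxprt { struct svcauth *xp_auth; };

static int stale_destroys;   /* SVCAUTH_DESTROY() calls that hit dead state */

static int auth_destroy(void *auth) {
    if (!((struct svcauth *)auth)->alive)
        stale_destroys++;    /* in the real library: call through freed memory */
    return 0;
}
static const struct auth_ops auth_gssapi_ops = { auth_destroy };
static const struct auth_ops rpcsec_gss_ops  = { auth_destroy }; /* exempt flavor */

/* One AUTH_GSSAPI client-state record; "freed" is modelled as alive = 0. */
static struct svcauth client_state = { &auth_gssapi_ops, 1 };

static void reap_expired_contexts(void) { client_state.alive = 0; }

/* SVC_DESTROY(): calls SVCAUTH_DESTROY(xp_auth) if xp_auth is not NULL. */
static void svc_destroy(struct svcxprt *xprt) {
    if (xprt->xp_auth != NULL)
        xprt->xp_auth->svc_ah_ops->destroy(xprt->xp_auth);
    xprt->xp_auth = NULL;
}

/* Replays the advisory's sequence on one TCP transport and returns how many
 * destroy calls went through dead client state (0 means the bug is closed).
 * fix_applied mirrors the patch: clear xp_auth when a call completes unless
 * the flavor is RPCSEC_GSS, which still expects xp_auth to persist. */
int simulate(int fix_applied) {
    struct svcxprt xprt = { NULL };
    stale_destroys = 0;
    client_state.alive = 1;
    xprt.xp_auth = &client_state;        /* call 1: auth function sets xp_auth */
    if (fix_applied && xprt.xp_auth != NULL &&
        xprt.xp_auth->svc_ah_ops != &rpcsec_gss_ops)
        xprt.xp_auth = NULL;             /* call 1 completes: patched cleanup */
    reap_expired_contexts();             /* AUTH_GSSAPI expiry scan frees state */
    svc_destroy(&xprt);                  /* call 2: SVC_RECV() fails, XPRT_DIED */
    return stale_destroys;
}

int main(void) {
    printf("unpatched: %d stale destroy, patched: %d\n", simulate(0), simulate(1));
    return 0;
}
```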
The RPCSEC_GSS authentication flavor currently erroneously depends on xprt->xp_auth remaining constant across calls, so the simple strategy of unconditionally setting xprt->xp_auth to NULL will cause connections using RPCSEC_GSS authentication to fail. We plan to address this bug in a future release.

REVISION HISTORY
================

2007-01-09 original release

Copyright (C) 2006 Massachusetts Institute of Technology

From tlyu at MIT.EDU Tue Jan 9 14:07:54 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 09 Jan 2007 14:07:54 -0500
Subject: MITKRB5-SA-2006-003: kadmind (via GSS-API lib) frees uninitialized pointers

MIT krb5 Security Advisory 2006-003

Original release: 2007-01-09
Last update: 2007-01-09

Topic: kadmind (via GSS-API mechglue) frees uninitialized pointers

Severity: CRITICAL

CVE: CVE-2006-6144
CERT: VU#831452

SUMMARY
=======

The Kerberos administration daemon, "kadmind", can free uninitialized pointers, possibly leading to arbitrary code execution. This vulnerability results from memory management bugs in the "mechglue" abstraction interface of the GSS-API implementation. Third-party applications written using the GSS-API may also be vulnerable.

Exploitation of this vulnerability is believed to be difficult. No exploit code is known to exist at this time.

IMPACT
======

An unauthenticated user may cause execution of arbitrary code in kadmind, which can compromise the Kerberos key database and host security. (kadmind usually runs as root.)

Unsuccessful exploitation, or even accidental replication of the required conditions by non-malicious users, can result in kadmind crashing.
An unauthenticated user may cause execution of arbitrary code in third-party applications which use the GSS-API library.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases krb5-1.5 through krb5-1.5.1

* third-party applications calling the GSS-API library included in MIT releases krb5-1.5 through krb5-1.5.1

* Earlier releases may not be affected because the relevant code was not compiled.

FIXES
=====

* The upcoming krb5-1.6 release will contain a fix for this problem. Additionally, the upcoming krb5-1.5.2 patch release will contain this fix.

* Apply the patch at:

http://web.mit.edu/kerberos/advisories/2006-003-patch.txt

A PGP-signed version of the patch is at:

http://web.mit.edu/kerberos/advisories/2006-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-003-mechglue.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVE: CVE-2006-6144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6144

CERT: VU#831452
http://www.kb.cert.org/vuls/id/831452

ACKNOWLEDGMENTS
===============

This vulnerability was found while investigating a related vulnerability reported by Andrew Korty of Indiana University.

DETAILS
=======

The specifications for the GSS-API C bindings, including RFC 2744, require that all GSS-API calls which may return pointers to allocated memory initialize those pointers, even in error conditions. The implementation of the "mechglue" abstraction interface can execute error-handling paths which do not complete initialization of output parameters. As a result, callers which do not initialize return structures such as gss_buffer_desc may call destructor functions such as gss_release_buffer on values containing uninitialized pointers.
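The caller-side defence for the failure mode just described, written as an added example modelled on kadmind's log_badverf() rather than taken from kadmind or libgssapi: every gss_buffer_desc output is initialized to the empty buffer and each status is checked before the result is logged or released, so a call that fails without touching its output leaves a safe empty buffer behind. The mock_* functions, the buf_desc type and the EMPTY_BUFFER macro are stand-ins for gss_display_name(), gss_release_buffer(), gss_buffer_desc and GSS_C_EMPTY_BUFFER so the block runs without a GSS-API library; the client principal name is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { size_t length; void *value; } buf_desc;  /* like gss_buffer_desc */
#define EMPTY_BUFFER { 0, NULL }                          /* like GSS_C_EMPTY_BUFFER */
#define S_COMPLETE 0
#define S_BAD_NAME 1

/* Stand-in for gss_display_name(): mimics the mechglue error path by
 * returning early on a NULL name without writing *out at all. */
static int mock_display_name(const char *name, buf_desc *out) {
    if (name == NULL)
        return S_BAD_NAME;               /* *out deliberately left untouched */
    out->length = strlen(name);
    out->value = malloc(out->length + 1);
    memcpy(out->value, name, out->length + 1);
    return S_COMPLETE;
}

/* Stand-in for gss_release_buffer(): safe on an empty buffer, not on garbage. */
static int mock_release_buffer(buf_desc *b) {
    free(b->value);
    b->value = NULL;
    b->length = 0;
    return S_COMPLETE;
}

/* Hardened log_badverf()-style routine. Writes the log line into log[n] and
 * returns how many names were actually displayed, so the caller (or a test)
 * can tell a failed display from a successful one. */
int log_badverf_safe(const char *client, const char *server, char *log, size_t n) {
    buf_desc cb = EMPTY_BUFFER, sb = EMPTY_BUFFER;   /* never indeterminate */
    int shown = 0;
    if (mock_display_name(client, &cb) == S_COMPLETE) shown++;
    if (mock_display_name(server, &sb) == S_COMPLETE) shown++;
    snprintf(log, n, "authentication attempt failed: %s, %s",
             cb.value ? (const char *)cb.value : "<unknown>",
             sb.value ? (const char *)sb.value : "<unknown>");
    mock_release_buffer(&cb);    /* releases real data or an empty buffer */
    mock_release_buffer(&sb);
    return shown;
}

int main(void) {
    char line[128];   /* NULL server name: the RPCSEC_GSS case in the advisory */
    int shown = log_badverf_safe("admin/admin@EXAMPLE.COM", NULL, line, sizeof line);
    printf("%d displayed: %s\n", shown, line);
    return 0;
}
```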
In kadmind, the log_badverf() function calls gss_display_name() without checking its return value and without initializing the gss_buffer_desc structures passed to gss_display_name(). If gss_display_name() encounters certain error conditions, it does not initialize the gss_buffer_t output argument passed to it. The log_badverf() function then logs the returned strings, and calls gss_release_buffer() on these gss_buffer_desc structures. When RPCSEC_GSS is used, kadmind uses a NULL server name, so at least one of the calls to gss_display_name() will always fail in that case.

The act of logging these strings will typically cause a memory access fault if the uninitialized pointers have values pointing into invalid address space, which may prevent harmful effects in gss_release_buffer() because the program will have crashed. It is inadvisable to depend on this possibility, because an attacker may be able to manipulate the uninitialized pointers to take on values pointing into valid address space.

REVISION HISTORY
================

2007-01-09 original release

Copyright (C) 2006 Massachusetts Institute of Technology

From tlyu at MIT.EDU Tue Jan 9 21:11:45 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 09 Jan 2007 21:11:45 -0500
Subject: krb5-1.6 is released

The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.6. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.6
=================================

You may retrieve the Kerberos 5 Release 1.6 source from the following URL:

http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.6 release is:

http://web.mit.edu/kerberos/krb5-1.6/

Further information about Kerberos 5 may be found at the following URL:

http://web.mit.edu/kerberos/

MAJOR CHANGES
=============

* Partial client implementation to handle server name referrals.

* Pre-authentication plug-in framework, donated by Red Hat.

* LDAP KDB plug-in, donated by Novell.

* Fix for MITKRB5-SA-2006-002: the RPC library could call an uninitialized function pointer, which created a security vulnerability for kadmind.

* Fix for MITKRB5-SA-2006-003: the GSS-API mechglue layer could fail to initialize some output pointers, causing callers to attempt to free uninitialized pointers. This caused a security vulnerability in kadmind.

Note that the implementation of referral handling involves a change to the behavior of krb5_sname_to_principal() to return a zero-length realm name if it is unable to find the realm corresponding to the hostname. This special realm name signals the ticket-acquisition code to request KDC canonicalization of service principal names. Other library code has changed to accommodate this new behavior. This particular method of implementing service principal name referral handling may change in the future; we invite discussion on this subject.
From tlyu at MIT.EDU Tue Jan 9 21:11:51 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 09 Jan 2007 21:11:51 -0500
Subject: krb5-1.5.2 is released

The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.5.2. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.5.2
===================================

You may retrieve the Kerberos 5 Release 1.5.2 source from the following URL:

http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.5.2 release is:

http://web.mit.edu/kerberos/krb5-1.5/

Further information about Kerberos 5 may be found at the following URL:

http://web.mit.edu/kerberos/

MAJOR CHANGES
=============

* Fix for MITKRB5-SA-2006-002: the RPC library could call an uninitialized function pointer, which created a security vulnerability for kadmind.

* Fix for MITKRB5-SA-2006-003: the GSS-API mechglue layer could fail to initialize some output pointers, causing callers to attempt to free uninitialized pointers. This caused a security vulnerability in kadmind.
From tlyu at MIT.EDU Sat Mar 10 16:21:23 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Sat, 10 Mar 2007 16:21:23 -0500
Subject: Kerberos for Windows version 3.1.1 updates DST behavior

MIT Kerberos for Windows version 3.1.1 contains installers which update the MS Visual C++ .NET 2003 C Runtime Libraries to provide correct Daylight Saving Time rules when the TZ environment variable is set. The kfw-3.1.1 installers contain the kfw-3.1.0 binaries and the updated C Runtime Libraries.

For existing installations, no change is required unless the TZ environment variable is in use. If it is, upgrading the KfW installation is required.

MIT Kerberos for Windows releases 2.6.5 and above use versions of the Microsoft Visual C++ .NET 2003 C Runtime Libraries which do not correctly compute the start of DST for the 2007 United States DST rule changes if the TZ environment variable is set. The TZ environment variable is normally not set, but it may have been set in order to support compatibility with specific applications.

Binaries and source code can be downloaded from the MIT Kerberos web site:

http://web.mit.edu/kerberos/dist/index.html