From tlyu at MIT.EDU Tue Jul 10 22:59:46 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 10 Jul 2007 22:59:46 -0400
Subject: krb5-1.6.2 is released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.6.2. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.6.2
===================================

You may retrieve the Kerberos 5 Release 1.6.2 source from the following URL:

    http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.6.2 release is:

    http://web.mit.edu/kerberos/krb5-1.6/

Further information about Kerberos 5 may be found at the following URL:

    http://web.mit.edu/kerberos/

MAJOR CHANGES
=============

* fix MITKRB5-SA-2007-004: kadmind affected by multiple RPC library vulnerabilities [CVE-2007-2442/VU#356961, CVE-2007-2443/VU#365313]

* fix MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow [CVE-2007-2798/VU#554257]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRpRHpqbDgE/zdoE9AQJ9pgP/fyCmzbkez/F6TG9FnIsreaAzhcnjSj8p
g9xaK8U9d9X5pBZSZ1qKySEm0a/ZMLzrQPU7g6WhjrhN/butHDDc7xLFp4JieZGv
a2sBhhYFn7IX+lg3nmCttqQQFnqeWbD+OZP6FVzNvlN1jm4KXBSUl0msB57YJysF
s3qsUWv5fhc=
=Luq2
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Tue Jul 10 22:59:54 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 10 Jul 2007 22:59:54 -0400
Subject: krb5-1.5.4 is released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.5.4. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes.

This is a security fix release. Note that the krb5-1.5.x release series is in maintenance, meaning that only critical bugs (including security vulnerabilities) will be fixed.
Please use a release from the krb5-1.6.x series if possible.

RETRIEVING KERBEROS 5 RELEASE 1.5.4
===================================

You may retrieve the Kerberos 5 Release 1.5.4 source from the following URL:

    http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.5.4 release is:

    http://web.mit.edu/kerberos/krb5-1.6/

Further information about Kerberos 5 may be found at the following URL:

    http://web.mit.edu/kerberos/

MAJOR CHANGES
=============

* fix MITKRB5-SA-2007-004: kadmind affected by multiple RPC library vulnerabilities [CVE-2007-2442/VU#356961, CVE-2007-2443/VU#365313]

* fix MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow [CVE-2007-2798/VU#554257]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRpRHtKbDgE/zdoE9AQJvDAP/V2OpphIlAMbv0DIwB/5s9FPzdOBtK117
dRYCXQQJVtFK1Tbe8FS2f3aQGGtVdWca71HQFFDbQOMY/pyv0lu8x6MucBsF/fpA
T1r7ebbinR9lw5bV6fFJGO7wRuTljPNy6j/4xsjceC+vwu9muTCZ6p/8eK6ZuZ+d
z2Zl8IB+/Zg=
=35DZ
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Thu Aug 16 18:31:37 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu, 16 Aug 2007 18:31:37 -0400
Subject: Kerberos for Windows 3.2.1 is released
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to announce the release of MIT's Kerberos for Windows product, Version 3.2.1. Please send bug reports and feedback to kfw-bugs at mit.edu.

Supported Versions of Microsoft Windows
=======================================

This release requires 32-bit editions of Microsoft Windows 2000 and higher or the WOW64 environment of 64-bit editions of Microsoft Windows XP and higher.

Downloads
=========

Binaries and source code can be downloaded from the MIT Kerberos web site:

    http://web.mit.edu/kerberos/dist/index.html

What's New in KFW 3.2.1:
========================

* Network Identity Manager Application

  o The default identity background color has been removed.
  o The Basic view updates to reflect deleted and modified identities.

  o The watermark can be controlled by a registry setting.

* Kerberos v5 Library Improvements

  o Based on krb5-1.6.2

What's New in KFW 3.2:
======================

* Network Identity Manager Application

  o A simplified basic mode has been added to the "obtain new credentials dialog". The basic mode replaces the credential browser with a button that can be used to access the advanced configuration functions. This advanced mode provides the credential browser and a tabbed view of the configuration dialogs for each of the available credential providers.

  o A simplified default application view that shows only the status of the active identities.

  o A new command-line option to netidmgr.exe is available to shut down a running instance of Network Identity Manager. Specify "-x" or "--exit" to force the existing instance to terminate.

  o The use of ellipses on menu items now follows the Windows Style Guide. An ellipsis is only used when additional information is required from the user before carrying out the designated action. If displaying a dialog is the action, no ellipsis is used.

  o Improved handling of window focus when opening and closing modal dialogs.

  o Reduce the number of alerts presented to the user by combining duplicates into a single alert.

  o Do not generate alerts if there is nothing that the user can do to correct the situation. Alerts that are displayed provide actions the user can take if desired.

  o Renew and Destroy menus provide "All" and "Individual identity names" as choices.

  o The Renew and Destroy toolbar buttons provide dropdown menus permitting the action to be applied to either "All" or one specific identity.

  o The "default" action of left-clicking the notification icon is now configurable. The default configuration is "open/close NIM window". The alternate is to open the new credentials dialog. This can be specified by the user on the General Options page.
  o The alerter window can now display multiple alerts simultaneously.

  o Ensure that the NIM window is displayed on an active desktop. If not, move it to the primary desktop and center it.

  o New Basic mode display that shows only the state of the identity and its expiration time. Use F7 or View->Advanced to switch to the previous display, which is configurable by the user to show details about each credential.

  o New Color Scheme derived from the current Windows Desktop Color Scheme.

  o Improved display updating algorithms reduce flicker.

  o The proper icon sizes are now used in the information bubble and the status bar.

  o Task Bar buttons are created for visible windows and dialogs.

  o Plug-in Help can now be added to the Help menu.

  o Improved HtmlHelp user documentation with Indexing.

  o Improved HtmlHelp developer documentation with Indexing.

  o Improved PDF user documentation.

* Network Identity Manager Kerberos v5 Support

  o Do not show cached prompts to the user if they have expired.

  o Correct the possibility that a krb5_ccache handle might be freed twice.

  o Import settings from the Kerberos Profile if there are no equivalent defaults specified in the registry. Support per-realm settings.

  o An identity that matches the MSLSA will not renew its credentials from the MSLSA if the user obtained the credentials from elsewhere.

  o When importing an identity from the MSLSA that has never been seen before, create an entry in the identity database.

  o Do not attempt to renew non-renewable identities.

  o Permit an identity to be configured as the default identity even if it doesn't have any credentials.

* Kerberos v5 Library Improvements

  o Based on MIT release 1.6+

  o On Vista, the MSLSA: krb5_ccache can be used to store tickets, including TGTs for alternative principals, in the LSA credential cache.

  o On Vista, a more efficient interface for enumerating the contents of the LSA credential cache is available.

  o Vista support is only built if the Vista SDK version of NTSecAPI.H is used.
  o On Vista, if a process is UAC limited, the MSLSA will report that no tickets are present in the cache rather than return tickets with invalid session keys.

  o get_os_ccname() uses GetEnvironmentVariable() instead of getenv() to read the KRB5CCNAME environment variable. This allows the correct default credential cache name to be returned by krb5_cc_default_name(). This works around a problem where a gssapi application would trigger an Obtain New Credentials prompt from NIM only to have it obtain the wrong credential cache.

* Winsock Helper Library Improvements

  o DNS queries that terminate with a dot would not properly match the hostnames listed within the DNS response, preventing a successful return. This resulted in "kinit -4" failing to find the KDCs.

* Integrated Logon Improvements

  o Remove the reliance on the Windows Logon Event handler and replace it with a LogonScript that executes kfwlogon.dll via a call to rundll32.exe. This change permits the integrated logon functionality to work on all supported platforms: Windows 2000 to Windows Vista.

  o Disable the use of integrated logon if the Network Provider is called as a result of a non-interactive logon. The non-interactive logon does not process the specified LogonScript. As a result, the intermediate credential cache file would not be processed nor cleaned up.

  o Obtained credentials are stored into an API credential cache whose name is API:

  o Add a debugging mode which, when activated, logs to the Windows Application Event Log.

      [HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider]
      DWORD "Debug"

* Leash32 Library Changes

  o Modify the leash functions to use krb5_string_to_deltat() to parse ticket_lifetime and renew_lifetime from the profile. Previously the leash functions expected those fields to be an integer representation of minutes without the use of any units. This change is for consistency with KFM and the rest of the krb5 library.
  o Modify the private functions acquire_tkt_for_princ() and acquire_tkt_no_princ() that are called from gssapi32.dll so that they will work on Windows Vista and so that the MSLSA: principal is only imported if it matches the default identity and no credentials for that identity are present.

  o Remove all AFS functionality.

Microsoft Vista User Account Control (UAC)
==========================================

Microsoft Vista UAC mode prevents accounts that are members of the local Administrators group from accessing Kerberos session keys from the LSA credentials cache. The MIT Kerberos MSLSA krb5_ccache type will not report the existence of Kerberos tickets which do not have valid session keys. Users are encouraged to log in to Microsoft Vista with accounts that are not members of the local machine Administrators group in order to obtain the best single sign-on experience with MIT Kerberos for Windows and Network Identity Manager.

Acknowledgments
===============

Thanks to Stanford University for funding Secure Endpoints Inc.'s implementation of many of the Network Identity Manager user experience improvements, including the user-configurable default action, the revised "Obtain New Credentials" dialog, the new default application view, and the improved alert management.

Secure Endpoints Inc. wishes to acknowledge the work of Asanka Herath on Network Identity Manager (NIM). NIM would not be the same without him. For information on Secure Endpoints Inc.'s future plans for NIM please see

    http://www.secure-endpoints.com/netidmgr/roadmap.html

A special thanks to Kevin Koch, the newest member of the MIT Kerberos team, for his work on the automated build scripts used to produce this release.

Important notice regarding Kerberos 4 support
=============================================

In the past few years, several developments have shown the inadequacy of the security of version 4 of the Kerberos protocol.
These developments have led the MIT Kerberos Team to begin the process of ending support for version 4 of the Kerberos protocol. The plan involves the eventual removal of Kerberos 4 support from the MIT implementation of Kerberos.

The Data Encryption Standard (DES) has reached the end of its useful life. DES is the only encryption algorithm supported by Kerberos 4, and the increasingly obvious inadequacy of DES motivates the retirement of the Kerberos 4 protocol. The National Institute of Standards and Technology (NIST), which had previously certified DES as a US government encryption standard, has officially announced[1] the withdrawal of the Federal Information Processing Standards (FIPS) for DES. NIST's action reflects the long-held opinion of the cryptographic community that DES has too small a key space to be secure. Breaking DES encryption by an exhaustive search of its key space is within the means of some individuals, many companies, and all major governments. Consequently, DES cannot be considered secure for any long-term keys, particularly the ticket-granting key that is central to Kerberos.

Serious protocol flaws[2] have been found in Kerberos 4. These flaws permit attacks which require far less effort than an exhaustive search of the DES key space. These flaws make Kerberos 4 cross-realm authentication an unacceptable security risk and raise serious questions about the security of the entire Kerberos 4 protocol.

The known insecurity of DES, combined with the recently discovered protocol flaws, makes it extremely inadvisable to rely on the security of version 4 of the Kerberos protocol. These factors motivate the MIT Kerberos Team to remove support for Kerberos version 4 from the MIT implementation of Kerberos.

The process of ending Kerberos 4 support began with release 1.3 of MIT Kerberos 5. In release 1.3, the default run-time configuration of the KDC disables support for version 4 of the Kerberos protocol.
Release 1.4 of MIT Kerberos continues to include Kerberos 4 support (also disabled in the KDC with the default run-time configuration), but we intend to completely remove Kerberos 4 support from some future release of MIT Kerberos.

The MIT Kerberos Team has ended active development of Kerberos 4, except for the eventual removal of all Kerberos 4 functionality. We will continue to provide critical security fixes for Kerberos 4, but routine bug fixes and feature enhancements are at an end.

We recommend that any sites which have not already done so begin a migration to Kerberos 5. Kerberos 5 provides significant advantages over Kerberos 4, including support for strong encryption, extensibility, improved cross-vendor interoperability, and ongoing development and enhancement. If you have questions or issues regarding migration to Kerberos 5, we recommend discussing them on the kerberos at mit.edu mailing list.

References

[1] National Institute of Standards and Technology. Announcing Approval of the Withdrawal of Federal Information Processing Standard (FIPS) 43-3, Data Encryption Standard (DES); FIPS 74, Guidelines for Implementing and Using the NBS Data Encryption Standard; and FIPS 81, DES Modes of Operation. Federal Register 05-9945, 70 FR 28907-28908, 19 May 2005. DOCID:fr19my05-45

[2] Tom Yu, Sam Hartman, and Ken Raeburn. The Perils of Unauthenticated Encryption: Kerberos Version 4. In Proceedings of the Network and Distributed Systems Security Symposium. The Internet Society, February 2004.
    http://web.mit.edu/tlyu/papers/krb4peril-ndss04.pdf

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRsTQTqbDgE/zdoE9AQKttgP9Gxsee1McT4ic6/ZaXBW6/1Kd4jpcQjCh
8Bl4akvQUTPfcnwDRjcDfM7YYPEyZurSelrP8WiKyymBMyKOqs0rEFvrvUevLIvz
EzMh0bQJkaetlHmzGiAQuBZB7SFEDBXEGhG6Ko1VePrBw+hLgZrlidlRtr9Y0Tgn
MP/zif3bPhs=
=zLSJ
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Tue Sep 4 14:15:56 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 04 Sep 2007 14:15:56 -0400
Subject: MITKRB5-SA-2007-006: kadmind RPC lib buffer overflow, uninitialized pointer
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MIT krb5 Security Advisory 2007-006

Original release: 2007-09-04
Last update: 2007-09-04

Topic: kadmind RPC lib buffer overflow, uninitialized pointer

[CVE-2007-3999/VU#883632] RPC library buffer overflow

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      10
Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8
Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

[CVE-2007-4000/VU#377544] kadmind uninitialized pointer

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

See DETAILS for the expanded CVSSv2 metrics for this vulnerability.

SUMMARY
=======

This advisory concerns two vulnerabilities. CVE-2007-3999 is much easier to exploit than CVE-2007-4000.

[CVE-2007-3999]

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow in the RPCSEC_GSS authentication flavor of the RPC library. Third-party applications using the RPC library provided with MIT krb5 may also be affected. We have received a proof-of-concept exploit that does not appear to execute malicious code, and we believe that this exploit is not publicly circulated.

This is a bug in the RPC library in MIT krb5. It is not a bug in the Kerberos protocol.
[CVE-2007-4000]

The MIT krb5 Kerberos administration daemon (kadmind) can write data through an uninitialized pointer. We know of no working exploit code for this vulnerability, and do not believe that any exploit code for this vulnerability is circulating.

This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos protocol.

IMPACT
======

[CVE-2007-3999]

An unauthenticated remote user may be able to cause a host running kadmind to execute arbitrary code.

[CVE-2007-4000]

An authenticated user with "modify policy" privilege may be able to cause a host running kadmind to execute arbitrary code.

Successful exploitation of either vulnerability can compromise the Kerberos key database and host security on the KDC host. (kadmind typically runs as root.) Unsuccessful exploitation attempts will likely result in kadmind crashing.

Third-party applications calling the RPC library provided with MIT krb5 may be vulnerable to CVE-2007-3999.

AFFECTED SOFTWARE
=================

[CVE-2007-3999]

* kadmind in MIT releases krb5-1.4 through krb5-1.6.2

* third-party RPC server programs linked against the RPC library included in MIT releases krb5-1.4 through krb5-1.6.2

* MIT releases prior to krb5-1.4 did not contain the vulnerable code

[CVE-2007-4000]

* kadmind in MIT releases krb5-1.5 through krb5-1.6.2

* MIT releases prior to krb5-1.5 did not contain the vulnerable code

FIXES
=====

* The upcoming krb5-1.6.3 release, as well as the upcoming krb5-1.5.5 maintenance release, will contain fixes for this vulnerability. Prior to that release you may apply the following patch. Note that releases prior to krb5-1.5 will not need the svr_policy.c patch.

*** src/lib/kadm5/srv/svr_policy.c (revision 20254) - --- src/lib/kadm5/srv/svr_policy.c (local) *************** *** 211,218 **** if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; ! ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt); !
if( ret && (cnt==0) ) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) - --- 211,219 ---- if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; ! if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) ! return ret; ! if (cnt != 1) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) *** src/lib/rpc/svc_auth_gss.c (revision 20254) - --- src/lib/rpc/svc_auth_gss.c (local) *************** *** 339,345 **** oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); ! if (oa->oa_length) { memcpy((caddr_t)buf, oa->oa_base, oa->oa_length); buf += RNDUP(oa->oa_length) / sizeof(int32_t); } - --- 339,345 ---- oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); ! if (oa->oa_length && oa->oa_length <= sizeof(rpchdr)) { memcpy((caddr_t)buf, oa->oa_base, oa->oa_length); buf += RNDUP(oa->oa_length) / sizeof(int32_t); }

This patch is also available at

    http://web.mit.edu/kerberos/advisories/2007-006-patch.txt

A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisories/2007-006-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

CVSSv2:
    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2007-3999
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3999

CERT: VU#883632
    http://www.kb.cert.org/vuls/id/883632

CVE: CVE-2007-4000
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4000

CERT: VU#377544
    http://www.kb.cert.org/vuls/id/377544

ACKNOWLEDGMENTS
===============

CVE-2007-3999 was discovered by Tenable Network Security and reported to the MIT Kerberos Team by the Zero Day Initiative (ZDI) of the
TippingPoint division of 3Com.

CVE-2007-4000 was discovered by Garrett Wollman of MIT CSAIL.

DETAILS
=======

[CVE-2007-3999]

The implementation of the RPCSEC_GSS authentication flavor copies untrusted data having an inadequately-validated length into a buffer on the stack. In the function svcauth_gss_validate() in src/lib/rpc/svc_auth_gss.c, which authenticates the incoming RPC message, a memcpy() invocation copies a number of bytes into the 128-byte stack buffer "rpchdr". The length provided to this memcpy() invocation comes from the RPC header and may be maliciously chosen. The invocation of xdr_callmsg(), which provides the decoded rpc_msg structure used by svcauth_gss_validate(), ensures that the provided length does not exceed MAX_AUTH_BYTES, which is 400, but the destination buffer is smaller than this size and can be trivially overflowed.

The vulnerable code executes prior to the completion of authentication of the RPC message, and therefore requires no authentication to exploit. Exploitation of stack buffer overflows is trivial on many platforms.

[CVE-2007-4000]

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.1
Access Vector:          Network
Access Complexity:      High
Authentication:         Single
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  5.6
Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The function kadm5_modify_policy_internal() in src/lib/kadm5/srv/svr_policy.c does not check return values from krb5_db_get_policy() correctly. When the policy does not exist, krb5_db_get_policy() returns zero but sets the count of retrieved records to zero without initializing the output pointer. Subsequent code in kadm5_modify_policy_internal() can attempt to write data through this pointer, causing memory corruption.

This vulnerability was not present in MIT releases prior to krb5-1.5.
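Review bot: in the svr_policy.c hunk (211,218), the old guard `if( ret && (cnt==0) ) return KADM5_UNK_POLICY;` rejected only when krb5_db_get_policy() both failed and returned nothing, so the case the DETAILS section describes (return value zero, cnt zero, p never assigned) fell straight through to the `KADM5_PW_MAX_LIFE` code that writes through p; the replacement `if ((ret = krb5_db_get_policy(...))) return ret;` followed by `if (cnt != 1) return KADM5_UNK_POLICY;` closes that hole and also stops a nonzero ret with cnt == 1 from being treated as success. One thing to settle: cnt > 1 is now reported as KADM5_UNK_POLICY too, which is a misleading message if the backend can ever return several records for one name; a comment, or a distinct error, would make the intent explicit.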
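Review bot: the svc_auth_gss.c hunk's new guard `if (oa->oa_length && oa->oa_length <= sizeof(rpchdr))` bounds the credential length against the whole rpchdr buffer, but buf has already been advanced past the header words written by the preceding IXDR_PUT calls (the two visible in the hunk, `IXDR_PUT_ENUM(buf, oa->oa_flavor)` and `IXDR_PUT_LONG(buf, oa->oa_length)`, plus the message words written before them; the revised patch later in this thread counts eight XDR units in all), so a credential of up to sizeof(rpchdr) bytes still runs past the end of the buffer by the size of those words, which the updated advisory quantifies as 32 bytes. The check needs to be header bytes already written plus RNDUP(oa->oa_length) against sizeof(rpchdr), using RNDUP because the following `buf += RNDUP(oa->oa_length) / sizeof(int32_t);` advances by the padded length. Separately, when the test fails this hunk silently skips the memcpy and signs a header with the credential omitted; returning FALSE from svcauth_gss_validate() before anything is written is the safer failure mode.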
In the krb5-1.5 release, changes related to the implementation of the Database Abstraction Layer introduced this vulnerability.

REVISION HISTORY
================

2007-09-04 original release

Copyright (C) 2007 Massachusetts Institute of Technology

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRt2eBabDgE/zdoE9AQKxOQP+PQW4p5KjJjeJf7oGQgNqdWZVxvgR90Pn
eCmgrgiOupGHAr8U3bhoyNSLMMBGl4BcTh1JF7iCm0MUiishD1vEenw+OVne4QR4
bVWDufAplHzxyVu4nXoEGA/2OXOOlMTHUAST1t4htEi/FbaJoVZZqXqmdMhpIN9k
yA55MUV1cUc=
=zETh
-----END PGP SIGNATURE-----

From tlyu at MIT.EDU Wed Sep 5 16:44:55 2007
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed, 05 Sep 2007 16:44:55 -0400
Subject: updated patch: MITKRB5-SA-2007-006: kadmind RPC lib buffer overflow, uninitialized pointer
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team has discovered a problem with the originally published patch for svc_auth_gss.c [CVE-2007-3999], which allowed a 32-byte overflow. Depending on the compilation environment and machine architecture, this may or may not be a significant continued vulnerability. The new patch in the updated advisory (below) correctly checks the buffer length.

Thanks to Kevin Coffman (UMich), Will Fiveash (Sun), and Nico Williams (Sun) for discovering the bug in the initial CVE-2007-3999 patch and for help with developing the revised patch for CVE-2007-3999.
====================

MIT krb5 Security Advisory 2007-006

Original release: 2007-09-04
Last update: 2007-09-05

Topic: kadmind RPC lib buffer overflow, uninitialized pointer

[CVE-2007-3999/VU#883632] RPC library buffer overflow

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      10
Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8
Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

[CVE-2007-4000/VU#377544] kadmind uninitialized pointer

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

See DETAILS for the expanded CVSSv2 metrics for this vulnerability.

SUMMARY
=======

This advisory concerns two vulnerabilities. CVE-2007-3999 is much easier to exploit than CVE-2007-4000.

[CVE-2007-3999]

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow in the RPCSEC_GSS authentication flavor of the RPC library. Third-party applications using the RPC library provided with MIT krb5 may also be affected. We have received a proof-of-concept exploit that does not appear to execute malicious code, and we believe that this exploit is not publicly circulated.

This is a bug in the RPC library in MIT krb5. It is not a bug in the Kerberos protocol.

[CVE-2007-4000]

The MIT krb5 Kerberos administration daemon (kadmind) can write data through an uninitialized pointer. We know of no working exploit code for this vulnerability, and do not believe that any exploit code for this vulnerability is circulating.

This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos protocol.

IMPACT
======

[CVE-2007-3999]

An unauthenticated remote user may be able to cause a host running kadmind to execute arbitrary code.
[CVE-2007-4000]

An authenticated user with "modify policy" privilege may be able to cause a host running kadmind to execute arbitrary code.

Successful exploitation of either vulnerability can compromise the Kerberos key database and host security on the KDC host. (kadmind typically runs as root.) Unsuccessful exploitation attempts will likely result in kadmind crashing.

Third-party applications calling the RPC library provided with MIT krb5 may be vulnerable to CVE-2007-3999.

AFFECTED SOFTWARE
=================

[CVE-2007-3999]

* kadmind in MIT releases krb5-1.4 through krb5-1.6.2

* third-party RPC server programs linked against the RPC library included in MIT releases krb5-1.4 through krb5-1.6.2

* MIT releases prior to krb5-1.4 did not contain the vulnerable code

[CVE-2007-4000]

* kadmind in MIT releases krb5-1.5 through krb5-1.6.2

* MIT releases prior to krb5-1.5 did not contain the vulnerable code

FIXES
=====

* The patch for CVE-2007-3999 has been revised; the patch originally released for svc_auth_gss.c allowed a 32-byte overflow. Depending on the compilation environment and machine architecture, this may or may not be a significant continued vulnerability. The new patch below correctly checks the buffer length.

* The upcoming krb5-1.6.3 release, as well as the upcoming krb5-1.5.5 maintenance release, will contain fixes for this vulnerability. Prior to that release you may apply the following patch. Note that releases prior to krb5-1.5 will not need the svr_policy.c patch.

*** src/lib/kadm5/srv/svr_policy.c (revision 20254) - --- src/lib/kadm5/srv/svr_policy.c (local) *************** *** 211,218 **** if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; ! ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt); ! if( ret && (cnt==0) ) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) - --- 211,219 ---- if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; ! if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) ! return ret; !
if (cnt != 1) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) *** src/lib/rpc/svc_auth_gss.c (revision 20474) - --- src/lib/rpc/svc_auth_gss.c (local) *************** *** 355,360 **** - --- 355,369 ---- memset(rpchdr, 0, sizeof(rpchdr)); /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */ + oa = &msg->rm_call.cb_cred; + if (oa->oa_length > MAX_AUTH_BYTES) + return (FALSE); + + /* 8 XDR units from the IXDR macro calls. */ + if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + + RNDUP(oa->oa_length))) + return (FALSE); + buf = (int32_t *)(void *)rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); IXDR_PUT_ENUM(buf, msg->rm_direction); *************** *** 362,368 **** IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) { - --- 371,376 ----

This patch is also available at

    http://web.mit.edu/kerberos/advisories/2007-006-patch.txt

A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisories/2007-006-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

CVSSv2:
    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2007-3999
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3999

CERT: VU#883632
    http://www.kb.cert.org/vuls/id/883632

CVE: CVE-2007-4000
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4000

CERT: VU#377544
    http://www.kb.cert.org/vuls/id/377544

ACKNOWLEDGMENTS
===============

Thanks to Kevin Coffman (UMich), Will Fiveash (Sun), and Nico Williams (Sun) for discovering the bug in the
initial CVE-2007-3999 patch and for help with developing the revised patch for CVE-2007-3999.

CVE-2007-3999 was discovered by Tenable Network Security and reported to the MIT Kerberos Team by the Zero Day Initiative (ZDI) of the TippingPoint division of 3Com.

CVE-2007-4000 was discovered by Garrett Wollman of MIT CSAIL.

DETAILS
=======

[CVE-2007-3999]

The implementation of the RPCSEC_GSS authentication flavor copies untrusted data having an inadequately-validated length into a buffer on the stack. In the function svcauth_gss_validate() in src/lib/rpc/svc_auth_gss.c, which authenticates the incoming RPC message, a memcpy() invocation copies a number of bytes into the 128-byte stack buffer "rpchdr". The length provided to this memcpy() invocation comes from the RPC header and may be maliciously chosen. The invocation of xdr_callmsg(), which provides the decoded rpc_msg structure used by svcauth_gss_validate(), ensures that the provided length does not exceed MAX_AUTH_BYTES, which is 400, but the destination buffer is smaller than this size and can be trivially overflowed.

The vulnerable code executes prior to the completion of authentication of the RPC message, and therefore requires no authentication to exploit. Exploitation of stack buffer overflows is trivial on many platforms.

[CVE-2007-4000]

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.1
Access Vector:          Network
Access Complexity:      High
Authentication:         Single
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  5.6
Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The function kadm5_modify_policy_internal() in src/lib/kadm5/srv/svr_policy.c does not check return values from krb5_db_get_policy() correctly. When the policy does not exist, krb5_db_get_policy() returns zero but sets the count of retrieved records to zero without initializing the output pointer.
Subsequent code in kadm5_modify_policy_internal() can attempt to write data through this pointer, causing memory corruption.

This vulnerability was not present in MIT releases prior to krb5-1.5. In the krb5-1.5 release, changes related to the implementation of the Database Abstraction Layer introduced this vulnerability.

REVISION HISTORY
================

2007-09-05 CVE-2007-3999 patch revised due to 32-byte overflow
2007-09-04 original release

Copyright (C) 2007 Massachusetts Institute of Technology

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCUAwUBRt8VTqbDgE/zdoE9AQLj2gP3UW0If47aWZqsGtJLaqwhTJg8uqcnKc9e
wD5inBGsp1I4nud0OLbom7HrIP3akpCSaK+x5TfkuO9kql50HazeyX5isaU9ntUn
8AHxGZBQxQim7qotUnCPbPea2uj0rFHVPbauNvGGB00SFYDCrVmmTLRdIxqHKL2Y
nLyNdGZ/7g==
=Bytn
-----END PGP SIGNATURE-----
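Review bot: the svr_policy.c hunk (211,218) in the revised patch is unchanged from the 2007-09-04 patch and propagates the raw krb5_db_get_policy() error with `return ret;` rather than a KADM5 code; that is fine as long as every caller of kadm5_modify_policy_internal() already expects krb5 error values in that position, which is worth confirming, since the function's other early returns in the same hunk (KADM5_BAD_MASK, KADM5_UNK_POLICY) are all kadm5 codes.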
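Review bot: the first svc_auth_gss.c hunk (355,360 to 355,369) places the bounds check before `buf = (int32_t *)(void *)rpchdr;`, so a rejected message never writes a byte into rpchdr, and the size test `sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + RNDUP(oa->oa_length))` counts the padded credential the same way the later `buf += RNDUP(...)` does; both are right. Two points: the preceding `if (oa->oa_length > MAX_AUTH_BYTES) return (FALSE);` is redundant with that size test for any rpchdr smaller than MAX_AUTH_BYTES (the advisory gives 128 versus 400), so it is worth keeping only as documentation of xdr_callmsg()'s contract; and the literal 8 in `8 * BYTES_PER_XDR_UNIT` is tied to the exact number of IXDR_PUT calls that follow, so a field added to the header later silently invalidates it. Deriving the count from a named constant shared with the put sequence, or at least extending the comment to list the eight words, would keep the two from drifting apart.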
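Review bot: the second svc_auth_gss.c hunk (362,368 to 371,376) only deletes the `oa = &msg->rm_call.cb_cred;` that the first hunk moved up, so it cannot be applied on its own; the `if (oa->oa_length) {` memcpy that follows is left as is, which means the bounds enforcement for that copy now lives entirely in the earlier pre-check. A one-line comment at the memcpy pointing back to that check would keep a later change from reintroducing a local `oa_length <= sizeof(rpchdr)` test like the one the withdrawn patch had.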
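The length arithmetic that CVE-2007-3999 and the two versions of its patch turn on, as an added example that is not code from MIT krb5 or from either advisory above: it models the rebuilt RPC header described in the DETAILS sections of both the original and the updated advisory (a 128-byte buffer, eight XDR words written before the credential, a credential length that xdr_callmsg() caps at MAX_AUTH_BYTES = 400), compares the check from the withdrawn first patch with the one from the revised patch, and serializes the header into a caller-supplied buffer only when it fits. The struct, the constants and the function names are this example's own; krb5's rpc_msg layout and its IXDR macros are not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes named in the advisory: the stack buffer and the xdr_callmsg() cap. */
#define RPCHDR_SIZE     128
#define AUTH_BYTES_CAP  400

/* XDR encodes every field in 4-byte big-endian units, padded up. */
#define XDR_UNIT        4
#define XDR_RNDUP(n)    ((((size_t)(n)) + XDR_UNIT - 1) / XDR_UNIT * XDR_UNIT)

/* Words written before the credential body: xid, direction, rpcvers,
 * prog, vers, proc, oa_flavor, oa_length.  The revised patch calls this
 * "8 XDR units from the IXDR macro calls". */
#define FIXED_HDR_WORDS 8
#define FIXED_HDR_BYTES (FIXED_HDR_WORDS * XDR_UNIT)

/* Constructed stand-in for the decoded call message (not krb5's rpc_msg). */
struct call_hdr {
    uint32_t xid, direction, rpcvers, prog, vers, proc;
    uint32_t oa_flavor;
    uint32_t oa_length;        /* attacker-controlled, taken from the wire */
    const uint8_t *oa_base;    /* credential bytes, oa_length of them */
};

/* Bytes the rebuilt header occupies: fixed words plus the padded credential. */
size_t header_bytes_needed(uint32_t oa_length)
{
    return FIXED_HDR_BYTES + XDR_RNDUP(oa_length);
}

/* Guard from the first (2007-09-04) patch: compares the credential length
 * against the whole buffer and ignores the FIXED_HDR_BYTES already written. */
bool first_patch_accepts(uint32_t oa_length)
{
    return oa_length <= RPCHDR_SIZE;
}

/* Guard from the revised (2007-09-05) patch: cap the length, then require
 * that fixed words plus padded credential fit in the buffer. */
bool revised_patch_accepts(uint32_t oa_length)
{
    if (oa_length > AUTH_BYTES_CAP)
        return false;
    return RPCHDR_SIZE >= header_bytes_needed(oa_length);
}

/* Largest number of bytes the first patch still lets run past the buffer. */
size_t first_patch_max_overflow(void)
{
    size_t worst = 0;
    for (uint32_t len = 0; len <= AUTH_BYTES_CAP; len++) {
        if (!first_patch_accepts(len))
            continue;
        size_t need = header_bytes_needed(len);
        if (need > RPCHDR_SIZE && need - RPCHDR_SIZE > worst)
            worst = need - RPCHDR_SIZE;
    }
    return worst;
}

static uint8_t *put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return p + 4;
}

/* Rebuild the header for signing into out[out_len].  Returns the number of
 * bytes written, or 0 if the message is rejected.  Nothing is written on
 * rejection, the order the revised patch uses. */
size_t rebuild_rpc_header(uint8_t *out, size_t out_len, const struct call_hdr *m)
{
    if (m->oa_length > AUTH_BYTES_CAP)
        return 0;
    size_t need = header_bytes_needed(m->oa_length);
    if (need > out_len)
        return 0;

    memset(out, 0, out_len);                 /* padding bytes stay zero */
    uint8_t *p = out;
    const uint32_t words[FIXED_HDR_WORDS] = {
        m->xid, m->direction, m->rpcvers, m->prog, m->vers, m->proc,
        m->oa_flavor, m->oa_length
    };
    for (size_t i = 0; i < FIXED_HDR_WORDS; i++)
        p = put_u32(p, words[i]);
    if (m->oa_length)
        memcpy(p, m->oa_base, m->oa_length);
    return need;
}

int main(void)
{
    uint8_t cred[128];
    memset(cred, 0x41, sizeof cred);         /* constructed credential blob */
    /* flavor 6 is the RPCSEC_GSS auth flavor number; other values are arbitrary */
    struct call_hdr m = { 0x1234, 0, 2, 100001, 2, 1, 6, 128, cred };
    uint8_t hdr[RPCHDR_SIZE];

    printf("first patch accepts a 128-byte credential: %d (header needs %zu bytes)\n",
           first_patch_accepts(m.oa_length), header_bytes_needed(m.oa_length));
    printf("worst overflow the first patch allows: %zu bytes\n",
           first_patch_max_overflow());
    printf("revised check accepts it: %d; bytes rebuilt: %zu\n",
           revised_patch_accepts(m.oa_length), rebuild_rpc_header(hdr, sizeof hdr, &m));
    return 0;
}
```

With a 128-byte buffer and eight header words, the largest credential the revised check admits is 96 bytes; the first patch admits 128, which needs 160 bytes of buffer, hence the 32-byte figure in the updated advisory.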
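The return-value and record-count contract that CVE-2007-4000 turns on, as an added example that is not MIT krb5 code: a constructed one-entry policy store whose lookup behaves the way the DETAILS sections above describe krb5_db_get_policy() (returns 0 with a zero count and leaves the output pointer untouched when the name is unknown), the buggy and the fixed acceptance conditions as they appear in the svr_policy.c hunk, and a wrapper that reports which combination reaches the write. The names, error codes and the NULL sentinel standing in for uninitialized stack contents are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in error codes for this example, not kadm5's values. */
#define EX_UNK_POLICY 1
#define EX_DB_ERROR   2

/* Constructed policy record; the real kadm5 policy has many more fields. */
struct policy {
    const char *name;
    long pw_max_life;
};

static struct policy store[] = { { "default", 30L * 86400 } };

/* Lookup with the contract the advisory describes: on an unknown name it
 * returns 0 (success) and sets *count = 0 but does NOT touch *out.  A caller
 * that only tests the return code proceeds with whatever *out already held. */
int db_get_policy(const char *name, struct policy **out, int *count, bool inject_error)
{
    if (inject_error) {
        *count = 0;
        return EX_DB_ERROR;
    }
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++) {
        if (strcmp(store[i].name, name) == 0) {
            *out = &store[i];
            *count = 1;
            return 0;
        }
    }
    *count = 0;
    return 0;                     /* "not found" is not an error here */
}

/* Acceptance test from the vulnerable code, "ret && (cnt==0)": rejects
 * only when the lookup failed AND returned nothing. */
bool buggy_check_proceeds(int ret, int cnt)
{
    return !(ret && cnt == 0);
}

/* Acceptance test from the patch: any error is returned to the caller, and
 * exactly one record is required before the pointer is used. */
bool fixed_check_proceeds(int ret, int cnt)
{
    if (ret)
        return false;
    return cnt == 1;
}

/* WRITES_GARBAGE means the code reached the write through a pointer the
 * lookup never set; in kadmind that is the memory-corrupting store. */
enum outcome { REJECTED, WRITES_RECORD, WRITES_GARBAGE };

enum outcome modify_policy(const char *name, long new_max_life,
                           bool use_fixed, bool inject_error)
{
    struct policy *p = NULL;      /* sentinel for "never assigned" */
    int cnt = -1;
    int ret = db_get_policy(name, &p, &cnt, inject_error);

    bool proceed = use_fixed ? fixed_check_proceeds(ret, cnt)
                             : buggy_check_proceeds(ret, cnt);
    if (!proceed)
        return REJECTED;
    if (p == NULL)
        return WRITES_GARBAGE;
    p->pw_max_life = new_max_life;
    return WRITES_RECORD;
}

int main(void)
{
    static const char *label[] = { "REJECTED", "WRITES_RECORD", "WRITES_GARBAGE" };
    printf("unknown policy, buggy check: %s\n", label[modify_policy("nosuch", 1, false, false)]);
    printf("unknown policy, fixed check: %s\n", label[modify_policy("nosuch", 1, true, false)]);
    printf("known policy,   fixed check: %s\n", label[modify_policy("default", 7, true, false)]);
    printf("backend error,  buggy check: %s\n", label[modify_policy("default", 7, false, true)]);
    return 0;
}
```

The table the wrapper produces is the point: the old condition is correct in the two cases where ret and cnt agree and wrong in the success-with-zero-records case, which is exactly the one a caller can trigger by naming a policy that does not exist.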