MITKRB5-SA-2004-002: double-free vulnerabilities
Tom Yu
tlyu at MIT.EDU
Tue Aug 31 14:29:57 EDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
MIT krb5 Security Advisory 2004-002
Original release: 2004-08-31
Topic: double-free vulnerabilities in KDC and libraries
Severity: CRITICAL
SUMMARY
=======
The MIT Kerberos 5 implementation's Key Distribution Center (KDC)
program contains a double-free vulnerability that potentially allows a
remote attacker to execute arbitrary code. Compromise of a KDC host
compromises the security of the entire authentication realm served by
the KDC. Additionally, double-free vulnerabilities exist in MIT
Kerberos 5 library code, making client programs and application
servers vulnerable.
Exploitation of double-free bugs is believed to be difficult. No
exploits are known to exist for these vulnerabilities.
IMPACT
======
* A unauthenticated remote attacker can potentially execute arbitrary
code on a KDC host, compromising an entire Kerberos
realm. [CAN-2004-0642]
* A remote attacker can potentially execute arbitrary code on a host
running krb524d, possibly compromising an entire Kerberos realm if
the host is a KDC host. [CAN-2004-0772]
* An authenticated attacker can also potentially execute arbitrary
code on hosts running vulnerable services. [CAN-2004-0643]
* An attacker impersonating a legitimate KDC or application server can
potentially execute arbitrary code on a client host while the client
is authenticating. [CAN-2004-0642]
AFFECTED SOFTWARE
=================
* KDC software from all releases of MIT Kerberos 5 up to and including
krb5-1.3.4. [CAN-2004-0642]
* The krb524d program from krb5-1.2.8 and later. The krb524d present
in earlier releases is vulnerable if it has been patched to disable
krb4 cross-realm functionality. [CAN-2004-0772]
* Applications calling the krb5_rd_cred() function in releases prior
to krb5-1.3.2. Such applications in the MIT krb5 releases include
the remote login daemons (krshd, klogind, and telnetd) and the FTP
daemon. The krb5_rd_cred() function decrypts and decodes forwarded
Kerberos credentials. Third-party applications calling this
function directly or indirectly (by means of the GSSAPI or other
libraries) are vulnerable. [CAN-2004-0643]
* Client code from all releases of MIT Kerberos 5 up to and including
krb5-1.3.4. Third-party applications directly or indirectly calling
client library functions may also be vulnerable. [CAN-2004-0642]
FIXES
=====
* The upcoming krb5-1.3.5 release will contain fixes for these
problems.
* Apply the appropriate patch or patches referenced below, and rebuild
the software.
- If you are running krb5-1.3 through krb5-1.3.4, apply
2004-002-patch_1.3.4.txt.
- If you are running krb5-1.3 through krb5-1.3.1, apply
2004-002-patch_1.3.1.txt.
- If you are running krb5-1.2.8, apply
2004-002-patch_1.2.8.txt.
- Things become more complicated if you are running krb5-1.2 through
krb5-1.2.7. The correct set of patches to apply will depend on
whether you have applied the patches to disable krb4 cross-realm
functionality [MITKRB5-SA-2003-004].
+ If you are running krb5-1.2.6 through krb5-1.2.7, and have
applied the patches to disable krb4 cross-realm functionality,
apply 2004-002-patch_1.2.8.txt.
+ If you are running krb5-1.2 through krb5-1.2.5, and have applied
the patches to disable krb4 cross-realm functionality, apply
2004-002-patch_1.2.7.txt, followed by
2004-002-k524d_patch_1.2.5.txt.
+ If you are running krb5-1.2 through krb5-1.2.7, and have not
applied the patches to disable krb4 cross-realm functionality,
apply 2004-002-patch_1.2.7.txt.
Summary chart of patches to apply for releases krb5-1.2 through krb5-1.2.7:
| patched for 2003-004 | not patched for 2003-004
-----------+--------------------------------+--------------------------
krb5-1.2.7 | |
-----------+ 2004-002-patch_1.2.8.txt |
krb5-1.2.6 | |
-----------+--------------------------------+ 2004-002-patch_1.2.7.txt
krb5-1.2.5 | 2004-002-patch_1.2.7.txt |
through | and |
krb5-1.2 | 2004-002-k524d_patch_1.2.5.txt |
Patches available:
* Patch for krb5-1.3.4 (2004-002-patch_1.3.4.txt)
* Patch for krb5-1.3.1 (2004-002-patch_1.3.1.txt)
* Patch for krb5-1.2.8 (2004-002-patch_1.2.8.txt)
* Patch for krb5-1.2.7 (2004-002-patch_1.2.7.txt)
* Patch for krb524d in krb5-1.2.5 which has been previously patched
to disable krb4 cross-realm (2004-002-k524d_patch_1.2.5.txt)
Note: Each patch are generated against the specific release noted
above. The patches may apply with some offset against other
compatible releases listed above.
2004-002-patch_1.3.4.txt
========================
http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt.asc
2004-002-patch_1.3.1.txt
========================
http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt.asc
2004-002-patch_1.2.8.txt
========================
http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.8.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2004-002-patch_128.txt.asc
2004-002-patch_1.2.7.txt
========================
http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt.asc
2004-002-k524d_patch_1.2.5.txt
==============================
http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt.asc
REFERENCES
==========
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CERT VU#795632
http://www.kb.cert.org/vuls/id/795632
CVE CAN-2004-0642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
KDC and client libraries double-free on error conditions in
MIT Kerberos 5 releases krb5-1.3.4 and earlier, allowing
unauthenticated remote attackers to execute arbitrary code
CERT VU#866472
http://www.kb.cert.org/vuls/id/866472
CVE CAN-2004-0643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
krb5_rd_cred() double-frees on error conditions in MIT
Kerberos 5 releases krb5-1.3.1 and earlier, allowing
authenticated attackers to execute arbitrary code
VU#350792
http://www.kb.cert.org/vuls/id/350792
CVE CAN-2004-0772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772
krb524d in krb5-1.2.8 and later double-frees on error
conditions, allowing remote attackers to execute arbitrary
code. Earlier releases patched for the krb4 protocol
vulnerability [MITKRB5-SA-2003-004] are also vulnerable.
ACKNOWLEDGMENTS
===============
Thanks to Will Fiveash and Nico Williams at Sun for finding some of
these vulnerabilities and for providing initial patches.
Thanks to Marc Horowitz for discovering the krb524d vulnerability.
Thanks to Nalin Dahyabhai for providing a corrected patch for krb524d
in releases krb5-1.2 through krb5-1.2.5 in cases where krb524d has
been patched to disable krb4 cross-realm functionality.
Thanks to Joseph Galbraith and John Hawkinson, who both independently
discovered the double-free in krb5_rd_cred() which was corrected in
release krb5-1.3.2.
DETAILS
=======
In the MIT krb5 library, in all releases up to and including
krb5-1.3.4, ASN.1 decoder functions and their callers do not use a
consistent set of memory management conventions. The callers expect
the decoders to allocate memory. The callers typically have
error-handling code which frees memory allocated by the ASN.1 decoders
if pointers to the allocated memory are non-null. Upon encountering
error conditions, the ASN.1 decoders themselves free memory which they
have allocated, but do not null the corresponding pointers. When some
library functions receive errors from the ASN.1 decoders, they attempt
to pass the non-null pointer (which points to freed memory) to free(),
causing a double-free.
In all releases of MIT krb5 up to and including krb5-1.3.4, cleanup
code in the KDC frees memory returned by ASN.1 decoders. This cleanup
code only frees memory pointed to by non-null pointers, but if an
ASN.1 decoder returns an error, the cleanup code will free memory
previously freed by the decoder.
Implementations of krb5_rd_cred() prior to the krb5-1.3.2 release
contained code to explicitly free the buffer returned by the ASN.1
decoder function decode_krb5_enc_cred_part() when the decoder returns
an error. This is another double-free, since the decoder would itself
free the buffer on error. Since decode_krb5_enc_cred_part() does not
get called unless the decryption of the encrypted part of the KRB-CRED
is successful, the attacker needs to have authenticated. This code
was corrected in the krb5-1.3.2 release.
The patch (introduced in krb5-1.2.8 and present in all subsequent
releases) for disabling krb4 cross-realm authentication in krb524d
introduced a double-free vulnerability. If handle_classic_v4() denies
the conversion of a cross-realm ticket, v5tkt->enc_part2 gets freed
but not nulled, so do_connection() double-frees many things when it
subsequently calls krb5_free_ticket().
REVISION HISTORY
================
2004-08-31 original release
Copyright (C) 2004 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)
iQCVAwUBQTTAUabDgE/zdoE9AQHSFwP/S0bIduge4dDmZiTlDEUa5L1CjESpAq3O
905Ru47xTmKqKpCC6cpIxpFqeXZAZkc8HzIp4kaZUNJ3+cik2Mg+YSdP5mM9ys67
geZZoF6pufgh9Ym4gMK6YJjYxsJgSrEbcpgrYv710GEy1SqsE2o7O0Y5WSYv3Df+
8Nz22+QoVzw=
=dpRb
-----END PGP SIGNATURE-----
More information about the kerberos-announce
mailing list