MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow

Tom Yu tlyu at MIT.EDU
Tue Jun 26 14:01:27 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-005

Original release: 2007-06-26
Last update: 2007-06-26

Topic: kadmind vulnerable to buffer overflow

Severity: CRITICAL

CVE: CVE-2007-2798
CERT: VU#554257

SUMMARY
=======

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow.

Exploitation of overflows of stack buffers is known to be simple.  We
have received a proof-of-concept exploit which may invoke a shell, but
we believe that this exploit is not publicly circulated.

This is a bug in kadmind in MIT krb5.  It is not a bug in the Kerberos
protocol.

IMPACT
======

An authenticated remote user may be able to cause a host running
kadmind to execute arbitrary code.

Successful exploitation can compromise the Kerberos key database and
host security on the KDC host.  (kadmind typically runs as root.)
Unsuccessful exploitation attempts will likely result in kadmind
crashing.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases up to and including krb5-1.6.1

FIXES
=====

* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
  maintenance release, will contain fixes for this vulnerability.

Prior to that release you may:

* apply the patch

This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite.
The krb5-1.6.1 and krb5-1.5.3 releases already contains the
prerequisite patch.

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-005-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc

*** src/kadmin/server/server_stubs.c	(revision 20024)
- --- src/kadmin/server/server_stubs.c	(local)
***************
*** 545,557 ****
      static generic_ret		ret;
      char			*prime_arg1,
  				*prime_arg2;
- -     char			prime_arg[BUFSIZ];
      gss_buffer_desc		client_name,
  				service_name;
      OM_uint32			minor_stat;
      kadm5_server_handle_t	handle;
      restriction_t		*rp;
      char                        *errmsg;
  
      xdr_free(xdr_generic_ret, &ret);
  
- --- 545,558 ----
      static generic_ret		ret;
      char			*prime_arg1,
  				*prime_arg2;
      gss_buffer_desc		client_name,
  				service_name;
      OM_uint32			minor_stat;
      kadm5_server_handle_t	handle;
      restriction_t		*rp;
      char                        *errmsg;
+     size_t			tlen1, tlen2, clen, slen;
+     char			*tdots1, *tdots2, *cdots, *sdots;
  
      xdr_free(xdr_generic_ret, &ret);
  
***************
*** 572,578 ****
  	 ret.code = KADM5_BAD_PRINCIPAL;
  	 goto exit_func;
      }
!     sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
  
      ret.code = KADM5_OK;
      if (! CHANGEPW_SERVICE(rqstp)) {
- --- 573,586 ----
  	 ret.code = KADM5_BAD_PRINCIPAL;
  	 goto exit_func;
      }
!     tlen1 = strlen(prime_arg1);
!     trunc_name(&tlen1, &tdots1);
!     tlen2 = strlen(prime_arg2);
!     trunc_name(&tlen2, &tdots2);
!     clen = client_name.length;
!     trunc_name(&clen, &cdots);
!     slen = service_name.length;
!     trunc_name(&slen, &sdots);
  
      ret.code = KADM5_OK;
      if (! CHANGEPW_SERVICE(rqstp)) {
***************
*** 590,597 ****
      } else
  	 ret.code = KADM5_AUTH_INSUFFICIENT;
      if (ret.code != KADM5_OK) {
! 	 log_unauth("kadm5_rename_principal", prime_arg,
! 		    &client_name, &service_name, rqstp);
      } else {
  	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
  						arg->dest);
- --- 598,612 ----
      } else
  	 ret.code = KADM5_AUTH_INSUFFICIENT;
      if (ret.code != KADM5_OK) {
! 	 krb5_klog_syslog(LOG_NOTICE,
! 			  "Unauthorized request: kadm5_rename_principal, "
! 			  "%.*s%s to %.*s%s, "
! 			  "client=%.*s%s, service=%.*s%s, addr=%s",
! 			  tlen1, prime_arg1, tdots1,
! 			  tlen2, prime_arg2, tdots2,
! 			  clen, client_name.value, cdots,
! 			  slen, service_name.value, sdots,
! 			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
      } else {
  	 ret.code = kadm5_rename_principal((void *)handle, arg->src,
  						arg->dest);
***************
*** 600,607 ****
  	 else
  	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
  
! 	 log_done("kadm5_rename_principal", prime_arg, errmsg,
! 		  &client_name, &service_name, rqstp);
      }
      free_server_handle(handle);
      free(prime_arg1);
- --- 615,629 ----
  	 else
  	     errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
  
! 	 krb5_klog_syslog(LOG_NOTICE,
! 			  "Request: kadm5_rename_principal, "
! 			  "%.*s%s to %.*s%s, %s, "
! 			  "client=%.*s%s, service=%.*s%s, addr=%s",
! 			  tlen1, prime_arg1, tdots1,
! 			  tlen2, prime_arg2, tdots2, errmsg,
! 			  clen, client_name.value, cdots,
! 			  slen, service_name.value, sdots,
! 			  inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
      }
      free_server_handle(handle);
      free(prime_arg1);

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798

CERT: VU#554257
http://www.kb.cert.org/vuls/id/554257

ACKNOWLEDGMENTS
===============

We thank iDefense for the initial notification.  iDefense credits an
anonymous discoverer.

DETAILS
=======

The kadmind code which performs the principal renaming operation
passes unchecked string arguments to a sprintf() call which has a
fixed-size stack buffer as its destination.  These strings are the old
and new principal names passed to the rename operation.  The attacker
needs to authenticate to kadmind to perform this attack, but no
administrative privileges are required because the vulnerable code
executes prior to privilege verification.

REVISION HISTORY
================

2007-06-26      original release

Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRoFJ16bDgE/zdoE9AQJKkQP/V95mZTlvUeuc1+Pw6m3vx+0jd2yGdR9Y
NiM1Kfe80u4TjvXIkCLLrIwE2E8+xSjEpGsG0EBqlRpAKOMtXyfzySYF4RdQl8QI
42joEAhYO4sk4xueb9ZC/GW1BCOobkvH+Apq1mXEndfeM/7QHRo/MJRZry8aek8r
Xfd3cRNQogQ=
=JE8k
-----END PGP SIGNATURE-----



More information about the kerberos-announce mailing list