MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities
Sachin Punadikar
punadikar.sachin at gmail.com
Mon Aug 14 08:07:13 EDT 2006
Hi Tom,
I implemented the changes suggested by you for "MIT krb5 Security Advisory
2006-001" in the ksu utility. I am always observing below message when I
exit from the ksu shell. I tested it on AIX and Linux. Behavior is same.
------------------------------------------
# ksu tester
Changing uid to tester (333)
# exit
exit
ksu: Operation not permitted while returning to source uid for destroying
ccache
-------------------------------------------
Code study shows that this is the new message being added for the security
advisory 2006-001. Further I found out that, from the sweep_up function,
krb5_seteuid(0) always fails. Ands that why I am getting this message. As a
side effect it leaves around the cred cache file, exits without destroying
it.
--- src/clients/ksu/main.c-----
if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {
com_err(prog_name, errno,
"while returning to source uid for destroying ccache");
exit(1);
}
------------------------------------------
Is this a expected behavior? Could you please provide inputs regarding why
we are calling krb5_seteuid(0) ? Is it supposed to succeed at any point of
time ? If not is it good idea to remove this call ?
Awaiting reply.
- Sachin.
On 8/9/06, Tom Yu <tlyu at mit.edu> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> MIT krb5 Security Advisory 2006-001
>
> Original release: 2006-08-08
>
> Topic: multiple local privilege escalation vulnerabilities
>
> Severity: serious
>
> SUMMARY
> =======
>
> In certain application programs packaged in the MIT Kerberos 5 source
> distribution, calls to setuid() and seteuid() are not always checked
> for success. A local user could exploit one of these vulnerabilities
> to result in privilege escalation. No exploit code is known to exist
> at this time. It is believed that the primary risk is to Linux
> systems, due to the behavior of their implementation of the setuid()
> and seteuid() system calls.
>
> IMPACT
> ======
>
> Actual impact depends on implementation details within a specific
> operating system. Vulnerabilities result when the OS implementations
> of setuid() or seteuid() can fail due to resource exhaustion when
> changing to an unprivileged user ID. We believe that only unchecked
> calls to setuid(), and not calls to seteuid(), are vulnerable on
> Linux.
>
> On AIX, Kerberos applications provided by IBM are not vulnerable. If,
> in place of or in addition to IBM-provided Kerberos applications, MIT
> krb5 code is installed on an AIX system, the affected MIT krb5
> applications are vulnerable to the setuid() issues listed in
> CVE-2006-3083. We believe that no other operating systems are
> affected.
>
> [CVE-2006-3083, VU#580124] The following vulnerabilities may result
> from unchecked calls to setuid(), and are believed to only exist on
> Linux and AIX:
>
> * Unchecked calls to setuid() in krshd may allow a local privilege
> escalation leading to execution of programs as root.
>
> * Unchecked calls to setuid() in the v4rcp may allow a local privilege
> escalation leading to reading, writing, or creating files as root.
> v4rcp is the remote end of a krb4-authenticated rcp operation, but
> may be executed directly by an attacker, as it is a setuid program.
>
> [CVE-2006-3084, VU#401660] The following vulnerabilities may result
> from unchecked calls to seteuid(). These vulnerabilities are not yet
> known to exist on any operating system:
>
> * Unchecked calls to seteuid() in ftpd may allow a local privilege
> escalation leading to reading, writing, or creating files as root.
>
> * Unchecked calls to seteuid() in the ksu program may allow a local
> privilege escalation resulting in filling a file with null bytes as
> root and then deleting it (the "kdestroy" operation).
>
> AFFECTED SOFTWARE
> =================
>
> * The above-listed programs are vulnerable in all releases of MIT
> krb5, up to and including krb5-1.5. The krb5-1.5.1 and krb5-1.4.4
> releases will contain fixes for these problems.
>
> FIXES
> =====
>
> * The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes
> for these vulnerabilities.
>
> * Disable krshd and ftpd, and remove the setuid bit from the ksu
> binary and the v4rcp binary.
>
> * For the krb5-1.5 release, apply the patch at
>
> http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt
>
> A PGP-signed version of this patch is at
>
> http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt.asc
>
> This patch was generated against the krb5-1.5 release, and may apply
> to earlier releases with some fuzz. The patch also updates some
> calls to other setuid-like system calls on less-common operating
> systems, though these calls are less likely to be vulnerable.
>
> * For the krb5-1.4.3 release, apply the patch at
>
> http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt
>
> A PGP-signed version of this patch is at
>
> http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt
>
> This patch was generated against the krb5-1.4.3 release, and may apply
> to earlier releases with some fuzz. The patch also updates some
> calls to other setuid-like system calls on less-common operating
> systems, though these calls are less likely to be vulnerable.
>
> REFERENCES
> ==========
>
> This announcement and related security advisories may be found on the
> MIT Kerberos security advisory page at:
>
> http://web.mit.edu/kerberos/advisories/index.html
>
> The main MIT Kerberos web page is at:
>
> http://web.mit.edu/kerberos/index.html
>
> CVE: CVE-2006-3083
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083
>
> CERT: VU#580124
> http://www.kb.cert.org/vuls/id/580124
>
> CVE: CVE-2006-3084
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084
>
> CERT: VU#401660
> http://www.kb.cert.org/vuls/id/401660
>
> ACKNOWLEDGMENTS
> ===============
>
> Thanks to Michael Calmer and Marcus Meissner at SUSE for reporting
> this problem.
>
> Thanks to Shiva Persaud at IBM for information on AIX.
>
> DETAILS
> =======
>
> Typically, setuid(), seteuid(), and similar system calls cannot fail
> except in cases of inadequate privilege or system misconfiguration.
> Unlike other operating systems, Linux and AIX system calls which
> change the real user ID can fail if the change would cause the target
> user ID to exceed its quota of allowed processes. A local attacker
> may be able to exhaust a process quota in a way which artificially
> creates such a failure condition. This may result in privilege
> escalation when a program making an unchecked call to one of these
> system calls expects to continue execution with reduced privilege
> following the affected call, but instead continues to run as a
> privileged user.
>
> Specific places where various system calls are not checked include:
>
> appl/bsd/krcp.c: setreuid (uncompiled code), setuid (irrelevant
> because not installed setuid)
> appl/bsd/krshd.c: setuid
> appl/bsd/krsh.c: setuid (irrelevant because not installed setuid)
> appl/bsd/v4rcp.c: setuid
> appl/gssftp/ftpd/ftpd.c: seteuid
> client/ksu/main.c: seteuid
> lib/krb4/kuserok.c: seteuid (but likely irrelevant)
>
> REVISION HISTORY
> ================
>
> 2006-08-08 original release
>
> Copyright (C) 2006 Massachusetts Institute of Technology
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (SunOS)
>
> iQCVAwUBRNjfg6bDgE/zdoE9AQLnKQP8DAikPgsCxRiOVj2QnX66VnBl2Nsm7irs
> NeO/8yiP9QpliPk4h/6p9Q1Wc70H/C4ICWgufVDiIHbnUc4MGS4GVUzZtvQelrC1
> 4WTZyxLFfEZQzbNk6FUBw3W0P38IrUX2FQsLTp9R4S3iWFMI5Udkb5XX60zwo9w2
> 79rpIw5g8vY=
> =x/vF
> -----END PGP SIGNATURE-----
> _______________________________________________
> kerberos-announce mailing list
> kerberos-announce at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos-announce
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
More information about the Kerberos
mailing list