MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow

Edward Beuerlein ebeuerlein at aol.com
Tue Jul 10 16:04:11 EDT 2007


Hey all,
I tried to apply this patch to our 1.4.3 code base and it fails to
apply (hunks #1, #2 and #3 fail for server_stubs.c). Does anyone have
patch code for the two kadmin bugs for 1.4.3 that they are willing to
share with me? We are hoping to upgrade to 1.5 or 1.6 this year so this
problem will go away :)
Thanks!
-Eddie B.

Russ Allbery wrote:
> Mike Friedman <mikef at ack.berkeley.edu> writes:
> 
>> My system does support vsnprintf(), so I followed the above
>> advice. Now I'm faced with having to install 2007-05, which has the
>> full 2007-02 patch as a prerequisite.
> 
>> Any suggestions as to the easiest way to proceed?  I'd like at present
>> to avoid significant testing of a new release if it's likely to have
>> some incompatibilities.  I'm not sure what the issues are between 1.5.3
>> and 1.6.1 in this regard.
> 
>> If I had a version of 2007-05 that fit 1.4.2 with only the 'logger.c'
>> portion of 2007-02 applied, that would, I suppose, be the best I could
>> expect.  What are the chances of that?
> 
> The following patch against 1.4.4 compiles and appears to me to be safe
> provided that your system supports vsnprintf, but I'd be happy to get an
> additional review of that belief:
> 
> === src/kadmin/server/server_stubs.c
> ==================================================================
> --- src/kadmin/server/server_stubs.c    (revision 2543)
> +++ src/kadmin/server/server_stubs.c    (local)
> @@ -472,6 +472,8 @@
>      OM_uint32          minor_stat;
>      kadm5_server_handle_t  handle;
>      restriction_t      *rp;
> +    size_t         tlen1, tlen2, clen, slen;
> +    char           *tdots1, *tdots2, *cdots, *sdots;
>  
>      xdr_free(xdr_generic_ret, &ret);
>  
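Review bot: `tdots1`, `tdots2`, `cdots` and `sdots` only ever receive string literals (`"..."` or `""`) from `trunc_name`, so declare them `const char *` rather than `char *`; that lets `trunc_name` take a `const char **dots` parameter and keeps `-Wwrite-strings` builds quiet. The matching prototype and definition in misc.h and misc.c would need the same signature.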
> @@ -492,7 +494,14 @@
>      ret.code = KADM5_BAD_PRINCIPAL;
>      return &ret;
>      }
> -    sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
> +    tlen1 = strlen(prime_arg1);
> +    trunc_name(&tlen1, &tdots1);
> +    tlen2 = strlen(prime_arg2);
> +    trunc_name(&tlen2, &tdots2);
> +    clen = client_name.length;
> +    trunc_name(&clen, &cdots);
> +    slen = service_name.length;
> +    trunc_name(&slen, &sdots);
>  
>      ret.code = KADM5_OK;
>      if (! CHANGEPW_SERVICE(rqstp)) {
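Review bot: with the `sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2)` removed, nothing in this function writes into `prime_arg` any more, so its fixed-size buffer declaration (above this hunk, not shown) is now dead and should be deleted in the same change, so that no oversized stack buffer survives the fix and the compiler does not warn about an unused variable. A one-line comment above the four `trunc_name` calls saying that the lengths are bounded so the log line cannot overrun would also help, since the hunk itself does not say why four separate length/dots pairs are needed.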
> @@ -510,17 +519,27 @@
>      } else
>      ret.code = KADM5_AUTH_INSUFFICIENT;
>      if (ret.code != KADM5_OK) {
> -    krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
> -       prime_arg, client_name.value, service_name.value,
> -       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
> +    krb5_klog_syslog(LOG_NOTICE,
> +             "Unauthorized request: kadm5_rename_principal, "
> +             "%.*s%s to %.*s%s, "
> +             "client=%.*s%s, service=%.*s%s, addr=%s",
> +             tlen1, prime_arg1, tdots1,
> +             tlen2, prime_arg2, tdots2,
> +             clen, client_name.value, cdots,
> +             slen, service_name.value, sdots,
> +             inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>      } else {
>      ret.code = kadm5_rename_principal((void *)handle, arg->src,
>                         arg->dest);
> -    krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
> -       prime_arg, ((ret.code == 0) ? "success" :
> -               error_message(ret.code)), 
> -       client_name.value, service_name.value,
> -       inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
> +    krb5_klog_syslog(LOG_NOTICE,
> +             "Request: kadm5_rename_principal, "
> +             "%.*s%s to %.*s%s, %s, "
> +             "client=%.*s%s, service=%.*s%s, addr=%s",
> +             tlen1, prime_arg1, tdots1,
> +             tlen2, prime_arg2, tdots2, error_message(ret.code),
> +             clen, client_name.value, cdots,
> +             slen, service_name.value, sdots,
> +             inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
>      }
>      free_server_handle(handle);
>      free(prime_arg1);
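Review bot: the precision argument of `%.*s` is consumed by the formatter as an `int`, but `tlen1`, `tlen2`, `clen` and `slen` are `size_t`; on LP64 platforms that passes an 8-byte value where a 4-byte one is read, which is undefined behaviour in a variadic call even though the value never exceeds 125. Cast each at the call site, e.g. `(int) tlen1, prime_arg1, tdots1,` and likewise for the other three, in both `krb5_klog_syslog` calls. Two behavioural changes should also be called out in the change description: the success path now logs `error_message(ret.code)` for every outcome instead of the literal `"success"` when `ret.code == 0`, and both lines replace the shared `LOG_UNAUTH`/`LOG_DONE` format macros with inline strings, so any log parsing or alerting keyed on the old kadmind message layout needs to be revisited.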
> === src/kadmin/server/misc.c
> ==================================================================
> --- src/kadmin/server/misc.c    (revision 2558)
> +++ src/kadmin/server/misc.c    (local)
> @@ -171,3 +171,12 @@
>  
>      return kadm5_free_principal_ent(handle->lhandle, &princ);
>  }
> +
> +#define MAXPRINCLEN 125
> +
> +void
> +trunc_name(size_t *len, char **dots)
> +{
> +    *dots = *len > MAXPRINCLEN ? "..." : "";
> +    *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
> +}
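Review bot: `trunc_name` evaluates `*len > MAXPRINCLEN` twice and assigns string literals through a non-const `char **`; a single branch with a `const char **dots` parameter is clearer, e.g. `if (*len > MAXPRINCLEN) { *dots = "..."; *len = MAXPRINCLEN; } else *dots = "";`. The hunk also gives no reason for the value 125; a comment stating what line length the four truncated fields plus the fixed text are meant to stay within would make the bound reviewable, and placing the `#define` in misc.h beside the prototype would let callers see it.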
> === src/kadmin/server/misc.h
> ==================================================================
> --- src/kadmin/server/misc.h    (revision 2558)
> +++ src/kadmin/server/misc.h    (local)
> @@ -45,3 +45,5 @@
>  #ifdef SVC_GETARGS
>  void  kadm_1(struct svc_req *, SVCXPRT *);
>  #endif
> +
> +void trunc_name(size_t *len, char **dots);
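Review bot: the new prototype uses `size_t`, so misc.h must already include `<stddef.h>` (or another header that defines it) before this line; the surrounding context does not show whether it does, so please confirm rather than relying on include order in the callers. If `dots` is changed to `const char **` in misc.c, this prototype must be updated to match.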
> 
> 

-- 

Edward Beuerlein, CISSP
Sr. System Administrator
AOL Operations Security, SysSec
Phone: 703-265-1207
AIM: ebeuerlein
