krb5-clients/1104: krb5-clients: potential denial of service on multi-user systems
Sylvain Robitaille
syl at alcor.concordia.ca
Wed May 8 15:54:02 EDT 2002
>Number: 1104
>Category: krb5-clients
>Synopsis: potential denial of service on multi-user systems
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed May 8 15:55:00 EDT 2002
>Last-Modified:
>Originator: Sylvain Robitaille
>Organization:
Concordia University, Montreal, Quebec, Canada
----------------------------------------------------------------------
Sylvain Robitaille syl at alcor.concordia.ca
Systems Manager Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
>Release: krb5-1.2.5
>Environment:
System: Linux charlotte 2.2.18 #3 Fri Mar 2 16:34:15 EST 2001 i686 unknown
Architecture: i686
Also: OSF1 clyde V4.0 1091 alpha
and others
>Description:
The Kerberos Credentials Cache created when Kerberos tickets are
obtained is created with a predictable file name, /tmp/krb5cc_$UID
where $UID is the user's numeric id on the system. Obviously it
needs to be this way so that kerberized clients are able to use the
cache file, but on a multi-user system, it introduces a vulnerability
to denial of service.
>How-To-Repeat:
User "syl" is an ordinary user who just wants to authenticate his
Kerberos principal. User "test" has maliciously made sure that syl
cannot create himself a credentials cache:
: charlotte[syl] ~; id
uid=1143(syl) gid=100(iits) groups=100(iits),0(system),...
: charlotte[syl] ~; ls -l /tmp/krb5cc_1143
lrwxrwxrwx 1 test system 9 May 3 15:49 /tmp/krb5cc_1143 -> krb5_link
: charlotte[syl] ~; kinit
Password for syl at CONCORDIA.CA:
kinit(v5): Internal file credentials cache error when initializing cache
: charlotte[syl] ~; klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_1143)
: charlotte[syl] ~; ls -l /tmp/krb5cc_1143
lrwxrwxrwx 1 test system 9 May 3 15:49 /tmp/krb5cc_1143 -> krb5_link
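The scenario above, reproduced as an added example that is not part of the original report or of MIT krb5: a dangling symlink is planted at the predictable cache name, and the cache is opened with O_NOFOLLOW plus an fstat() ownership check on the resulting descriptor, so the planted link is refused instead of followed. The sandbox directory, the file names and the helper function names are constructed for the demonstration; the technique (refusing symlinks at open time) is a different mitigation from the home-directory relocation proposed in the Fix below.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a credentials-cache path for writing: O_NOFOLLOW refuses a symlink at
 * the name, and fstat() on the opened descriptor (not the name, so no
 * check-then-use window) requires a regular file owned by the caller. */
int open_cache_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Re-create the report's scenario in a private directory: a dangling link
 * krb5cc_1143 -> krb5_link sits at the predictable cache name. Returns 1 when
 * the link is refused, its target was never created, and a clean name opens. */
int demo_symlink_is_refused(void)
{
    char dir[] = "/tmp/krb5cc-demo-XXXXXX";   /* constructed sandbox */
    char link_path[64], target_path[64], cache_path[64];
    int ok = 0, fd;
    if (!mkdtemp(dir))
        return 0;
    snprintf(link_path, sizeof link_path, "%s/krb5cc_1143", dir);
    snprintf(target_path, sizeof target_path, "%s/krb5_link", dir);
    snprintf(cache_path, sizeof cache_path, "%s/krb5cc_clean", dir);
    if (symlink("krb5_link", link_path) == 0) {
        fd = open_cache_nofollow(link_path);           /* expect -1 (ELOOP) */
        if (fd < 0 && access(target_path, F_OK) != 0) {
            fd = open_cache_nofollow(cache_path);      /* expect a valid fd */
            if (fd >= 0) { close(fd); unlink(cache_path); ok = 1; }
        }
        unlink(link_path);
    }
    rmdir(dir);
    return ok;
}
```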
>Fix:
I doubt this is a perfect solution, in the general case, but I'm
sure the development team will be able to put together something
that's more appropriate. The proposed solution does incorporate
the use of snprintf(), which may not be available on all systems.
What follows is the patch as I have applied it to my own systems (Linux
and OSF with an external snprintf library) to work around this problem
by placing the credentials cache in the user's home directory:
--- /local/pkg/kerberos/kerberos-1.2.5/src/lib/krb5/os/ccdefname.c.original Thu Feb 28 12:11:41 2002
+++ /local/pkg/kerberos/kerberos-1.2.5/src/lib/krb5/os/ccdefname.c Mon May 6 15:56:54 2002
@@ -222,9 +222,38 @@
#else
#if !(defined(_MSDOS) || defined(_WIN32))
+#ifndef USE_TMPDIR_CC
+#include <pwd.h>
+#include <sys/types.h>
+#endif
+/*
+ * 2002/05/06 Sylvain Robitaille: In order to prevent denial of service
+ * on multi-user systems, we'll place the credentials cache
+ * in a hidden file in the user's home directory.
+ */
static krb5_error_code get_from_os(char *name_buf, int name_size)
{
+#ifndef USE_TMPDIR_CC
+ struct passwd *pw;
+
+ pw = getpwuid(getuid());
+ if(!pw) {
+ /* Couldn't find user's password file entry? */
+ sprintf(stderr, "ERROR: No password file entry found for uid %d\n",
+ getuid());
+ /*
+ * We need to exit right here, since our return value is
+ * ultimately not sufficiently checked.
+ */
+ exit(-1);
+ }
+ /* Ok, we have a password file entry for this user */
+ /* name_buf comes from a 1024-byte array in krb5_cc_set_default_name(). */
+ snprintf(name_buf, 1024, "FILE:%s/.krb5cc_%d",
+ pw->pw_dir, pw->pw_uid);
+#else
sprintf(name_buf, "FILE:/tmp/krb5cc_%d", getuid());
+#endif
return 0;
}
#endif
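Review bot: the error branch calls `sprintf(stderr, ...)`, which formats the message into the memory that the `stderr` FILE pointer refers to instead of printing it (and is a type mismatch); this should be `fprintf(stderr, "ERROR: No password file entry found for uid %d\n", (int)getuid());`. Two further points in the same hunk: the `snprintf` bound is hard-coded as 1024 even though `get_from_os()` receives `name_size` for exactly this purpose, so `snprintf(name_buf, name_size, ...)` keeps the bound tied to the caller's actual buffer; and `exit(-1)` from inside the library terminates every program linked against it, not just kinit, so returning a `krb5_error_code` (and having the caller check it, as the comment concedes it currently does not) is the safer shape even if it needs a follow-up change in `krb5_cc_set_default_name()`.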
>Audit-Trail:
>Unformatted: