MITKRB5-SA-2002-001: Remote root vulnerability in MIT krb5 admin system

Tom Yu tlyu at MIT.EDU
Fri Aug 2 14:28:39 EDT 2002


		 MIT krb5 Security Advisory 2002-001


Topic: Remote root vulnerability in MIT krb5 admin system

Severity: Remote user may be able to gain root access to a KDC host.


There is an integer overflow bug in the SUNRPC-derived RPC library
used by the Kerberos 5 administration system that could be exploited
to gain unauthorized root access to a KDC host.  It is believed that
the attacker needs to be able to authenticate to the kadmin daemon for
this attack to be successful.  No exploits are known to exist yet.


A remote attacker can potentially execute arbitrary code on the KDC
with the privileges of the user running the kadmin daemon (usually
root).  This can lead to compromise of the Kerberos database.


All releases of MIT Kerberos 5, up to and including krb5-1.2.5.


Apply the following patch to src/lib/rpc/xdr_array.c:

Index: xdr_array.c
RCS file: /cvs/krbdev/krb5/src/lib/rpc/xdr_array.c,v
retrieving revision 1.5
diff -c -r1.5 xdr_array.c
*** xdr_array.c	1998/02/14 02:27:23	1.5
- --- xdr_array.c	2002/08/02 17:25:05
*** 75,81 ****
  		return (FALSE);
  	c = *sizep;
! 	if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
  		return (FALSE);
  	nodesize = c * elsize;
- --- 75,82 ----
  		return (FALSE);
  	c = *sizep;
! 	if ((c > maxsize || c > LASTUNSIGNED / elsize)
! 	    && (xdrs->x_op != XDR_FREE)) {
  		return (FALSE);
  	nodesize = c * elsize;
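Review bot: the new guard `c > LASTUNSIGNED / elsize` divides by the caller-supplied element size, so it silently assumes `elsize` is never zero; the kadm5 callers all pass a `sizeof`, but a one-line comment (or an explicit `elsize == 0` reject ahead of the division) would make that invariant visible to the next person who touches this check. Note also that both the `maxsize` bound and the new overflow bound are still skipped when `xdrs->x_op == XDR_FREE`; that is correct here, since the free path does not compute an allocation from attacker-supplied data, but the reason deserves a comment so the exemption is not widened later.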

and rebuild your tree.  The patch was generated against krb5-1.2.5;
patches to other releases may apply with some offset.

This patch may also be found at:

The associated detached PGP signature is at:

This announcement and code patches related to it may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:


Thanks to ISS for discovery of the vulnerability.

Thanks to Jeffrey Hutzelman for assistance in discovering the
particulars of this bug.


The xdr_array() decoder computes the value of the NODESIZE variable in
a way that can lead to integer overflow.  An attacker can construct an
XDR encoding that will take advantage of this integer overflow in
order to overflow the allocated heap buffer, depending on the
specifics of the caller of the xdr_array() function.

The uses of xdr_array() in the kadm5 library, which implements the
Kerberos 5 administration protocol, are unsafe in an environment where
this bug exists.  A remote user may be able to use the buffer overflow
to execute arbitrary code on the KDC host, possibly leading to
unauthorized root access.  It is believed that the remote user must
first successfully authenticate to the kadmin daemon in order to
exercise this vulnerability, though the user may not need to possess
any special privileges.
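The following is an added illustration, not code from the krb5 tree: it isolates the length check of xdr_array() as it stood before and after the patch above, so the wraparound in nodesize = c * elsize and the effect of the LASTUNSIGNED / elsize bound can be observed on constructed values. The helper names and the sample count are assumptions made for this example.

```c
#include <stdio.h>

/* Constructed example: the xdr_array() length check before and after the
 * MITKRB5-SA-2002-001 patch.  LASTUNSIGNED mirrors the SUNRPC definition
 * of the largest unsigned int; helper names are this example's own. */
#define LASTUNSIGNED ((unsigned)0 - 1)

/* Pre-patch check: only the element count is bounded, so c * elsize
 * may wrap and nodesize ends up far smaller than the decoder expects. */
static int unpatched_check(unsigned c, unsigned maxsize, unsigned elsize,
                           unsigned *nodesize)
{
    if (c > maxsize)
        return 0;                    /* rejected, as in the original */
    *nodesize = c * elsize;          /* wraps when c * elsize > LASTUNSIGNED */
    return 1;
}

/* Patched check: additionally reject any count for which c * elsize
 * would exceed LASTUNSIGNED.  elsize is assumed non-zero, since every
 * xdr_array() caller passes a sizeof(). */
static int patched_check(unsigned c, unsigned maxsize, unsigned elsize,
                         unsigned *nodesize)
{
    if (c > maxsize || c > LASTUNSIGNED / elsize)
        return 0;
    *nodesize = c * elsize;          /* cannot wrap here */
    return 1;
}

/* 1 if the unpatched check accepts a count whose byte size wrapped to a
 * value smaller than the count itself (an undersized heap allocation). */
int unpatched_accepts_wrapped_size(unsigned c, unsigned elsize)
{
    unsigned nodesize;
    if (!unpatched_check(c, LASTUNSIGNED, elsize, &nodesize))
        return 0;
    return nodesize < c;
}

/* 1 if the patched check refuses the same count. */
int patched_rejects(unsigned c, unsigned elsize)
{
    unsigned nodesize;
    return !patched_check(c, LASTUNSIGNED, elsize, &nodesize);
}

int main(void)
{
    unsigned c = 0x40000001u, elsize = 4;   /* constructed: c * 4 wraps to 4 */
    printf("unpatched accepts wrapped size: %d\n",
           unpatched_accepts_wrapped_size(c, elsize));
    printf("patched rejects: %d\n", patched_rejects(c, elsize));
    return 0;
}
```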