MIT Kerberos 1.7 krb5kdc SEGV
Tom Yu
tlyu at MIT.EDU
Tue Dec 29 22:32:53 EST 2009
Tom Yu <tlyu at MIT.EDU> writes:
> Jeff Blaine <jblaine at kickflop.net> writes:
>
>> MIT Kerberos 1.7 built on Solaris 10 SPARC
>>
>> Runs fine generally.
>>
>> Got it to crash today when:
>>
>> PuTTY-GSSAPI connecting to a CentOS 5.3 box's sshd (box
>> is a krb5 client and is configured to do krb5 auth via PAM)
>>
>> For more details, ask me specifics please
>>
>> signal SEGV (no mapping at the fault address) in klog_com_err_proc at
>> line 221 in file "logger.c"
>> 221 if ((((unsigned char) *format) > 0) && (((unsigned char)
>> *format) <= 8)) {
>> (dbx) where
>> =>[1] klog_com_err_proc(whoami = 0xffbffe2b "krb5kdc", code =
>> -1765328141, format = (nil), ap = 0xffbfe4a0), line 221 in "logger.c"
>> [2] com_err_va(whoami = 0xff2d1c98 "", code = -1765328141, fmt =
>> (nil), ap = 0xffbfe4a0), line 112 in "com_err.c"
>> [3] kdc_err(call_context = 0x96c73af3, code = -1765328141, fmt =
>> (nil), ...), line 121 in "main.c"
>
> Thanks. This is the topic of a security advisory published today:
>
> http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-003.txt
>
> (It's not a terribly serious vulnerability, but you probably want the
> patch anyway.)
On further reflection, this might only be exploitable if the attacker
has valid credentials (though cross-realm may count), so it's probably
even less serious than the original advisory may indicate. Does
anyone believe otherwise? I will probably revise the advisory to
reflect the downgraded risks.
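The backtrace above shows the crash mechanism on its own: com_err_va() passes format = (nil) down to the logging hook, and logger.c line 221 dereferences *format without checking it. The following is an added example (not MIT Kerberos code, and not the fix shipped for the advisory) that models that hook pattern: an unsafe prefix check mirroring the posted line beside a hardened version that treats a NULL format as "no message" instead of faulting. The function names, the 1..8 priority-prefix interpretation and DEFAULT_PRIORITY are assumptions; the error code is the one from the posted frame.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not MIT Kerberos code). Models the pattern visible in the
 * posted backtrace: a com_err hook inspects the first byte of `format`
 * (the posted logger.c line 221 tests the range 1..8) and so faults when
 * com_err_va() hands it a NULL format. Names and the default priority are
 * assumptions made for this example. */

#define DEFAULT_PRIORITY 6  /* assumed default when no prefix byte is present */

/* Mirrors the posted line 221: dereferences format unconditionally, so
 * passing NULL is undefined behaviour (the SEGV in the report). */
int klog_prefix_unsafe(const char *format)
{
    if ((((unsigned char) *format) > 0) && (((unsigned char) *format) <= 8))
        return (unsigned char) *format;
    return 0;
}

/* Hardened: returns the priority byte 1..8 if present, 0 if absent,
 * and 0 for NULL instead of dereferencing it. */
int klog_prefix(const char *format)
{
    if (format == NULL)
        return 0;
    unsigned char c = (unsigned char) *format;
    return (c > 0 && c <= 8) ? c : 0;
}

/* Hook with a com_err-style signature. Formats "whoami: [prio N] code: msg"
 * into out and returns snprintf's byte count. A NULL format is logged as a
 * fixed placeholder so the error code itself is still recorded. */
int klog_hook(char *out, size_t outlen, const char *whoami, long code,
              const char *format, va_list ap)
{
    int prefix = klog_prefix(format);
    int prio = prefix ? prefix : DEFAULT_PRIORITY;
    char msg[256];

    if (format == NULL) {
        snprintf(msg, sizeof msg, "(no message)");
    } else {
        const char *body = format + (prefix ? 1 : 0); /* skip the prefix byte */
        vsnprintf(msg, sizeof msg, body, ap);
    }
    return snprintf(out, outlen, "%s: [prio %d] %ld: %s",
                    whoami ? whoami : "", prio, code, msg);
}

/* Variadic front end, standing in for the com_err_va() caller. */
int klog_message(char *out, size_t outlen, const char *whoami, long code,
                 const char *format, ...)
{
    va_list ap;
    int n;
    va_start(ap, format);
    n = klog_hook(out, outlen, whoami, code, format, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char buf[512];
    /* Same whoami/code as the posted frame, with format = NULL. */
    klog_message(buf, sizeof buf, "krb5kdc", -1765328141L, NULL);
    puts(buf);
    /* Constructed message carrying a priority prefix byte of 3. */
    klog_message(buf, sizeof buf, "krb5kdc", 0L, "\003client %s", "alice");
    puts(buf);
    return 0;
}
```

The point of the guard is that the hook is the last link in a chain it does not control: com_err_va() will forward whatever format its caller supplied, so a NULL check belongs in the hook rather than in every caller of kdc_err().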