Search This Blog

Wednesday, June 27, 2007

[UNIX] Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow
Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.mit.edu/afs/athena/astaff/project/kerberos/> Kerberos is "a
network authentication protocol used in client-server systems to provide
user authentication by using a ticket-based system. kadmind is the
Kerberos administration server and is used to configure principals and
policies on the Kerberos server, such as changing a password". Remote
exploitation of a buffer overflow vulnerability within MIT Kerberos
kadmind allows attackers to execute arbitrary code with the privileges of
the running service, usually root.

DETAILS

Vulnerable Systems:
* MIT Kerberos version 1.5-21
* MIT Kerberos version version 1.5.3
* MIT Kerberos version 1.6.1

Immune Systems:
*

The vulnerability specifically exists within the code responsible for
handling requests to rename principals. The rename_principal_2_svc
function fails to properly bounds-check user-supplied data before copying
it to a fixed-size stack buffer. The vulnerable code is shown below.

542 generic_ret *
543 rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
544 {
545 static generic_ret ret;
546 char *prime_arg1,
547 *prime_arg2;
548 char prime_arg[BUFSIZ];
...
570 if (krb5_unparse_name(handle->context, arg->src, &prime_arg1) ||
571 krb5_unparse_name(handle->context, arg->dest, &prime_arg2))
{
572 ret.code = KADM5_BAD_PRINCIPAL;
573 goto exit_func;
574 }
575 sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);

On lines 570 and 571 attacker supplied data is extracted from the kadmind
server context. The buffer overflow occurs on line 575 when concatenating
the source and destination principal names with the static text " to ".

Analysis:
Exploitation allows attackers to execute arbitrary code with the
privileges of the running service, usually root.

Although the functionality where the vulnerability lies is designed to
require administrator privileges, the problem actually occurs prior to
credential verification. As a result, only a valid user session is
required to exploit this vulnerability.

The kadmind server runs on the master Kerberos server, which holds the KDC
principal and policy database. As such, a compromise of this server could
lead to a compromise of multiple hosts that use the server for
authentication.

It should be noted that while Fedora CORE 6 was used for testing, code
execution is not possible as it has been compiled with the
"FORTIFY_SOURCE" compiler flag.

Vendor response:
The MIT Kerberos team has made patches available to address this
vulnerability. For more information consult their advisory at the
following URL.
<http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-005.txt>

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-005.txt

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798>
CVE-2007-2798

Disclosure timeline:
05/15/2007 - Initial vendor notification
05/15/2007 - Initial vendor response
06/26/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by <mailto:labs-no-reply@idefense.com>
iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=547

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: