Secure Networks Inc.
Security Advisory
April 29, 1997
Vulnerabilities in Kerberos V
This advisory details two serious vulnerabilities in Kerberos V, which
allow attackers to obtain root access to kerberos clients and servers.
Problem Descriptions:
~~~~~~~~~~~~~~~~~~~~~
Problem 1 :
Kerberos V sites which are running Kerberos IV programs and using the
Kerberos IV compatibility libraries, as well as certain Bones-derived
Kerberos IV implementations, are vulnerable to a local buffer
overflow. The problem is exploitable if there are setuid or setgid
programs (such as a Kerberized rlogin) which use Kerberos IV functions.
The problem occurs when certain Kerberos programs permit the
specification of the Kerberos configuration file via an environment
variable, and do not perform proper checking on this environment
variable.
Problem 2 :
Systems running the Kerberos V telnet daemon are vulnerable to a
buffer overflow in the Kerberized telnet daemon. This buffer
overflow can allow remote root access to unauthorized users.
Technical Details
~~~~~~~~~~~~~~~~~
Problem 1 :
This problem stems from a feature in the Kerberos IV compatibility
library under Kerberos V. Incorrect bounds checking is applied when
reading in configuration files, whose location may be stipulated via an
environment variable. If a malicious user stipulates a hand-crafted
config file, they can successfully overflow a buffer and seize root
privileges if any setuid programs call the problem functions in the
library.
The following code in src/lib/krb4/g_krbhst.c illustrates the problem:

    int INTERFACE
    krb_get_krbhst(h,r,n)
        char *h;
        char *r;
        int n;
    {
        FILE *cnffile, *krb__get_cnffile();
        char tr[REALM_SZ];           /* fixed-size realm buffer */
        char linebuf[BUFSIZ];
        register int i;

        cnffile = krb__get_cnffile();   /* may be the file named by KRB_CONF */
        if (!cnffile)
            return get_krbhst_default(h, r, n);
        /* "%s" carries no field width: a token longer than REALM_SZ - 1
           bytes in the config file overflows tr */
        if (fscanf(cnffile,"%s",tr) == EOF)
            return get_krbhst_default(h, r, n);
Here the krb__get_cnffile() function returns a descriptor to the file
pointed to by the environment variable KRB_CONF, or a descriptor to the
config file in the default location. The same set of problems, with a
different environment variable name, exists in the KTH 0.9.3, OpenBSD 2.0,
and Cygnus R3 Bones-derived Kerberos IV distributions.
Problem 2:
The second problem lies in the Kerberized telnet daemon, which, due to
improper bounds checking of the TERM variable, is vulnerable to a remote
buffer overflow.
The following fragment of start_login() in sys_term.c illustrates the
problem:

    ...
    char speed[128];
    ....
    /* TERM is supplied by the remote client; sprintf() copies it into
       the 128-byte speed[] with no length limit */
    sprintf(speed, "%s/%d", (cp = getenv("TERM")) ? cp : "",
            (def_rspeed > 0) ? def_rspeed : 9600);
    ...
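As an added illustration (not code from this advisory or from any Kerberos distribution), the bounded forms a maintainer would substitute for the two calls quoted above: an environment-override check that ignores a caller-chosen config path when real and effective ids differ, a width-limited scanf into the REALM_SZ buffer that reports truncation (shown with sscanf() over constructed config text, which has the same format semantics as the library's fscanf()), and an snprintf() with a length check for the TERM/speed string. The REALM_SZ value of 40, the function names and the sample inputs are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define REALM_SZ  40      /* krb4 constant name; the value here is assumed */
#define REALM_FMT "%39s"  /* scanf field width must stay REALM_SZ - 1 */
_Static_assert(REALM_SZ == 40, "REALM_FMT width must track REALM_SZ - 1");

/* Hardened KRB_CONF lookup: honour the override only when real and effective
 * ids match, so a setuid/setgid caller never opens a caller-chosen file. */
static const char *cnffile_path(const char *override, const char *dflt)
{
    if (override && *override && getuid() == geteuid() && getgid() == getegid())
        return override;
    return dflt;
}

/* Bounded replacement for the fscanf(cnffile, "%s", tr) call: the field width
 * stops an over-long token at REALM_SZ - 1 bytes and the leftover is detected
 * instead of overflowing tr[]. Demonstrated over in-memory config text with
 * sscanf(), which applies the same conversion rules as fscanf().
 * Returns 1 = token read, 0 = no token, -1 = token too long (truncated). */
static int read_realm(const char *cfg_text, char tr[REALM_SZ])
{
    char next;
    int n = sscanf(cfg_text, REALM_FMT "%c", tr, &next);
    if (n < 1)
        return 0;                      /* empty or whitespace-only input */
    if (n == 2 && !isspace((unsigned char)next))
        return -1;                     /* more token bytes remained */
    return 1;
}

/* Bounded replacement for sprintf(speed, "%s/%d", ...) in start_login():
 * returns 0 when "TERM/speed" fit in n bytes, -1 when it was truncated. */
static int format_speed(char *speed, size_t n, const char *term, int rspeed)
{
    int len = snprintf(speed, n, "%s/%d", term ? term : "",
                       rspeed > 0 ? rspeed : 9600);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}
```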
Impact
~~~~~~
Problem 1 :
Setuid programs using kerberos can allow shell users to gain
unauthorized root access to vulnerable systems.
Problem 2 :
Remote individuals can gain root access to hosts running the
Kerberos V telnet daemon.
Vulnerable Systems
~~~~~~~~~~~~~~~~~~
Problem 1 :
Sites running setuid or setgid Kerberos IV programs and using the
Kerberos IV compatibility libraries in Kerberos V 1.0 are vulnerable
to the environment variable config file buffer overflow.
In addition, a number of Bones-derived Kerberos IV implementations
have had an environment-variable-based config file override feature added.
The KTH (version 0.9.3) distribution, the one in OpenBSD 2.0 as well as
OpenBSD-current prior to 27 March 1997, and the Cygnus R3 distribution
all appear to have this problem.
The standard vanilla MIT Kerberos IV code is NOT vulnerable to this
problem.
Problem 2 :
Any system running the Kerberos V 1.0 telnet daemon is vulnerable to
the buffer overflow in it.
Fix information
~~~~~~~~~~~~~~~
The problems described in Kerberos V are fixed by updating your Kerberos
installation to Kerberos V 1.0 patch level 1. Information about obtaining
the update to Kerberos V can be found at
http://web.mit.edu/kerberos/www/krb5-1.0/announce.html
OpenBSD users should update to OpenBSD-current via anoncvs, and recompile
their kerberos libraries.
Cygnus plans to release patches for the Cygnus Kerberos distributions
shortly.
Additional Information
~~~~~~~~~~~~~~~~~~~~~~
If you have any questions about this advisory, feel free to mail me at
davids@secnet.com. Past Secure Networks advisories can be found at
ftp://ftp.secnet.com/pub/advisories, and Secure Networks papers can be
found at ftp://ftp.secnet.com/pub/papers.
This advisory was written by David Sacerdote.
Kerberos is a trademark of the Massachusetts Institute of Technology
(MIT).
Information on obtaining the MIT Kerberos IV and V distributions can be
found at ftp://athena-dist.mit.edu/pub/kerberos
Many thanks to AusCERT <auscert@auscert.org.au>, Mark Eichin
<eichin@cygnus.com>, Theodore Y. Ts'o <tytso@mit.edu> and Thorsten
Lockert <tholo@openbsd.org> for the invaluable assistance and feedback
they provided during the preparation of this advisory.
Feel free to send responses and comments to sni@secnet.com. If you
should wish to encrypt such traffic, please use the Secure Networks Inc.
key:
Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.
Kerberos sources distributed in this advisory fall under some or all of
the following license(s):
Copyright (C) 1996 by the Massachusetts Institute of Technology.
All rights reserved.
Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. M.I.T. makes no representations about the suitability of
this software for any purpose. It is provided "as is" without express
or implied warranty.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Individual source code files are copyright MIT, Cygnus Support,
OpenVision, Oracle, Sun Soft, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT). No commercial use of these trademarks may be made without
prior written permission of MIT.
"Commercial use" means use of a name in a product or other for-profit
manner. It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).
The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
of lib/rpc:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
WARNING: Retrieving the OpenVision Kerberos Administration system
source code, as described below, indicates your acceptance of the
following terms. If you do not agree to the following terms, do not
retrieve the OpenVision Kerberos administration system.
You may freely use and distribute the Source Code and Object Code
compiled from it, with or without modification, but this Source
Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
OTHER REASON.
OpenVision retains all copyrights in the donated Source Code. OpenVision
also retains copyright to derivative works of the Source Code, whether
created by OpenVision or by a third party. The OpenVision copyright
notice must be preserved if derivative works are made based on the
donated Source Code.
OpenVision Technologies, Inc. has donated this Kerberos
Administration system to MIT for inclusion in the standard
Kerberos 5 distribution. This donation underscores our
commitment to continuing Kerberos technology development
and our gratitude for the valuable work which has been
performed by MIT and the Kerberos community.