<<< Date Index >>>     <<< Thread Index >>>

MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-001

Original release: 2007-04-03
Last update: 2007-04-03

Topic: telnetd allows login as arbitrary user

Severity: CRITICAL

CVE: CVE-2007-0956
CERT: VU#220816

SUMMARY
=======

The MIT krb5 telnet daemon (telnetd) allows unauthorized login as an
arbitrary user, when presented with a specially crafted username.
Exploitation of this vulnerability is trivial.

This is a vulnerability in an application program; it is not a bug in
the MIT krb5 libraries or in the Kerberos protocol.

IMPACT
======

A user can gain unauthorized access to any account (including root) on
a host running telnetd.  Whether the attacker needs to authenticate
depends on the configuration of telnetd on that host.

AFFECTED SOFTWARE
=================

* telnetd in all releases of MIT krb5, up to and including krb5-1.6

FIXES
=====

* The upcoming krb5-1.6.1 release will contain a fix for this
  vulnerability.

Prior to that release you may:

* disable telnetd

or

* apply the patch

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt.asc

*** src/appl/telnet/telnetd/state.c     (revision 19480)
- --- src/appl/telnet/telnetd/state.c   (local)
***************
*** 1665,1671 ****
            strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
            strcmp(varp, "NLSPATH") && /* locale stuff */
            strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
!           strcmp(varp, "IFS")) {
                return 1;
        } else {
                syslog(LOG_INFO, "Rejected the attempt to modify the 
environment variable \"%s\"", varp);
- --- 1665,1672 ----
            strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
            strcmp(varp, "NLSPATH") && /* locale stuff */
            strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
!           strcmp(varp, "IFS") &&
!           !strchr(varp, '-')) {
                return 1;
        } else {
                syslog(LOG_INFO, "Rejected the attempt to modify the 
environment variable \"%s\"", varp);
*** src/appl/telnet/telnetd/sys_term.c  (revision 19480)
- --- src/appl/telnet/telnetd/sys_term.c        (local)
***************
*** 1287,1292 ****
- --- 1287,1302 ----
  #endif
  #if   defined (AUTHENTICATION)
        if (auth_level >= 0 && autologin == AUTH_VALID) {
+               if (name[0] == '-') {
+                   /* Authenticated and authorized to log in to an
+                      account starting with '-'?  Even if that
+                      unlikely case comes to pass, the current login
+                      program will not parse the resulting command
+                      line properly.  */
+                   syslog(LOG_ERR, "user name cannot start with '-'");
+                   fatal(net, "user name cannot start with '-'");
+                   exit(1);
+               }
  # if  !defined(NO_LOGIN_F)
  #if   defined(LOGIN_CAP_F)
                argv = addarg(argv, "-F");
***************
*** 1377,1387 ****
        } else
  #endif
        if (getenv("USER")) {
!               argv = addarg(argv, getenv("USER"));
  #if   defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
                {
                        register char **cpp;
                        for (cpp = environ; *cpp; cpp++)
                                argv = addarg(argv, *cpp);
                }
  #endif
- --- 1387,1405 ----
        } else
  #endif
        if (getenv("USER")) {
!               char *user = getenv("USER");
!               if (user[0] == '-') {
!                   /* "telnet -l-x ..." */
!                   syslog(LOG_ERR, "user name cannot start with '-'");
!                   fatal(net, "user name cannot start with '-'");
!                   exit(1);
!               }
!               argv = addarg(argv, user);
  #if   defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
                {
                        register char **cpp;
                        for (cpp = environ; *cpp; cpp++)
+                           if ((*cpp)[0] != '-')
                                argv = addarg(argv, *cpp);
                }
  #endif

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-0956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956

CERT: VU#220816
http://www.kb.cert.org/vuls/id/220816

ACKNOWLEDGMENTS
===============

This vulnerability was found when attempting to confirm the absence of
a related vulnerability in the Solaris telnetd.  [CVE-2007-0882]

DETAILS
=======

The MIT krb5 telnet daemon fails to adequately check the provided
username.  A malformed username beginning with "-e" can be interpreted
as a command-line flag by the login.krb5 program, which is executed by
telnetd.  This causes login.krb5 to execute part of the BSD rlogin
protocol, where an arbitrary username may be injected, allowing login
as that user without a password or any further authentication.

If the telnet daemon is configured to only permit authenticated login,
then only authenticated users can exploit this vulnerability.

REVISION HISTORY
================

2007-04-03      original release

Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRhKVRabDgE/zdoE9AQIzPAQAj8a7ShfHXVVMOPQhEyoN/Ydnalnfa2xE
cl7UXFSjmkexalD+rymL0upLFw7EVgnYrVazc+AUhDLt1AZmCl5Lj2+WAcl1QYPu
fEGm2SFaS4Eda6NRb6xZ4BeY8zfRWFN2G8Bb5krpGj+oEX/c3Xg8O4oUyiJBYBQi
TXhryamn6Yw=
=aE5C
-----END PGP SIGNATURE-----