MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MIT krb5 Security Advisory 2007-001
Original release: 2007-04-03
Last update: 2007-04-03
Topic: telnetd allows login as arbitrary user
Severity: CRITICAL
CVE: CVE-2007-0956
CERT: VU#220816
SUMMARY
=======
The MIT krb5 telnet daemon (telnetd) allows unauthorized login as an
arbitrary user, when presented with a specially crafted username.
Exploitation of this vulnerability is trivial.
This is a vulnerability in an application program; it is not a bug in
the MIT krb5 libraries or in the Kerberos protocol.
IMPACT
======
A user can gain unauthorized access to any account (including root) on
a host running telnetd. Whether the attacker needs to authenticate
depends on the configuration of telnetd on that host.
AFFECTED SOFTWARE
=================
* telnetd in all releases of MIT krb5, up to and including krb5-1.6
FIXES
=====
* The upcoming krb5-1.6.1 release will contain a fix for this
vulnerability.
Prior to that release you may:
* disable telnetd
or
* apply the patch
This patch is also available at
http://web.mit.edu/kerberos/advisories/2007-001-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2007-001-patch.txt.asc
*** src/appl/telnet/telnetd/state.c (revision 19480)
- --- src/appl/telnet/telnetd/state.c (local)
***************
*** 1665,1671 ****
strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
strcmp(varp, "NLSPATH") && /* locale stuff */
strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! strcmp(varp, "IFS")) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify the
environment variable \"%s\"", varp);
- --- 1665,1672 ----
strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
strcmp(varp, "NLSPATH") && /* locale stuff */
strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! strcmp(varp, "IFS") &&
! !strchr(varp, '-')) {
return 1;
} else {
syslog(LOG_INFO, "Rejected the attempt to modify the
environment variable \"%s\"", varp);
*** src/appl/telnet/telnetd/sys_term.c (revision 19480)
- --- src/appl/telnet/telnetd/sys_term.c (local)
***************
*** 1287,1292 ****
- --- 1287,1302 ----
#endif
#if defined (AUTHENTICATION)
if (auth_level >= 0 && autologin == AUTH_VALID) {
+ if (name[0] == '-') {
+ /* Authenticated and authorized to log in to an
+ account starting with '-'? Even if that
+ unlikely case comes to pass, the current login
+ program will not parse the resulting command
+ line properly. */
+ syslog(LOG_ERR, "user name cannot start with '-'");
+ fatal(net, "user name cannot start with '-'");
+ exit(1);
+ }
# if !defined(NO_LOGIN_F)
#if defined(LOGIN_CAP_F)
argv = addarg(argv, "-F");
***************
*** 1377,1387 ****
} else
#endif
if (getenv("USER")) {
! argv = addarg(argv, getenv("USER"));
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
argv = addarg(argv, *cpp);
}
#endif
- --- 1387,1405 ----
} else
#endif
if (getenv("USER")) {
! char *user = getenv("USER");
! if (user[0] == '-') {
! /* "telnet -l-x ..." */
! syslog(LOG_ERR, "user name cannot start with '-'");
! fatal(net, "user name cannot start with '-'");
! exit(1);
! }
! argv = addarg(argv, user);
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
register char **cpp;
for (cpp = environ; *cpp; cpp++)
+ if ((*cpp)[0] != '-')
argv = addarg(argv, *cpp);
}
#endif
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVE: CVE-2007-0956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956
CERT: VU#220816
http://www.kb.cert.org/vuls/id/220816
ACKNOWLEDGMENTS
===============
This vulnerability was found when attempting to confirm the absence of
a related vulnerability in the Solaris telnetd. [CVE-2007-0882]
DETAILS
=======
The MIT krb5 telnet daemon fails to adequately check the provided
username. A malformed username beginning with "-e" can be interpreted
as a command-line flag by the login.krb5 program, which is executed by
telnetd. This causes login.krb5 to execute part of the BSD rlogin
protocol, where an arbitrary username may be injected, allowing login
as that user without a password or any further authentication.
If the telnet daemon is configured to only permit authenticated login,
then only authenticated users can exploit this vulnerability.
REVISION HISTORY
================
2007-04-03 original release
Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)
iQCVAwUBRhKVRabDgE/zdoE9AQIzPAQAj8a7ShfHXVVMOPQhEyoN/Ydnalnfa2xE
cl7UXFSjmkexalD+rymL0upLFw7EVgnYrVazc+AUhDLt1AZmCl5Lj2+WAcl1QYPu
fEGm2SFaS4Eda6NRb6xZ4BeY8zfRWFN2G8Bb5krpGj+oEX/c3Xg8O4oUyiJBYBQi
TXhryamn6Yw=
=aE5C
-----END PGP SIGNATURE-----