MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MIT krb5 Security Advisory 2007-005
Original release: 2007-06-26
Last update: 2007-06-26
Topic: kadmind vulnerable to buffer overflow
Severity: CRITICAL
CVE: CVE-2007-2798
CERT: VU#554257
SUMMARY
=======
The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow.
Exploitation of overflows of stack buffers is known to be simple. We
have received a proof-of-concept exploit which may invoke a shell, but
we believe that this exploit is not publicly circulated.
This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos
protocol.
IMPACT
======
An authenticated remote user may be able to cause a host running
kadmind to execute arbitrary code.
Successful exploitation can compromise the Kerberos key database and
host security on the KDC host. (kadmind typically runs as root.)
Unsuccessful exploitation attempts will likely result in kadmind
crashing.
AFFECTED SOFTWARE
=================
* kadmind from MIT releases up to and including krb5-1.6.1
FIXES
=====
* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
maintenance release, will contain fixes for this vulnerability.
Prior to that release you may:
* apply the patch
This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite.
The krb5-1.6.1 and krb5-1.5.3 releases already contains the
prerequisite patch.
This patch is also available at
http://web.mit.edu/kerberos/advisories/2007-005-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc
*** src/kadmin/server/server_stubs.c (revision 20024)
- --- src/kadmin/server/server_stubs.c (local)
***************
*** 545,557 ****
static generic_ret ret;
char *prime_arg1,
*prime_arg2;
- - char prime_arg[BUFSIZ];
gss_buffer_desc client_name,
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
char *errmsg;
xdr_free(xdr_generic_ret, &ret);
- --- 545,558 ----
static generic_ret ret;
char *prime_arg1,
*prime_arg2;
gss_buffer_desc client_name,
service_name;
OM_uint32 minor_stat;
kadm5_server_handle_t handle;
restriction_t *rp;
char *errmsg;
+ size_t tlen1, tlen2, clen, slen;
+ char *tdots1, *tdots2, *cdots, *sdots;
xdr_free(xdr_generic_ret, &ret);
***************
*** 572,578 ****
ret.code = KADM5_BAD_PRINCIPAL;
goto exit_func;
}
! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
ret.code = KADM5_OK;
if (! CHANGEPW_SERVICE(rqstp)) {
- --- 573,586 ----
ret.code = KADM5_BAD_PRINCIPAL;
goto exit_func;
}
! tlen1 = strlen(prime_arg1);
! trunc_name(&tlen1, &tdots1);
! tlen2 = strlen(prime_arg2);
! trunc_name(&tlen2, &tdots2);
! clen = client_name.length;
! trunc_name(&clen, &cdots);
! slen = service_name.length;
! trunc_name(&slen, &sdots);
ret.code = KADM5_OK;
if (! CHANGEPW_SERVICE(rqstp)) {
***************
*** 590,597 ****
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
! log_unauth("kadm5_rename_principal", prime_arg,
! &client_name, &service_name, rqstp);
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
- --- 598,612 ----
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
! krb5_klog_syslog(LOG_NOTICE,
! "Unauthorized request: kadm5_rename_principal, "
! "%.*s%s to %.*s%s, "
! "client=%.*s%s, service=%.*s%s, addr=%s",
! tlen1, prime_arg1, tdots1,
! tlen2, prime_arg2, tdots2,
! clen, client_name.value, cdots,
! slen, service_name.value, sdots,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
} else {
ret.code = kadm5_rename_principal((void *)handle, arg->src,
arg->dest);
***************
*** 600,607 ****
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL,
ret.code);
! log_done("kadm5_rename_principal", prime_arg, errmsg,
! &client_name, &service_name, rqstp);
}
free_server_handle(handle);
free(prime_arg1);
- --- 615,629 ----
else
errmsg = krb5_get_error_message(handle ? handle->context : NULL,
ret.code);
! krb5_klog_syslog(LOG_NOTICE,
! "Request: kadm5_rename_principal, "
! "%.*s%s to %.*s%s, %s, "
! "client=%.*s%s, service=%.*s%s, addr=%s",
! tlen1, prime_arg1, tdots1,
! tlen2, prime_arg2, tdots2, errmsg,
! clen, client_name.value, cdots,
! slen, service_name.value, sdots,
! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
}
free_server_handle(handle);
free(prime_arg1);
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVE: CVE-2007-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798
CERT: VU#554257
http://www.kb.cert.org/vuls/id/554257
ACKNOWLEDGMENTS
===============
We thank iDefense for the initial notification. iDefense credits an
anonymous discoverer.
DETAILS
=======
The kadmind code which performs the principal renaming operation
passes unchecked string arguments to a sprintf() call which has a
fixed-size stack buffer as its destination. These strings are the old
and new principal names passed to the rename operation. The attacker
needs to authenticate to kadmind to perform this attack, but no
administrative privileges are required because the vulnerable code
executes prior to privilege verification.
REVISION HISTORY
================
2007-06-26 original release
Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)
iQCVAwUBRoFJ16bDgE/zdoE9AQJKkQP/V95mZTlvUeuc1+Pw6m3vx+0jd2yGdR9Y
NiM1Kfe80u4TjvXIkCLLrIwE2E8+xSjEpGsG0EBqlRpAKOMtXyfzySYF4RdQl8QI
42joEAhYO4sk4xueb9ZC/GW1BCOobkvH+Apq1mXEndfeM/7QHRo/MJRZry8aek8r
Xfd3cRNQogQ=
=JE8k
-----END PGP SIGNATURE-----