In association with heise online

28 June 2007, 07:58

Three critical bugs in Kerberos


In two separate advisories, MIT has disclosed three critical vulnerabilities in Kerberos. The first advisory documents two vulnerabilities in the Kerberos RPC library. These affect the krb5 Kerberos administration daemon kadmind. The first, which could permit an unauthorised user to execute code, is apparently due to the freeing of an uninitialised pointer. The function gssrpc__svcauth_gssapi() in src/lib/rpc/svc_auth_gssapi.c declares an automatic variable of a complex type that includes a pointer to void. This is ultimately used to store the RPC credential. If a supplied credential is of zero length, the process jumps straight to a cleanup routine that deallocates the null pointer, thereby attempting to free unallocated memory.

The second vulnerability could allow a process to write past the end of a buffer on the stack. It is triggered by the function gssrpc__svcauth_unix() in src/lib/rpc/svc_auth_unix.c storing an unsigned integer with an excessively large value into a signed integer variable. If the signed result is negative, as it will be if a sufficiently large value is supplied, a subsequent test for excess length is fooled into validating the value. This value is then passed to memmove(), which re-interprets the signed integer as an unsigned without recognising that it is too large. In principle this could allow a buffer in the stack frame to be overflowed, but MIT point out that the large values required will probably cause other memory access violations to bring the process or system down before the flaw can be properly exploited.
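The signed/unsigned mix-up described above, as an added example in C that is not code from the article or from the MIT krb5 sources. It shows the flawed check pattern (an unsigned wire length stored in a signed int, then compared against a bound) beside a hardened version that keeps the comparison unsigned, and computes, without executing it, the count memmove() would be handed. The bound NAME_MAX_LEN, the function names and the sample name are constructed for the example; the real krb5 constants and buffer sizes are not given in the text.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed bound for the example; not the krb5 constant. */
#define NAME_MAX_LEN 255

/* Flawed pattern: a length decoded from the wire as an unsigned 32-bit
 * value is stored in a signed int and then compared against the bound.
 * Values above INT_MAX convert to a negative int on the usual two's
 * complement compilers (the conversion is implementation-defined in C),
 * so the "too long" test lets them through. Returns 1 if accepted. */
int flawed_check_accepts(uint32_t wire_len)
{
    int len = (int)wire_len;
    if (len > NAME_MAX_LEN)
        return 0;          /* only positive oversize values are rejected */
    return 1;              /* a negative len falls through as "valid" */
}

/* What memmove() would see: the negative int converted back to size_t,
 * which yields a huge count. Computed only; never passed to memmove(). */
size_t size_seen_by_memmove(int len)
{
    return (size_t)len;
}

/* Hardened pattern: compare in the unsigned type the value arrived in,
 * so the check and the later copy agree on its meaning. */
int hardened_check_accepts(uint32_t wire_len)
{
    return wire_len > NAME_MAX_LEN ? 0 : 1;
}

/* Copy a wire-supplied name into a fixed buffer using the hardened check
 * and the destination size. Returns bytes copied, or -1 if rejected. */
int copy_name(char *dst, size_t dst_size, const unsigned char *src, uint32_t wire_len)
{
    if (!hardened_check_accepts(wire_len) || wire_len >= dst_size)
        return -1;
    memmove(dst, src, wire_len);
    dst[wire_len] = '\0';
    return (int)wire_len;
}

/* Helper for a self-check: copies a C string through copy_name() into a
 * local NAME_MAX_LEN-sized buffer and returns copy_name()'s result. */
int copy_name_demo(const char *name)
{
    char buf[NAME_MAX_LEN + 1];
    return copy_name(buf, sizeof buf, (const unsigned char *)name, (uint32_t)strlen(name));
}

int main(void)
{
    uint32_t huge = 0xFFFFFFF0u;   /* constructed oversize length as it might arrive on the wire */

    printf("flawed check accepts %u: %d\n", huge, flawed_check_accepts(huge));
    printf("hardened check accepts %u: %d\n", huge, hardened_check_accepts(huge));
    printf("memmove would be asked for %zu bytes\n", size_seen_by_memmove((int)huge));
    printf("copy of \"kadmin/admin\" returns %d\n", copy_name_demo("kadmin/admin"));
    return 0;
}
```

The point to take from the two checks is not the bound itself but the type in which it is evaluated: once the value is narrowed to a signed int, the comparison and the copy disagree about what the number means, and the bound check no longer protects the buffer.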

MIT consider the first of these two to be the more serious threat as it is more likely than the second to result in code execution rather than a system crash, but exploitation of both is considered to be difficult. MIT kadmind releases up to and including krb5-1.6.1 are affected, as are third-party applications calling the RPC library included in these versions. Fixes will be available in the upcoming krb5-1.6.2 and krb5-1.5.4 maintenance releases, and a patch is available in the meantime from MIT.

The remaining vulnerability is apparently in kadmind itself. During the rename operation, unchecked string arguments are passed to sprintf(), which uses a fixed size stack buffer. This can result in a buffer overflow, which according to MIT may result in compromise of the Kerberos key database and host security. They point out that although authentication is required to exploit this flaw, administrative privilege is not, as the vulnerable code is executed before privilege verification takes place. The same versions are affected, although not third party applications in this case. The same upcoming releases will also correct this bug, and an interim patch is available from MIT. Note that in this case there is a prerequisite patch unless you are using releases krb5-1.6.1 or krb5-1.5.3.
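The fixed-buffer sprintf() pattern from the rename bug, as an added example in C that is not code from the article or from kadmind. It shows the unbounded call beside a hardened formatter that uses snprintf() with the destination size and treats truncation as an error, plus a measuring helper that uses snprintf(NULL, 0, ...) to find the required length without writing anything. MSG_BUF_SIZE, the message format and the function names are constructed for the example; the real kadmind buffer size is not given in the text.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the example; not the kadmind value. */
#define MSG_BUF_SIZE 64

/* Flawed pattern as described: caller-controlled strings formatted with
 * sprintf() into a fixed-size buffer with no length check. Included for
 * contrast only; nothing here calls it with input that does not fit. */
void format_rename_unsafe(char *out, const char *src_name, const char *dst_name)
{
    sprintf(out, "rename %s -> %s", src_name, dst_name);  /* overflows on long names */
}

/* Measure the formatted length without writing, and report whether it
 * would exceed a MSG_BUF_SIZE buffer (the NUL terminator included). */
int would_overflow(const char *src_name, const char *dst_name)
{
    int needed = snprintf(NULL, 0, "rename %s -> %s", src_name, dst_name);
    return needed < 0 || needed >= MSG_BUF_SIZE;
}

/* Hardened pattern: bound the write with the destination size and refuse
 * the request on truncation rather than silently continuing. Returns the
 * message length, or -1 if it did not fit (out is then empty). */
int format_rename_safe(char *out, size_t out_size, const char *src_name, const char *dst_name)
{
    int n = snprintf(out, out_size, "rename %s -> %s", src_name, dst_name);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Helper for a self-check: formats a short pair into a local buffer and
 * returns the length the safe formatter reports. */
int short_names_length(void)
{
    char out[MSG_BUF_SIZE];
    return format_rename_safe(out, sizeof out, "alice", "bob");
}

/* Helper for a self-check: builds a constructed 200-character name and
 * returns 1 if both the measuring helper and the safe formatter reject it. */
int long_name_rejected(void)
{
    char big[201];
    char out[MSG_BUF_SIZE];
    memset(big, 'A', 200);
    big[200] = '\0';
    return would_overflow(big, "bob") == 1
        && format_rename_safe(out, sizeof out, big, "bob") == -1
        && out[0] == '\0';
}

int main(void)
{
    char out[MSG_BUF_SIZE];
    int n = format_rename_safe(out, sizeof out, "alice", "bob");
    printf("safe formatter returned %d: \"%s\"\n", n, out);
    printf("200-char name rejected by both checks: %d\n", long_name_rejected());
    return 0;
}
```

The hardened version is only as good as its error handling: snprintf() alone prevents the overwrite, but a caller that ignores the return value will continue with a silently truncated string, which is why the formatter reports truncation as a failure rather than returning the partial result.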

Although these particular bugs seem quite hard to exploit, they probably represent the three most fundamental and well-known coding errors on the planet. To see them emerge simultaneously in a front line security application used by such a huge public is quite saddening.
