TUCoPS :: Unix :: General :: kerb2-2.htm

Kerberos V Buffer Overflow
Vulnerability
 Kerberos V
Affected
 Sites running setuid or setgid Kerberos IV programs and using the
 Kerberos IV compatibility libraries in Kerberos V 1.0 are
 vulnerable to the environment-variable config file buffer overflow.
Description
 The following information is based on the Secure Networks Inc.
 security advisory.
 Kerberos V sites which are running Kerberos IV programs and using
 the Kerberos IV compatibility libraries, including certain Bones
 derived Kerberos IV implementations, are vulnerable to a local
 buffer overflow. The problem is exploitable if there are setuid
 or setgid programs (such as a Kerberized rlogin) which use
 Kerberos IV functions. The problem occurs because certain Kerberos
 programs permit the Kerberos configuration file to be specified
 via an environment variable and do not perform proper checking on
 the contents of the file that variable names.
 This problem stems from a feature in the Kerberos IV compatibility
 library under Kerberos V. Incorrect bounds checking is applied when
 reading configuration files whose location may be stipulated via an
 environment variable. If a malicious user stipulates a hand-crafted
 config file, they can overflow a buffer and seize root privileges if
 any setuid program calls the problem functions in the library.
 The following code in src/lib/krb4/g_krbhst.c illustrates the
 problem:
 int INTERFACE
 krb_get_krbhst(h,r,n)
 char *h;
 char *r;
 int n;
 {
     FILE *cnffile, *krb__get_cnffile();
     char tr[REALM_SZ];          /* fixed-size realm name buffer */
     char linebuf[BUFSIZ];
     register int i;

     /* opened from $KRB_CONF when set, else the default config file */
     cnffile = krb__get_cnffile();
     if (!cnffile)
         return get_krbhst_default(h, r, n);
     /* unbounded "%s" into tr[REALM_SZ]: a first token longer than
        REALM_SZ in the user-supplied file overruns the stack buffer */
     if (fscanf(cnffile,"%s",tr) == EOF)
         return get_krbhst_default(h, r, n);
     /* ... remainder of the function omitted in the advisory ... */
 Here the krb__get_cnffile() function returns a handle to the file
 named by the environment variable KRB_CONF, or a handle to the
 config file in the default location. The same set of problems,
 with a different environment variable name, exists in the KTH
 0.9.3, OpenBSD 2.0, and Cygnus R3 Bones derived Kerberos IV
 distributions. Setuid programs using Kerberos can therefore allow
 shell users to gain unauthorized root access to vulnerable systems.
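 The following hardened variant is an added example, not code from the
 MIT or Bones distributions: it bounds the fscanf read into tr[REALM_SZ]
 and declines the KRB_CONF override when real and effective ids differ.
 REALM_SZ is assumed to be 40; choose_cnffile_path, read_realm_bounded
 and probe are hypothetical helpers written for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#define REALM_SZ 40   /* assumed size of the krb4 tr[REALM_SZ] buffer */
/* Assumed helper (not MIT code): honour the KRB_CONF override only when real
 * and effective ids match, i.e. the program is not running setuid/setgid. */
const char *choose_cnffile_path(const char *env_value, uid_t ruid, uid_t euid,
                                gid_t rgid, gid_t egid, const char *dflt)
{
    if (env_value == NULL || env_value[0] == '\0' || ruid != euid || rgid != egid)
        return dflt;
    return env_value;
}
/* Bounded replacement for fscanf(cnffile, "%s", tr): the field width caps the
 * copy at REALM_SZ-1 chars plus the NUL. Returns 1 on success, 0 if no token
 * was read (empty file), -1 if the realm name did not fit in tr. */
int read_realm_bounded(FILE *cnffile, char *tr)
{
    char fmt[16];
    int c;
    snprintf(fmt, sizeof fmt, "%%%ds", REALM_SZ - 1);   /* builds "%39s" */
    if (fscanf(cnffile, fmt, tr) != 1)
        return 0;
    /* A non-whitespace character right after the token means the name was
     * longer than the buffer: report it instead of silently truncating. */
    c = fgetc(cnffile);
    if (c != EOF && !isspace(c))
        return -1;
    return 1;
}
/* Run the bounded reader over a constructed config-file body held in a
 * tmpfile(). Returns the reader's status, -2 if the realm read differs from
 * `expected`, or -3 if the temporary file could not be created. */
int probe(const char *body, const char *expected)
{
    char tr[REALM_SZ];
    int rc;
    FILE *f = tmpfile();
    if (f == NULL)
        return -3;
    fputs(body, f);
    rewind(f);
    rc = read_realm_bounded(f, tr);
    fclose(f);
    if (rc == 1 && strcmp(tr, expected) != 0)
        return -2;
    return rc;
}
```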
 In addition, a number of Bones derived Kerberos IV implementations
 have had an environment-variable-based config file override feature
 added. The KTH (version 0.9.3) distribution, the one in OpenBSD
 2.0 as well as OpenBSD-current prior to 27 March 1997, and the
 Cygnus R3 distribution all appear to have this problem.
Solution
 The standard vanilla MIT Kerberos IV code is NOT vulnerable to
 this problem.
 The problems described in Kerberos V are fixed by updating your
 Kerberos installation to Kerberos V 1.0 patch level 1. Information
 about obtaining the update to Kerberos V can be found at
 http://web.mit.edu/kerberos/www/krb5-1.0/announce.html
 OpenBSD users should update to OpenBSD-current via anoncvs, and
 recompile their kerberos libraries.
 Cygnus plans to release patches for the Cygnus Kerberos
 distributions shortly.
