TUCoPS :: Unix :: General
:: kerb3-2.htm
Kerberos V telnet daemon Buffer Overflow
Vulnerability
Kerberos V
Affected
Any system running the Kerberos V 1.0 telnet daemon
Description
The following info is based on Secure Networks Inc. Security
Advisory.
Systems running the Kerberos V telnet daemon are vulnerable to a
buffer overflow in the Kerberized telnet daemon. This buffer
overflow can allow remote root access to unauthorized users.
The problem lies in the kerberized telnet daemon which due to
improper bounds checking of the TERM variable is vulnerable to a
remote buffer overflow.
The following function start_login() in sys_term.c illustrates the
problem :
...
char speed[128];
....
sprintf(speed, "%s/%d", (cp = getenv("TERM")) ? cp : "",
(def_rspeed> 0) ? def_rspeed : 9600);
...
By this, remote individuals can gain root access to hosts running
the Kerberos V telnet daemon.
Solution
The problems described in Kerberos V are fixed by updating your
Kerberos installation to Kerberos V 1.0 patch level 1. Information
about obtaining the update to Kerberos V can be found at:
http://web.mit.edu/kerberos/www/krb5-1.0/announce.html
The MIT Kerberos Team announced the availability of MIT Kerberos V5
Release 1.0.2. This release is a bug-fix release only and it fixes
a potential security vulnerability in telnetd that may allow a
remote user to gain root privileges on systems with a broken
tgetent() library function. The simplest way to get the new
patchlevel 1 release is via the Web. Use the following URL:
http://web.mit.edu/network/kerberos-form.html
OpenBSD users should update to OpenBSD-current via anoncvs, and
recompile their kerberos libraries.
Cygnus plans to release patches for the Cygnus Kerberos
distributions shortly.