exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MITKRB5-SA-2004-001.txt

MITKRB5-SA-2004-001.txt
Posted Jun 2, 2004
Authored by Christopher Nebergall, Nico Williams

MIT krb5 Security Advisory 2004-001 - The krb5_aname_to_localname() library function contains multiple buffer overflows which could be exploited to gain unauthorized root access. Exploitation of these flaws requires an unusual combination of factors, including successful authentication to a vulnerable service and a non-default configuration on the target service.

tags | advisory, overflow, root
SHA-256 | 7cfc54ec053d139beffb7bab5ac5297855b62e23eb7d90b6c494e5f59da7df6a

MITKRB5-SA-2004-001.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

MIT krb5 Security Advisory 2004-001

2004-06-01

Topic: buffer overflows in krb5_aname_to_localname

Severity: serious

SUMMARY
=======

The krb5_aname_to_localname() library function contains multiple
buffer overflows which could be exploited to gain unauthorized root
access. Exploitation of these flaws requires an unusual combination
of factors, including successful authentication to a vulnerable
service and a non-default configuration on the target service. (See
MITIGATING FACTORS below.) No exploits are known to exist yet.

IMPACT
======

A remote attacker can potentially execute arbitrary code on hosts
running vulnerable services.

MITIGATING FACTORS
==================

Only configurations which enable the explicit mapping or rules-based
mapping functionality of krb5_aname_to_localname() are vulnerable.
These configurations are not the default.

If the explicit mapping functionality is enabled, an attacker must
authenticate using a principal name listed in the explicit mapping
list.

If the rules-based mapping functionality is enabled, an attacker must
be able to create arbitrary principal names either in the local
Kerberos realm or in a remote realm from which the local realm's
services are reachable by cross-realm authentication.

AFFECTED SOFTWARE
=================

All releases of MIT Kerberos 5, up to and including krb5-1.3.3.

The upcoming krb5-1.3.4 release will contain a fix for this problem.

Affected services contained in these releases include the remote login
applications (e.g., ftp, rsh, rlogin, telnet), as well as ksu.
Third-party application servers using the affected functionality of
the krb5 library may be vulnerable.

These services are only vulnerable in non-default configurations.

FIXES
=====

* If you are using the vulnerable functionality, consider disabling it
immediately. Complete disabling of any configuration of explicit
mapping or rules-based mapping should prevent exploitation.

* The upcoming krb5-1.3.4 release will contain a fix for this problem.

* Apply the following patch to src/lib/krb5/os/an_to_ln.c, and
recompile the affected libraries and applications.

Index: an_to_ln.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/os/an_to_ln.c,v
retrieving revision 5.39
diff -c -r5.39 an_to_ln.c
*** an_to_ln.c 2002/09/03 19:29:34 5.39
- --- an_to_ln.c 2004/05/14 19:39:21
***************
*** 270,278 ****
* If no regcomp() then just return the input string verbatim in the output
* string.
*/
! static void
do_replacement(char *regexp, char *repl, int doall, char *in, char *out)
{
#if HAVE_REGCOMP
regex_t match_exp;
regmatch_t match_match;
- --- 270,283 ----
* If no regcomp() then just return the input string verbatim in the output
* string.
*/
! #define use_bytes(x) \
! out_used += (x); \
! if (out_used > MAX_FORMAT_BUFFER) goto mem_err
!
! static int
do_replacement(char *regexp, char *repl, int doall, char *in, char *out)
{
+ size_t out_used = 0;
#if HAVE_REGCOMP
regex_t match_exp;
regmatch_t match_match;
***************
*** 287,303 ****
do {
if (!regexec(&match_exp, cp, 1, &match_match, 0)) {
if (match_match.rm_so) {
strncpy(op, cp, match_match.rm_so);
op += match_match.rm_so;
}
strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
op += strlen(op);
cp += match_match.rm_eo;
! if (!doall)
strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 1;
}
else {
strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 0;
}
- --- 292,313 ----
do {
if (!regexec(&match_exp, cp, 1, &match_match, 0)) {
if (match_match.rm_so) {
+ use_bytes(match_match.rm_so);
strncpy(op, cp, match_match.rm_so);
op += match_match.rm_so;
}
+ use_bytes(strlen(repl));
strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
op += strlen(op);
cp += match_match.rm_eo;
! if (!doall) {
! use_bytes(strlen(cp));
strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
+ }
matched = 1;
}
else {
+ use_bytes(strlen(cp));
strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 0;
}
***************
*** 322,338 ****
- --- 332,352 ----
sdispl = (size_t) (loc1 - cp);
edispl = (size_t) (loc2 - cp);
if (sdispl) {
+ use_bytes(sdispl);
strncpy(op, cp, sdispl);
op += sdispl;
}
+ use_bytes(strlen(repl));
strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
op += strlen(repl);
cp += edispl;
if (!doall)
+ use_bytes(strlen(cp));
strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 1;
}
else {
+ use_bytes(strlen(cp));
strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 0;
}
***************
*** 340,346 ****
- --- 354,368 ----
#else /* HAVE_REGEXP_H */
memcpy(out, in, MAX_FORMAT_BUFFER);
#endif /* HAVE_REGCOMP */
+ return 1;
+ mem_err:
+ #ifdef HAVE_REGCMP
+ regfree(&match_exp);
+ #endif
+ return 0;
+
}
+ #undef use_bytes

/*
* aname_replacer() - Perform the specified substitutions on the input
***************
*** 412,418 ****

/* Do the replacemenbt */
memset(out, '\0', MAX_FORMAT_BUFFER);
! do_replacement(rule, repl, doglobal, in, out);
free(rule);
free(repl);

- --- 434,445 ----

/* Do the replacemenbt */
memset(out, '\0', MAX_FORMAT_BUFFER);
! if (!do_replacement(rule, repl, doglobal, in, out)) {
! free(rule);
! free(repl);
! kret = KRB5_LNAME_NOTRANS;
! break;
! }
free(rule);
free(repl);

***************
*** 459,464 ****
- --- 486,492 ----
char *fprincname;
char *selstring = 0;
int num_comps, compind;
+ size_t selstring_used;
char *cout;
krb5_data *datap;
char *outstring;
***************
*** 479,484 ****
- --- 507,513 ----
*/
current = strchr(current, ':');
selstring = (char *) malloc(MAX_FORMAT_BUFFER);
+ selstring_used = 0;
if (current && selstring) {
current++;
cout = selstring;
***************
*** 497,502 ****
- --- 526,539 ----
aname,
compind-1))
) {
+ if ((datap->length < MAX_FORMAT_BUFFER)
+ && (selstring_used+datap->length
+ < MAX_FORMAT_BUFFER)) {
+ selstring_used += datap->length;
+ } else {
+ kret = ENOMEM;
+ goto errout;
+ }
strncpy(cout,
datap->data,
(unsigned) datap->length);
***************
*** 527,533 ****
else
kret = KRB5_CONFIG_BADFORMAT;

! if (kret)
free(selstring);
}
}
- --- 564,570 ----
else
kret = KRB5_CONFIG_BADFORMAT;

! errout: if (kret)
free(selstring);
}
}
***************
*** 643,649 ****
const char *hierarchy[5];
char **mapping_values;
int i, nvalid;
! char *cp;
char *typep, *argp;
unsigned int lnsize;

- --- 680,686 ----
const char *hierarchy[5];
char **mapping_values;
int i, nvalid;
! char *cp, *s;
char *typep, *argp;
unsigned int lnsize;

***************
*** 677,687 ****

/* Just use the last one. */
/* Trim the value. */
! cp = &mapping_values[nvalid-1]
! [strlen(mapping_values[nvalid-1])];
! while (isspace((int) (*cp))) cp--;
! cp++;
! *cp = '\0';

/* Copy out the value if there's enough room */
if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize)
- --- 714,727 ----

/* Just use the last one. */
/* Trim the value. */
! s = mapping_values[nvalid-1];
! cp = s + strlen(s);
! while (cp > s) {
! cp--;
! if (!isspace((int)(*cp)))
! break;
! *cp = '\0';
! }

/* Copy out the value if there's enough room */
if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize)

The patch was generated against krb5-1.3.3; it may apply, with some
offset, to other releases.

This patch may also be found at:

https://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt

The associated detached PGP signature is at:

https://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt.asc

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

https://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

https://web.mit.edu/kerberos/index.html

ACKNOWLEDGMENTS
===============

Thanks to Christopher Nebergall for finding the single-byte overflow.

Thanks to Nico Williams for finding a vulnerability in the rules-based
mapping.

Thanks to Matt Crawford for useful comments.

DETAILS
=======

krb5_aname_to_localname() translates a Kerberos principal name to a
local account name, typically a UNIX username. In the file
src/lib/krb5/os/an_to_ln.c, the helper functions aname_replacer(),
do_replacement(), and rule_an_to_ln() do not perform adequate checks
of the lengths of strings which contain the name of the principal
whose authorization is being checked. This can result in the overflow
of heap buffers when an attacker authenticates using a sufficiently
long principal name.

In addition, the implementation of the explicit mapping functionality
in krb5_aname_to_localname() consistently writes a zero byte at a
location one byte past the end of a heap buffer when handling a
principal name matching an explicit mapping. Single-byte overflows of
heap buffers are known to be exploitable on some architectures. The
vulnerability in the explicit mapping functionality was fixed around
December 2003 in the development sources, but the fix was not
propagated to the krb5-1.3.x release branch.

REVISION HISTORY
================

2004-06-01 original release

Copyright (C) 2004 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBQLzhKKbDgE/zdoE9AQEIQAP+Nr2GZig5o2TM/0hxmuSDKuDCHQ8k4KBr
NCucgV8qVfhXw6MLX+PLX96CniyaFjuKGlS6PS7z2eTRt6qsvxohR1gAfZ7olN5u
pDOl5/D9CXnNqwz5ulh7TiaWuVXZab5RfjveZSvxi2fR2CCdUnBab/J4jzOeQyl+
bjJPpeMJiQE=
=yGUt
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close