Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16560
HistoryApr 04, 2007 - 12:00 a.m.

MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]

2007-04-0400:00:00
vulners.com
23
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             MIT krb5 Security Advisory 2007-002

Original release: 2007-04-03
Last update: 2007-04-03

Topic: KDC, kadmind stack overflow in krb5_klog_syslog

Severity: CRITICAL

CVE: CVE-2007-0957
CERT: VU#704024

SUMMARY

The library function krb5_klog_syslog() can write past the end of a
stack buffer. The Kerberos administration daemon (kadmind) as well as
the KDC, are vulnerable. Exploitation of this vulnerability is
probably simple.

This is a vulnerability in the the kadm5 library, which is used by the
KDC and kadmind, and possibly by some third-party applications. It is
not a bug in the MIT krb5 protocol libraries or in the Kerberos
protocol.

IMPACT

An authenticated user may be able to cause a host running kadmind to
execute arbitrary code.

An authenticated user may be able to cause a KDC host to execute
arbitrary code. Also, a user controlling a Kerberos realm sharing a
key with the target realm may be able to cause a KDC host to execute
arbitrary code.

Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs. (kadmind and the
KDC typically run as root.) Unsuccessful exploitation attempts will
likely result in the affected program crashing.

Third-party applications which call krb5_klog_syslog() may also be
vulnerable.

AFFECTED SOFTWARE

  • MIT krb5 releases through krb5-1.6

FIXES

  • The upcoming krb5-1.6.1 release will contain a fix for this
    vulnerability.

Prior to that release you may:

  • apply the patch

    The patch is available at

    http://web.mit.edu/kerberos/advisories/2007-002-patch.txt

    A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisories/2007-002-patch.txt.asc

    Systems which definitely provide vsnprintf() may not need the entire
    patch; see "DETAILS".

    Please note that releases prior to krb5-1.5 will require additional
    changes to the configure script src/lib/kadm5/configure in order to
    correctly detect the presence of vsnprintf(). krb5-1.5 and later
    releases already check for vsnprintf() in the top-level configure
    script, and do not have a separate src/lib/kadm5/configure script.

REFERENCES

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-0957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0957

CERT: VU#704024
http://www.kb.cert.org/vuls/id/704024

ACKNOWLEDGMENTS

We thank iDefense Labs for notifying us of this vulnerability.
iDefense credits an anonymous discoverer.

DETAILS

krb5_klog_syslog() uses vsprintf() to format text into a fixed-length
stack buffer. Format specifiers such as "%s" used in calls to
krb5_klog_syslog() may allow formatting of strings of sufficient
length to overwrite memory past the end of the stack buffer.

Certain strings received from the client by the kadmin daemon are not
truncated prior to logging. Among these strings is the target
principal for the kadmin operation.

The KDC truncates most client-originated strings prior to logging.
One sort of string which is not truncated is a transited-realms
string. A malicious KDC sharing a key with the target realm may issue
tickets with specially-crafted transited-realms strings to exploit
this vulnerability. There are other places where an authenticated
user may cause the KDC to log a string which triggers the
vulnerability.

On a system where vsnprintf() is confirmed to be available, the
patches to files other than src/lib/kadm5/logger.c may not be
necessary to prevent a buffer overflow; these patches are still useful
to prevent malicious users from causing vsnprintf() to obliterate
useful log information by means of truncation.

REVISION HISTORY

2007-04-03 original release

Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRhKVS6bDgE/zdoE9AQJlZgQAq/IvVdpkf3VNViwuZaAJ31+mqq17gKqX
9DkxkvpPD2b5/8N/ouywP/ODCpYpT9Y+mU+Cw/hEfL2otv/o1HJcV7CXPRCEFODs
YKpi2Sahcxs+jl1ZQfsY63oay6urZ0PTcrZTFQuqOv8B0wVd0XUwrSkBLejZszL3
YUFR4W+wtbg=
=GsBC
-----END PGP SIGNATURE-----

Related

checkpoint_advisories 1
openvas 41
prion 1
nessus 15
debiancve 1
cve 1
ubuntucve 1
securityvulns 2
cert 1
packetstorm 1
fedora 7
centos 2
debian 1
gentoo 1
suse 1
osv 1
redhat 1
ubuntu 1
oraclelinux 1
vmware 1
checkpoint_advisories
checkpoint_advisories
MIT Kerberos V5 KAdminD klog_vsyslog Server Stack Buffer Overflow (CVE-2007-0957)
2010-07-27 00:00:00
openvas
openvas
Solaris Update for libkadm5 112921-09
2009-06-03 00:00:00
Solaris Update for kpasswd, libgss.so.1 and libkadm5clnt.so.1 109224-11
2009-09-23 00:00:00
Solaris Update for krb5 krb5kdc 116045-02
2009-06-03 00:00:00
prion
prion
Stack overflow
2007-04-06 01:19:00
nessus
nessus
Solaris 8 (x86) : 109224-10
2005-04-17 00:00:00
Solaris 8 (sparc) : 109223-10
2005-04-17 00:00:00
Solaris 5.8 (sparc) : 110061-22
2009-04-23 00:00:00
debiancve
debiancve
CVE-2007-0957
2007-04-06 01:19:00
cve
cve
CVE-2007-0957
2007-04-06 01:19:00
ubuntucve
ubuntucve
CVE-2007-0957
2007-04-06 00:00:00
securityvulns
securityvulns
iDefense Security Advisory 04.03.07: Multiple Vendor Kerberos kadmind Buffer Overflow Vulnerability
2007-04-04 00:00:00
Mltiple MIT Kerberos security vulnerabilities
2007-04-11 00:00:00
cert
cert
MIT Kerberos 5 administration daemon stack overflow in krb5_klog_syslog()
2007-04-03 00:00:00
packetstorm
packetstorm
kadmind-overflow.txt
2007-04-11 00:00:00
fedora
fedora
[SECURITY] Fedora Core 6 Update: krb5-1.5-21
2007-04-03 20:13:33
[SECURITY] Fedora 7 Update: krb5-1.6.1-2.1.fc7
2007-06-28 01:54:45
[SECURITY] Fedora Core 5 Update: krb5-1.4.3-5.4
2007-04-03 20:14:48
centos
centos
krb5 security update
2007-04-04 00:33:54
krb5 security update
2007-04-03 21:56:56
debian
debian
[SECURITY] [DSA 1276-1] New krb5 packages fix several vulnerabilities
2007-04-03 21:15:24
gentoo
gentoo
MIT Kerberos 5: Arbitrary remote code execution
2007-04-03 00:00:00
suse
suse
remote code execution in krb5
2007-04-05 12:20:17
osv
osv
krb5 - several vulnerabilities
2007-04-03 00:00:00
redhat
redhat
(RHSA-2007:0095) Critical: krb5 security update
2007-04-03 00:00:00
ubuntu
ubuntu
krb5 vulnerabilities
2007-04-04 00:00:00
oraclelinux
oraclelinux
Critical: krb5 security update
2007-04-04 00:00:00
vmware
vmware
Updated Service Console packages (XFree86, UP and SMP kernels, Kerberos libraries) resolve security issues.
2007-07-05 00:00:00
JSON
Related for SECURITYVULNS:DOC:16560
checkpoint_advisories1openvas41prion1nessus15debiancve1cve1ubuntucve1securityvulns2cert1packetstorm1fedora7centos2debian1gentoo1suse1osv1redhat1ubuntu1oraclelinux1vmware1