Date: 13 November 2002
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2002.628 -- FreeBSD-SA-02:40.kadmind
Buffer overflow in kadmind daemon
13 November 2002
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kadmind
crypto_heimdal
crypto_kerberosIV
heimdal
krb5
Vendor: FreeBSD
Operating System: FreeBSD prior to and including 4.7-RELEASE
Impact: Root Compromise
Access Required: Remote
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:40.kadmind Security Advisory
The FreeBSD Project
Topic: Buffer overflow in kadmind daemon
Category: core, ports
Module: crypto_heimdal, crypto_kerberosIV, heimdal, krb5
Announced: 2002-11-12
Credits: Johan Danielsson <joda@pdc.kth.se>,
Sam Hartman <hartmans@mit.edu>,
Love Hoernquist-Astrand <lha@stacken.kth.se>,
Tom Yu <tlyu@mit.edu>
Affects: All releases prior to and including FreeBSD 4.7-RELEASE.
Corrected: 2002-10-23 13:07:44 UTC (RELENG_4)
2002-10-23 13:21:32 UTC (RELENG_4_7)
2002-10-23 13:21:02 UTC (RELENG_4_6)
2002-10-23 13:20:19 UTC (RELENG_4_5)
2002-10-23 13:19:46 UTC (RELENG_4_4)
2002-10-24 02:52:00 UTC (RELENG_3)
2002-10-23 22:30:39 UTC (krb5 port, krb5-1.2.6_1)
2002-10-24 15:01:11 UTC (heimdal port, heimdal-0.5.1)
FreeBSD only: NO
I. Background
The Kerberos 4 administrative server, kadmind, runs on the Kerberos
Key Distribution Center (KDC) and provides administrative access to
the Kerberos database. It is part of the KTH Kerberos 4
implementation. The Kerberos 5 administrative server, k5admind,
provides the same function in the Heimdal Kerberos 5 implementation,
and includes a Kerberos 4 compatibility feature.
The k5admind server is installed as part of the `krb5' distribution,
or when building from source with MAKE_KERBEROS5 set. The kadmind
server is installed as part of the `krb4' distribution, or when
building from source with MAKE_KERBEROS4 set. Neither is installed by
default.
The Heimdal Kerberos 5 administrative server is also available as part
of the heimdal port (ports/security/heimdal). The MIT Kerberos 5
implementation also includes a Kerberos 5 administrative server
(ports/security/krb5). The MIT Kerberos 5 administrative server is
named `kadmind'.
II. Problem Description
A stack buffer overflow is present in the Kerberos 4 administrative
server, kadmind, and in the Kerberos 4 compatibility layer of the
Kerberos 5 administrative server, k5admind.
III. Impact
A remote attacker may send a specially formatted request to k5admind
or kadmind, triggering the stack buffer overflow and potentially
causing the administrative server to execute arbitrary code as root on
the KDC. The attacker need not be authenticated in order to trigger
the bug. Compromise of the KDC has an especially large impact, as
theft of the Kerberos database could allow an attacker to impersonate
any Kerberos principal in the realm(s) present in the database.
IMPORTANT NOTE: According to the MIT security team, there is evidence
that this bug is being actively exploited.
IV. Workaround
Perform one of the following:
1) Disable kadmind and/or k5admind by performing the following:
Set kadmind_server_enable (for kadmind) and kadmind5_server_enable
(for k5admind) to "NO" in /etc/rc.conf.
Check /etc/inetd.conf to verify that kadmind and k5admind are
not being started from inetd.
Check that kadmind is not running as a service by executing the
following command:
# ps axlwww | egrep 'kadmind|k5admind'
If kadmind or k5admind are running, kill them by executing the
following command as root:
# kill <process id of kadmind or k5admind>
2) Deinstall the heimdal or krb5 port/packages if installed.
V. Solution
Do one of the following:
1) Upgrade your vulnerable system to 4.7-STABLE; or to the RELENG_4_7,
RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the
correction date.
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 4.4, FreeBSD
4.5, FreeBSD 4.6, and FreeBSD 4.7 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:40/kadmin.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:40/kadmin.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/kerberos5/libexec/k5admind
# make depend && make all install
# cd /usr/src/kerberosIV/usr.sbin/kadmind
# make depend && make all install
If you have the `heimdal' or `krb5' port/package installed, then do
one of the following:
1) Upgrade your entire ports collection and rebuild the port.
2) Download a new port skeleton for the heimdal or krb5 port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
3) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Path Revision
Branch
- - -------------------------------------------------------------------------
src/crypto/heimdal/kadmin/version4.c
RELENG_4 1.1.1.1.2.4
RELENG_4_7 1.1.1.1.2.3.2.1
RELENG_4_6 1.1.1.1.2.1.8.1
RELENG_4_5 1.1.1.1.2.1.6.1
RELENG_4_4 1.1.1.1.2.1.4.1
src/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
RELENG_4 1.1.1.3.2.1
RELENG_4_7 1.1.1.3.12.1
RELENG_4_6 1.1.1.3.10.1
RELENG_4_5 1.1.1.3.8.1
RELENG_4_4 1.1.1.3.6.1
src/kerberosIV/include/version.h
RELENG_4 1.3.2.1
RELENG_4_7 1.3.12.1
RELENG_4_6 1.3.10.1
RELENG_4_5 1.3.8.1
RELENG_4_4 1.3.6.1
src/kerberos5/include/version.h
RELENG_4 1.2.2.6
RELENG_4_7 1.2.2.5.2.1
RELENG_4_6 1.2.2.3.2.1
RELENG_4_5 1.2.2.2.4.1
RELENG_4_4 1.2.2.2.2.1
- - -------------------------------------------------------------------------
For Heimdal Kerberos 5 and MIT Kerberos 5 found in the FreeBSD Ports
Collection, the first corrected versions are:
ports/security/heimdal heimdal-0.5.1
ports/security/krb5 krb5-1.2.6_1
VII. References
<URL:http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt>
<URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc>
<URL:http://www.pdc.kth.se/heimdal/>
<URL:http://www.pdc.kth.se/kth-krb/>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iQCVAwUBPdFHs1UuHi5z0oilAQFH2wP/X8LODwBJpU07idHIJoxoaSeVnISEKz1o
580Koss/zgt/vcItvqssdGDBaBMa0XFz4JQaUOX4WYEACuguR+1wAxmiMseqyzyK
EHXPO5Igqb3V+5J2SBl3Skwx3Z5QEDlBQXRpVBPYl6HBPTV2QBjjBY9L0B/6hPao
74KIgvrEix0=
=oVsJ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBPdJ2myh9+71yA2DNAQEJGwP+NDBy3G0XXizSqtPggQovqGlNp6q/rawN
veFGZz6QrcMEQyVBWjk6ZPXf8oIvUZCMrcRQUzVZHOSiqKSGnReVVmdyTtxXES/j
VR5eAUUZZ6iGNMqL0Tj4MuLxZjTIvot3TWEUk1H3hLWqGXbyge+TkUPUiWirPjqg
ijfHL1j+aik=
=Ufus
-----END PGP SIGNATURE-----
|