AU-2007.0019 -- AusCERT Update - [UNIX/Linux] - MIT krb5 Security Advisory 2007-006 Update
Date: 06 September 2007
References: AL-2007.0107, ESB-2007.0681, ESB-2007.0683, AU-2007.0020, ESB-2007.0913
AusCERT Update
AU-2007.0019 - [UNIX/Linux]
MIT krb5 Security Advisory 2007-006 Update
6 September 2007

AusCERT Update Summary
----------------------
Product:            kadmind versions krb5-1.6.2 and prior
Publisher:          MIT Kerberos
Operating System:   UNIX variants (UNIX, Linux, OSX)
Impact:             Execute Arbitrary Code/Commands
Access:             Remote/Unauthenticated
CVE Names:          CVE-2007-4000 CVE-2007-3999
Ref:                AL-2007.0107

Original Bulletin:
  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt

Comment: A problem was discovered with the patch for CVE-2007-3999 that
         could still leave a system vulnerable. A new (updated) patch has
         been released to correct this.

--------------------------BEGIN INCLUDED TEXT--------------------

The MIT Kerberos Team has discovered a problem with the originally
published patch for svc_auth_gss.c [CVE-2007-3999], which allowed a
32-byte overflow. Depending on the compilation environment and machine
architecture, this may or may not be a significant continued
vulnerability. The new patch in the updated advisory (below) correctly
checks the buffer length.

Thanks to Kevin Coffman (UMich), Will Fiveash (Sun), and Nico Williams
(Sun) for discovering the bug in the initial CVE-2007-3999 patch and
for help with developing the revised patch for CVE-2007-3999.

====================================================================
                 MIT krb5 Security Advisory 2007-006

Original release: 2007-09-04
Last update: 2007-09-05

Topic: kadmind RPC lib buffer overflow, uninitialized pointer

[CVE-2007-3999/VU#883632] RPC library buffer overflow

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      10
Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8
Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

[CVE-2007-4000/VU#377544] kadmind uninitialized pointer

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

See DETAILS for the expanded CVSSv2 metrics for this vulnerability.

SUMMARY
=======

This advisory concerns two vulnerabilities. CVE-2007-3999 is much easier
to exploit than CVE-2007-4000.

[CVE-2007-3999]

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a
stack buffer overflow in the RPCSEC_GSS authentication flavor of the RPC
library. Third-party applications using the RPC library provided with
MIT krb5 may also be affected. We have received a proof-of-concept
exploit that does not appear to execute malicious code, and we believe
that this exploit is not publicly circulated.

This is a bug in the RPC library in MIT krb5. It is not a bug in the
Kerberos protocol.

[CVE-2007-4000]

The MIT krb5 Kerberos administration daemon (kadmind) can write data
through an uninitialized pointer. We know of no working exploit code for
this vulnerability, and do not believe that any exploit code for this
vulnerability is circulating.

This is a bug in the kadmind in MIT krb5. It is not a bug in the Kerberos
protocol.

IMPACT
======

[CVE-2007-3999]

An unauthenticated remote user may be able to cause a host running
kadmind to execute arbitrary code.
[CVE-2007-4000]

An authenticated user with "modify policy" privilege may be able to
cause a host running kadmind to execute arbitrary code.

Successful exploitation of either vulnerability can compromise the
Kerberos key database and host security on the KDC host. (kadmind
typically runs as root.) Unsuccessful exploitation attempts will likely
result in kadmind crashing.

Third-party applications calling the RPC library provided with MIT krb5
may be vulnerable to CVE-2007-3999.

AFFECTED SOFTWARE
=================

[CVE-2007-3999]

* kadmind in MIT releases krb5-1.4 through krb5-1.6.2

* third-party RPC server programs linked against the RPC library
  included in MIT releases krb5-1.4 through krb5-1.6.2

* MIT releases prior to krb5-1.4 did not contain the vulnerable code

[CVE-2007-4000]

* kadmind in MIT releases krb5-1.5 through krb5-1.6.2

* MIT releases prior to krb5-1.5 did not contain the vulnerable code

FIXES
=====

* The patch for CVE-2007-3999 has been revised; the patch originally
  released for svc_auth_gss.c allowed a 32-byte overflow. Depending on
  the compilation environment and machine architecture, this may or may
  not be a significant continued vulnerability. The new patch below
  correctly checks the buffer length.

* The upcoming krb5-1.6.3 release, as well as the upcoming krb5-1.5.5
  maintenance release, will contain fixes for this vulnerability. Prior
  to that release you may apply the following patch. Note that releases
  prior to krb5-1.5 will not need the svr_policy.c patch.

*** src/lib/kadm5/srv/svr_policy.c (revision 20254) - - --- src/lib/kadm5/srv/svr_policy.c (local) *************** *** 211,218 **** if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; ! ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt); ! if( ret && (cnt==0) ) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) - - --- 211,219 ---- if((mask & KADM5_POLICY)) return KADM5_BAD_MASK; ! if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) ! return ret; ! 
if (cnt != 1) return KADM5_UNK_POLICY; if ((mask & KADM5_PW_MAX_LIFE)) *** src/lib/rpc/svc_auth_gss.c (revision 20474) - - --- src/lib/rpc/svc_auth_gss.c (local) *************** *** 355,360 **** - - --- 355,369 ---- memset(rpchdr, 0, sizeof(rpchdr)); /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */ + oa = &msg->rm_call.cb_cred; + if (oa->oa_length > MAX_AUTH_BYTES) + return (FALSE); + + /* 8 XDR units from the IXDR macro calls. */ + if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + + RNDUP(oa->oa_length))) + return (FALSE); + buf = (int32_t *)(void *)rpchdr; IXDR_PUT_LONG(buf, msg->rm_xid); IXDR_PUT_ENUM(buf, msg->rm_direction); *************** *** 362,368 **** IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); - - - oa = &msg->rm_call.cb_cred; IXDR_PUT_ENUM(buf, oa->oa_flavor); IXDR_PUT_LONG(buf, oa->oa_length); if (oa->oa_length) { - - --- 371,376 ----

This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-006-patch.txt

A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-006-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

  http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

  http://web.mit.edu/kerberos/index.html

CVSSv2:

  http://www.first.org/cvss/cvss-guide.html
  http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2007-3999
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3999

CERT: VU#883632
  http://www.kb.cert.org/vuls/id/883632

CVE: CVE-2007-4000
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4000

CERT: VU#377544
  http://www.kb.cert.org/vuls/id/377544

ACKNOWLEDGMENTS
===============

Thanks to Kevin Coffman (UMich), Will Fiveash (Sun), and Nico Williams
(Sun) for discovering the bug in the initial CVE-2007-3999 patch and for
help with developing the revised patch for CVE-2007-3999.

CVE-2007-3999 was discovered by Tenable Network Security and reported to
MIT Kerberos Team by the Zero Day Initiative (ZDI) of the TippingPoint
division of 3Com.

CVE-2007-4000 was discovered by Garrett Wollman of MIT CSAIL.

DETAILS
=======

[CVE-2007-3999]

The implementation of the RPCSEC_GSS authentication flavor copies
untrusted data having an inadequately-validated length into a buffer on
the stack. In the function svcauth_gss_validate() in
src/lib/rpc/svc_auth_gss.c, which authenticates the incoming RPC message,
a memcpy() invocation copies a number of bytes into the 128-byte stack
buffer "rpchdr". The length provided to this memcpy() invocation comes
from the RPC header and may be maliciously chosen. The invocation of
xdr_callmsg(), which provides the decoded rpc_msg structure used by
svcauth_gss_validate(), ensures that the provided length does not exceed
MAX_AUTH_BYTES, which is 400, but the destination buffer is smaller than
this size and can be trivially overflowed. The vulnerable code executes
prior to the completion of authentication of the RPC message, and
therefore requires no authentication to exploit. Exploitation of stack
buffer overflows is trivial on many platforms.

[CVE-2007-4000]

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.1
Access Vector:          Network
Access Complexity:      High
Authentication:         Single
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  5.6
Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The function kadm5_modify_policy_internal() in
src/lib/kadm5/srv/svr_policy.c does not check the return values from
krb5_db_get_policy() correctly. When the policy does not exist,
krb5_db_get_policy() returns zero but sets the count of retrieved records
to zero without initializing the output pointer.
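Review bot: in the svr_policy.c hunk of the patch above, the old guard `if( ret && (cnt==0) )` only rejected the lookup when krb5_db_get_policy() both failed and returned no records, so the nonexistent-policy case (return 0, cnt == 0) fell through with p never assigned; the replacement checks ret first and then fails on `if (cnt != 1)`, which is the right order. Two points: `cnt != 1` also rejects counts greater than one, a behaviour change from the old code that the commit message should call out, and because the callee leaves the output pointer untouched on the empty path, initialising p to NULL at its declaration would turn any remaining slip into a null dereference instead of a write to an indeterminate address.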
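Review bot: in the svc_auth_gss.c hunk of the patch above, the second added check is the real fix, since it sizes the reconstructed header as `8 * BYTES_PER_XDR_UNIT + RNDUP(oa->oa_length)` against sizeof(rpchdr), while the first check against MAX_AUTH_BYTES repeats what xdr_callmsg() already enforces (per DETAILS) and is harmless belt and braces. The literal 8 is coupled to the number of IXDR_PUT_* calls that follow, which are spread across this hunk and the next, so anyone adding a header field must remember to bump it; a named constant next to those calls, or an assertion after the last put that `(char *)buf - rpchdr` does not exceed sizeof(rpchdr), would keep the two in step. Hoisting `oa = &msg->rm_call.cb_cred;` above the memset is what makes the deletion in the 362,368 hunk correct.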
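To make the revised bounds check concrete, here is an added example (my code, not MIT's svc_auth_gss.c): a cut-down model of the header rebuild in svcauth_gss_validate() guarded by the same arithmetic as the patch above. The struct layout, the eight header fields and the helpers are simplifying assumptions; BYTES_PER_XDR_UNIT, RNDUP, MAX_AUTH_BYTES and the 128-byte rpchdr follow the advisory.

```c
#include <stdint.h>
#include <string.h>

#define BYTES_PER_XDR_UNIT 4
#define RNDUP(x) ((((x) + BYTES_PER_XDR_UNIT - 1) / BYTES_PER_XDR_UNIT) * BYTES_PER_XDR_UNIT)
#define MAX_AUTH_BYTES 400   /* the bound xdr_callmsg() already enforces */
#define RPCHDR_SIZE    128   /* size of the stack buffer named in DETAILS */
#define HDR_XDR_UNITS  8     /* IXDR_PUT_* calls that precede the credential body */

/* Simplified stand-in (assumption) for the rpc_msg fields the rebuild uses. */
struct cred    { uint32_t oa_flavor, oa_length; const unsigned char *oa_base; };
struct callmsg { uint32_t xid, direction, rpcvers, prog, vers, proc; struct cred cb_cred; };

/* memcpy-based put so the byte buffer needs no int32_t alignment. */
static unsigned char *put_long(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); return p + 4; }

/* Rebuilds the header into rpchdr guarded the way the advisory's patch does it.
 * Returns the bytes the rebuild occupies, or -1 where the patch returns FALSE. */
int build_rpchdr(const struct callmsg *msg, unsigned char rpchdr[RPCHDR_SIZE])
{
    const struct cred *oa = &msg->cb_cred;
    if (oa->oa_length > MAX_AUTH_BYTES)
        return -1;
    /* The revised check: 8 XDR units plus the rounded credential length. */
    if ((uint32_t)RPCHDR_SIZE < HDR_XDR_UNITS * BYTES_PER_XDR_UNIT + RNDUP(oa->oa_length))
        return -1;
    memset(rpchdr, 0, RPCHDR_SIZE);
    unsigned char *buf = rpchdr;
    buf = put_long(buf, msg->xid);        buf = put_long(buf, msg->direction);
    buf = put_long(buf, msg->rpcvers);    buf = put_long(buf, msg->prog);
    buf = put_long(buf, msg->vers);       buf = put_long(buf, msg->proc);
    buf = put_long(buf, oa->oa_flavor);   buf = put_long(buf, oa->oa_length);
    if (oa->oa_length)
        memcpy(buf, oa->oa_base, oa->oa_length);  /* the copy that used to overflow */
    return (int)(HDR_XDR_UNITS * BYTES_PER_XDR_UNIT + RNDUP(oa->oa_length));
}

/* Constructed message carrying an n-byte credential; returns build_rpchdr's result.
 * 128 - 32 = 96 credential bytes is the most the buffer can take. */
int try_credential(uint32_t n)
{
    static const unsigned char body[MAX_AUTH_BYTES + 1] = {0};
    unsigned char hdr[RPCHDR_SIZE];
    struct callmsg m = { 1, 0, 2, 100, 1, 1, { 6, n, body } };
    return build_rpchdr(&m, hdr);
}
```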
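The krb5_db_get_policy() contract just described, as an added example (my code, not MIT's svr_policy.c) with a mock database and the old and new caller logic from the svr_policy.c hunk side by side. Names, types and return codes are simplified assumptions, and the old path is seeded with a sentinel so the stray write can be observed instead of being undefined behaviour.

```c
#include <string.h>

struct policy { const char *name; int pw_max_life; };
enum { OK = 0, UNK_POLICY = -1 };

/* Constructed one-record store; "default" is the only policy that exists. */
static struct policy store = { "default", 3600 };
int current_default_max_life(void) { return store.pw_max_life; }

/* Mock of the contract described in DETAILS: on a missing policy it returns
 * zero and sets *cnt to 0, but never touches *out. */
static int db_get_policy(const char *name, struct policy **out, int *cnt)
{
    if (strcmp(name, store.name) == 0) { *out = &store; *cnt = 1; return 0; }
    *cnt = 0;
    return 0;
}

/* Pre-patch caller logic from the old hunk: only `ret && cnt == 0` rejects, so a
 * missing policy falls through and p is used without ever being assigned. The
 * sentinel stands in for whatever the uninitialised stack slot happened to hold. */
int modify_policy_old(const char *name, int new_life, struct policy *sentinel)
{
    struct policy *p = sentinel;
    int cnt, ret = db_get_policy(name, &p, &cnt);
    if (ret && cnt == 0) return UNK_POLICY;
    p->pw_max_life = new_life;     /* writes through the unset pointer */
    return OK;
}

/* Post-patch logic: check the return value first, then require exactly one record. */
int modify_policy_new(const char *name, int new_life)
{
    struct policy *p = NULL;
    int cnt, ret = db_get_policy(name, &p, &cnt);
    if (ret) return ret;
    if (cnt != 1) return UNK_POLICY;
    p->pw_max_life = new_life;
    return OK;
}

/* Shows the old code landing its "modify" on whatever p happened to point at. */
int old_stray_write_value(void)
{
    struct policy scratch = { "scratch", 0 };
    modify_policy_old("nonexistent", 42, &scratch);
    return scratch.pw_max_life;    /* 42: the wrong object was written */
}
```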
Subsequent code in kadm5_modify_policy_internal() can then attempt to write
data through this uninitialized output pointer, causing memory corruption.

This vulnerability was not present in MIT releases prior to krb5-1.5. In
the krb5-1.5 release, changes related to the implementation of the
Database Abstraction Layer introduced this vulnerability.

REVISION HISTORY
================

2007-09-05  CVE-2007-3999 patch revised due to 32-byte overflow
2007-09-04  original release

Copyright (C) 2007 Massachusetts Institute of Technology

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

  http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

  http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================