Vulnerability

    Kerberos V

Affected

    Sites running setuid or setgid Kerberos IV programs and using  the
    Kerberos  IV  compatibility  libraries  in  Kerberos  V  1.0   are
    vulnerable to the environment variable config file buffer overflow

Description

    The  following  info  is  based  on  Secure Networks Inc. Security
    Advisory.

    Kerberos V sites which are running Kerberos IV programs and  using
    the Kerberos IV  compatibility libraries, including  certain bones
    derived kerberos IV implementations are vulnerable to a  localhost
    buffer overflow.  The problem  is exploitable if there are  setuid
    or  setgid  programs  (such  as  a  Kerberized  rlogin)  which use
    kerberos IV functions.   The problem occurs when  certain kerberos
    programs permit  the specification  of the  kerberos configuration
    file  via  an  environment  variable,  and  do  not perform proper
    checking on this environment variable.

    This problem stems from a feature in the Kerberos IV compatibility
    library  under  Kerberos  V.   The  problem  occurs when incorrect
    bounds  checking  is  applied  to  reading  in configuration files
    which  may  be  stipulated  via  an  enviroment  variable.   If  a
    malicous  user  stipulates  a  hand  crafted  config file they can
    successfully overflow a  buffer and sieze  root privileges if  any
    setuid programs call the problem functions in the library.

    The  following  code  in  src/lib/krb4/g_krbhst.c  illustrates the
    problem:

    int INTERFACE
    krb_get_krbhst(h,r,n)
        char *h;
        char *r;
        int n;
    {
        FILE *cnffile, *krb__get_cnffile();
        char tr[REALM_SZ];
        char linebuf[BUFSIZ];
        register int i;

        cnffile = krb__get_cnffile();
        if (!cnffile)
            return get_krbhst_default(h, r, n)
    if (fscanf(cnffile,"%s",tr) == EOF)
            return get_krbhst_default(h, r, n);

    Where the krb__get_cnffile() function returns a descriptor to  the
    file  pointed  to  by  the  environment  variable  KRB_CONF,  or a
    descriptor to the config file  in the default location.   The same
    set  of  problems,  with  a  different  environment variable name,
    exist in the KTH 0.9.3,  OpenBSD 2.0, and Cygnus R3  bones derived
    kerberos IV  distributions.   Setuid programs  using kerberos  can
    allow shell users to  gain unauthorized root access  to vulnerable
    systems.

    In addition, a number of bones derived kerberos IV implementations
    have had environment variable  based config file override  feature
    added.  The KTH (version  0.9.3) distribution, the one in  OpenBSD
    2.0 as  well as  OpenBSD-current prior  to 27  March 1997, and the
    Cygnus R3 distribution all appear to have this problem.

Solution

    The standard  vanilla MIT  Kerberos IV  code is  NOT vulnerable to
    this problem.

    The problems described  in Kerberos V  are fixed by  updating your
    Kerberos installation to Kerberos V 1.0 patch level 1. Information
    about obtaining the update to Kerberos V can be found at

        http://web.mit.edu/kerberos/www/krb5-1.0/announce.html

    OpenBSD users  should update  to OpenBSD-current  via anoncvs, and
    recompile their kerberos libraries.

    Cygnus  plans  to   release  patches  for   the  Cygnus   Kerberos
    distributions shortly.