Vulnerability

Kerberos V

Affected

Sites running setuid or setgid Kerberos IV programs and using the Kerberos IV compatibility libraries in Kerberos V 1.0 are vulnerable to the environment variable config file buffer overflow.

Description

The following information is based on the Secure Networks Inc. Security Advisory.

Kerberos V sites which are running Kerberos IV programs and using the Kerberos IV compatibility libraries, including certain Bones-derived Kerberos IV implementations, are vulnerable to a local buffer overflow. The problem is exploitable if there are setuid or setgid programs (such as a Kerberized rlogin) which use Kerberos IV functions.

The problem occurs when certain Kerberos programs permit the specification of the Kerberos configuration file via an environment variable, and do not perform proper checking on this environment variable. It stems from a feature in the Kerberos IV compatibility library under Kerberos V: no bounds checking is applied when reading in the configuration file, and that file may be specified via an environment variable. If a malicious user supplies a hand-crafted config file, they can overflow a stack buffer and seize root privileges whenever a setuid program calls the affected library functions.

The following code in src/lib/krb4/g_krbhst.c illustrates the problem:

    int INTERFACE
    krb_get_krbhst(h,r,n)
        char *h;
        char *r;
        int n;
    {
        FILE *cnffile, *krb__get_cnffile();
        char tr[REALM_SZ];
        char linebuf[BUFSIZ];
        register int i;

        cnffile = krb__get_cnffile();
        if (!cnffile)
            return get_krbhst_default(h, r, n);
        /* "%s" carries no field width: a first token longer than
           REALM_SZ-1 bytes in the attacker-chosen file overruns tr[] */
        if (fscanf(cnffile,"%s",tr) == EOF)
            return get_krbhst_default(h, r, n);

The krb__get_cnffile() function returns a descriptor to the file pointed to by the environment variable KRB_CONF, or a descriptor to the config file in the default location. Since a setuid program inherits its environment from the unprivileged caller, that caller chooses which file the privileged code parses.
The same set of problems, with a different environment variable name, exists in the KTH 0.9.3, OpenBSD 2.0, and Cygnus R3 Bones-derived Kerberos IV distributions. Setuid programs using Kerberos can allow shell users to gain unauthorized root access to vulnerable systems. A number of Bones-derived Kerberos IV implementations have had an environment-variable-based config file override feature added. The KTH (version 0.9.3) distribution, the one in OpenBSD 2.0 as well as OpenBSD-current prior to 27 March 1997, and the Cygnus R3 distribution all appear to have this problem.

Solution

The standard vanilla MIT Kerberos IV code is NOT vulnerable to this problem.

The problems described in Kerberos V are fixed by updating your Kerberos installation to Kerberos V 1.0 patch level 1. Information about obtaining the update to Kerberos V can be found at http://web.mit.edu/kerberos/www/krb5-1.0/announce.html

OpenBSD users should update to OpenBSD-current via anoncvs and recompile their Kerberos libraries. Cygnus plans to release patches for the Cygnus Kerberos distributions shortly.

Until a patched library is installed, the exposure is limited to setuid or setgid programs linked against the affected functions, so removing the setuid/setgid bit from Kerberized programs on a host (or confirming none are installed) closes the local root path at the cost of those programs' privileged features.
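The following C program is an added example, not code from the advisory, from MIT Kerberos, or from any of the distributions named above. It shows the two checks the vulnerable krb__get_cnffile()/krb_get_krbhst() path lacks: the environment override is ignored when the real and effective ids differ (a setuid or setgid process), and the realm token is read with a field width so an oversized first token is rejected instead of overrunning tr[]. The default path KRB_CONF_DEFAULT, the function names, and the sample config text (including the 200-byte crafted token) are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define REALM_SZ 40                      /* realm buffer size used by the krb4 library */
#define KRB_CONF_DEFAULT "/etc/krb.conf" /* assumed default location (example only) */

/* An environment-supplied config path may only be honoured when the real and
 * effective ids match. In a setuid/setgid program the invoking user controls
 * the environment but not the privileges, so the override must be ignored. */
int override_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* Pick the config path: the env value (e.g. $KRB_CONF) only if not privileged. */
const char *choose_cnffile(const char *env_value, int privileged)
{
    if (env_value != NULL && env_value[0] != '\0' && !privileged)
        return env_value;
    return KRB_CONF_DEFAULT;
}

/* Bounded replacement for fscanf(cnffile, "%s", tr) with tr[REALM_SZ].
 * Returns 0 and fills realm on success, -1 on EOF (empty file), and -2 when
 * the first token would not fit, which is exactly the input the unbounded
 * "%s" overflows on. */
int read_realm_bounded(FILE *f, char *realm, size_t sz)
{
    char fmt[32];
    int c;

    if (sz < 2)
        return -2;
    /* width sz-1 leaves room for the terminating NUL that fscanf appends */
    snprintf(fmt, sizeof fmt, "%%%zus", sz - 1);
    if (fscanf(f, fmt, realm) != 1)
        return -1;
    /* a non-whitespace character right after the token means it was cut short */
    c = fgetc(f);
    if (c != EOF && !isspace(c)) {
        realm[0] = '\0';
        return -2;
    }
    return 0;
}

/* Parse the first token of an in-memory config text (stands in for the file
 * krb__get_cnffile() would open). */
int parse_realm_from_text(const char *text, char *realm, size_t sz)
{
    FILE *f = tmpfile();
    int rc;

    if (f == NULL)
        return -1;
    fputs(text, f);
    rewind(f);
    rc = read_realm_bounded(f, realm, sz);
    fclose(f);
    return rc;
}

/* Constructed attack input: a 200-byte first token, as a hand-crafted file
 * named by $KRB_CONF would carry. Returns 1 if the bounded reader rejects it. */
int overflow_attempt_rejected(void)
{
    char crafted[256];
    char realm[REALM_SZ];

    memset(crafted, 'A', 200);
    strcpy(crafted + 200, " kerberos.example.com\n");
    return parse_realm_from_text(crafted, realm, sizeof realm) == -2;
}

int main(void)
{
    char realm[REALM_SZ];
    int privileged = !override_allowed(getuid(), geteuid(), getgid(), getegid());
    const char *path = choose_cnffile(getenv("KRB_CONF"), privileged);

    printf("config path in use: %s (override %s)\n", path,
           privileged ? "ignored: setuid/setgid" : "honoured");
    if (parse_realm_from_text("ATHENA.MIT.EDU kerberos.mit.edu\n",
                              realm, sizeof realm) == 0)
        printf("realm: %s\n", realm);
    printf("crafted 200-byte token rejected: %d\n", overflow_attempt_rejected());
    return 0;
}
```

The id comparison is the portable form of the check; on BSD-derived systems issetugid() expresses the same thing and also covers a process whose ids were changed and then restored. Rejecting an overlong token outright, rather than silently truncating it, keeps a crafted realm name from being partially accepted and then looked up.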