
UNIRAS Brief - 531/05 - MIT - Two Kerberos Security Advisories



 

----------------------------------------------------------------------------------
  UNIRAS (UK Govt CERT) Briefing Notice - 531/05 dated 13.07.05  Time: 10:40
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
  Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

MIT - Two Kerberos Security Advisories:
     1.  buffer overflow, heap corruption in KDC [MITKRB5-SA-2005-002]
     2.  double-free in krb5_recvauth            [MITKRB5-SA-2005-003]


Detail
====== 

Security Advisory summaries:

     1.  An unauthenticated attacker may be able to use these vulnerabilities
         to execute arbitrary code on the KDC host, potentially compromising an
         entire Kerberos realm.  No exploit code is known to exist at this
         time.  Exploitation of these vulnerabilities is believed to be
         difficult.

     2.  The krb5_recvauth() function can free previously freed memory under
         some error conditions.  This vulnerability may allow an
         unauthenticated remote attacker to execute arbitrary code.


Security Advisory content follows:

1.

------

                 MIT krb5 Security Advisory 2005-002

Original release: 2005-07-12

Topic: buffer overflow, heap corruption in KDC

Severity: CRITICAL

SUMMARY
=======

The MIT krb5 Key Distribution Center (KDC) implementation can corrupt
the heap by attempting to free memory at a random address when it
receives a certain unlikely (but valid) request via a TCP connection.
This attempt to free unallocated memory can result in a KDC crash and
consequent denial of service.  [CAN-2005-1174, VU#259798]

Additionally, the same request, when received by the KDC via either
TCP or UDP, can trigger a bug in the krb5 library which results in a
single-byte overflow of a heap buffer.  Application servers are
vulnerable to a highly improbable attack, provided that the attacker
controls a realm sharing a cross-realm key with the target
realm. [CAN-2005-1175, VU#885830]

An unauthenticated attacker may be able to use these vulnerabilities
to execute arbitrary code on the KDC host, potentially compromising an
entire Kerberos realm.  No exploit code is known to exist at this
time.  Exploitation of these vulnerabilities is believed to be
difficult.

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code on
the KDC host, potentially compromising an entire Kerberos realm.  An
unsuccessful attack against the heap corruption vulnerability may
result in a denial of service by crashing the KDC process.

AFFECTED SOFTWARE
=================

* [CAN-2005-1174] affects the KDC implementation in all MIT krb5
  releases supporting TCP client connections to the KDC.  This
  includes krb5-1.3 and later releases, up to and including
  krb5-1.4.1.

* [CAN-2005-1175] affects KDC implementations and application servers
  in all MIT krb5 releases, up to and including krb5-1.4.1.
  Third-party application servers which use MIT krb5 are also
  affected.

FIXES
=====

* The upcoming krb5-1.4.2 release will have fixes for these
  vulnerabilities.

* WORKAROUNDS: Disabling TCP support in the KDC avoids one
  vulnerability [CAN-2005-1174].  The single-byte overflow
  [CAN-2005-1175] is still possible even without KDC TCP support
  enabled.  Running the KDC from init or from some similar automatic
  respawning facility may reduce the durations of denials of service,
  but this approach may make it difficult to detect deliberate attacks
  targeted at code execution.

* Apply the patch at:

  http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt.asc

  The patch was generated against the krb5-1.4.1 release.  It may
  apply, with some offset, to earlier releases.  On releases prior to
  krb5-1.3, only the patch to lib/krb5/krb/unparse.c should be
  necessary.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

CERT: VU#259798
http://www.kb.cert.org/vuls/id/259798

CVE: CAN-2005-1175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175

CERT: VU#885830
http://www.kb.cert.org/vuls/id/885830

ACKNOWLEDGMENTS
===============

Thanks to Daniel Wachdorf for reporting these vulnerabilities.

DETAILS
=======

Kerberos 5 principal names may have an arbitrary number of components.
The krb5_unparse_name() function in the MIT krb5 library converts an
internal representation of a Kerberos principal name into a
human-readable string.  The internal representation might have
originated from the decoding of a Kerberos protocol message.

The single-byte overflow occurs whenever the krb5_unparse_name()
function is called on a principal name having zero components.  The
function writes a null byte to an address one beyond the end of a
buffer allocated by malloc().  The corresponding krb5_parse_name()
function never generates an internal representation having zero
components; instead, it generates at least one zero-length component.
The current string representation form of Kerberos principal names has
some ambiguity between a zero-component principal name and a
one-component principal name having a zero-length single component.
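As an added illustration (a constructed model, not MIT's krb5_unparse_name() or any other code from the krb5 tree), the size arithmetic below shows how a zero-component name comes out one byte short for the terminating NUL, while a hardened unparser refuses that form outright. The component and realm strings are constructed sample values.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a principal-name unparser, not MIT's krb5_unparse_name():
 * components joined by '/', then '@' and the realm, NUL-terminated. */

/* Bytes the unparsed string really needs, including the NUL. */
size_t needed_len(const char **comps, size_t ncomps, const char *realm)
{
    size_t n = (ncomps == 0) ? 1 : 0;          /* lone '@' when no components */
    for (size_t i = 0; i < ncomps; i++)
        n += strlen(comps[i]) + 1;             /* component plus its '/' or '@' */
    return n + strlen(realm) + 1;              /* realm plus NUL */
}

/* Size arithmetic that silently assumes at least one component: for
 * ncomps == 0 the separator term is -1, so the result is one byte short
 * and the terminating NUL would land one past the malloc()ed buffer. */
int buggy_alloc_len(const char **comps, int ncomps, const char *realm)
{
    int n = 0;
    for (int i = 0; i < ncomps; i++)
        n += (int)strlen(comps[i]);
    /* (ncomps - 1) '/' separators, one '@', the realm, and the NUL */
    return n + (ncomps - 1) + 1 + (int)strlen(realm) + 1;
}

/* Hardened unparse: rejects the zero-component form the parser never
 * produces and sizes the buffer with needed_len().  Caller frees. */
char *unparse_name(const char **comps, size_t ncomps, const char *realm)
{
    if (ncomps == 0)
        return NULL;                           /* refuse the ambiguous name */
    char *out = malloc(needed_len(comps, ncomps, realm));
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < ncomps; i++) {
        size_t cl = strlen(comps[i]);
        memcpy(p, comps[i], cl);
        p += cl;
        *p++ = (i + 1 < ncomps) ? '/' : '@';   /* '/' between, '@' before realm */
    }
    size_t rl = strlen(realm);
    memcpy(p, realm, rl);
    p[rl] = '\0';                              /* exactly fills needed_len() */
    return out;
}
```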

Application servers which call krb5_unparse_name(), directly or
indirectly, are vulnerable to the single-byte overflow in
krb5_unparse_name(), provided that the attacker controls a realm which
shares a cross-realm key with the target realm.  This enables the
attacker to use a cross-realm ticket for a zero-component client
principal name, which the application server will then pass to
krb5_unparse_name(), triggering the single-byte overflow.

For this attack to succeed, the attacker needs access to a KDC in the
target realm which will create a ticket for a zero-component client
principal name.  Since the current MIT krb5 KDC implementation will
refuse to create such a ticket, the attack is unlikely to succeed
unless the implementation has been altered to allow the issuance of
tickets for zero-component client principal names.

When the KDC fails to find the principal with a zero-component name in
its database (such a principal is very unlikely to exist in most
databases, as there are extremely few uses for such a principal), it
attempts to encode an error packet containing the offending principal
name, using prepare_error_as() or prepare_error_tgs().  This encoding
attempt fails inside encode_krb5_error(), since the ASN.1 encoder
function asn1_encode_principal_name() interprets the internal
representation of a zero-component principal name as an error
condition.

encode_krb5_error() does not allocate an output buffer when it
encounters an error condition.  While the UDP request handling code in
kdc/network.c:process_packet() does not attempt to free the output
buffer containing the encoded message when it encounters an error, the
TCP request handling code in process does free the buffer inside
kill_tcp_connection(), which attempts to free unallocated memory
pointed to by an uninitialized pointer.

REVISION HISTORY
================

2005-05-12      original release

Copyright (C) 2005 Massachusetts Institute of Technology

------




2.




------

                MIT krb5 Security Advisory 2005-003

Original release: 2005-07-12

Topic: double-free in krb5_recvauth

Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689, VU#623332]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
  krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
  krb5, up to and including krb5-1.4.1, are vulnerable.

* Third-party application programs which call krb5_recvauth() are also
  vulnerable.

FIXES
=====

* The upcoming krb5-1.4.2 release will have a fix for this
  vulnerability.

* Apply the following patch.  This patch was generated against the
  krb5-1.4.1 release.  It may apply, with some offset, to earlier
  releases.

  The patch may also be found at:

  http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c	3 Sep 2002 01:13:47 -0000	5.38
- --- lib/krb5/krb/recvauth.c	23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
  	    if ((retval = krb5_read_message(context, fd, &inbuf)))
  		return(retval);
  	    if (strcmp(inbuf.data, sendauth_version)) {
- - 		krb5_xfree(inbuf.data);
  		problem = KRB5_SENDAUTH_BADAUTHVERS;
  	    }
  	    krb5_xfree(inbuf.data);
- --- 76,81 ----
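Review bot: the removed `krb5_xfree(inbuf.data)` inside the `strcmp` mismatch branch was the first of two releases of the same buffer, because the unconditional `krb5_xfree(inbuf.data)` after the closing brace still runs on that path; with it gone, the mismatch branch only records `problem = KRB5_SENDAUTH_BADAUTHVERS` and the single trailing free covers both outcomes. A one-line comment above the remaining free, stating that it is also the release for the mismatch path, would help keep a later edit from reintroducing the early free.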
***************
*** 90,96 ****
  	if ((retval = krb5_read_message(context, fd, &inbuf)))
  		return(retval);
  	if (appl_version && strcmp(inbuf.data, appl_version)) {
- - 		krb5_xfree(inbuf.data);
  		if (!problem)
  			problem = KRB5_SENDAUTH_BADAPPLVERS;
  	}
- --- 89,94 ----
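Review bot: the unconditional `krb5_xfree(inbuf.data)` that must follow this `if` block on the application-version mismatch path is outside the hunk's context, so these lines alone do not show that the buffer is still released once the early free is removed. Widening the context by a line or two, or adding a short comment above the trailing free, would make the hunk self-evidently correct.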

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689

CERT: VU#623332
http://www.kb.cert.org/vuls/id/623332

ACKNOWLEDGMENTS
===============

Thanks to Magnus Hagander for reporting this vulnerability.

DETAILS
=======

The helper function recvauth_common() in lib/krb5/krb/recvauth.c has
two locations which call krb5_read_message(), followed by an
unconditional krb5_xfree() of the buffer allocated by
krb5_read_message().  In the cases where the sendauth version string
or the application version string do not match the expected value,
recvauth_common() performs a krb5_xfree() on the buffer allocated by
krb5_read_message() preceding the subsequent unconditional call to
krb5_xfree() on the same buffer.

Since the code paths which call krb5_xfree() twice do so with almost
no intervening code, exploitation of this vulnerability may be more
difficult than exploitation of other double-free vulnerabilities.  No
detailed analysis has been performed on the ease of exploitation.

REVISION HISTORY
================

2005-05-12      original release

Copyright (C) 2005 Massachusetts Institute of Technology

------



----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of MIT for the information 
contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>


