Vulnerability Note VU#356961

MIT Kerberos kadmind RPC library gssrpc__svcauth_gssapi() uninitialized pointer free vulnerability

Original Release date: 26 Jun 2007 | Last revised: 08 Aug 2007

Overview

The MIT Kerberos administration daemon (kadmind) can free an uninitialized pointer, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.

Description

The gssrpc__svcauth_gssapi() function used by the Kerberos administration daemon can free an uninitialized pointer when receiving a specially crafted RPC request. This vulnerability may cause memory corruption that could allow a remote, unauthenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-004:

    The function gssrpc__svcauth_gssapi() in src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds" of type auth_gssapi_creds. This type includes a gss_buffer_desc (which includes a pointer to void used as a pointer to a buffer of bytes). If gssrpc__svcauth_gssapi() receives an RPC credential with a length of zero, it jumps to the label "error", which executes some cleanup code. At this point, the gss_buffer_desc in "creds" is not yet initialized, and the cleanup code calls xdr_free() on "creds", which then attempts to free the memory pointed to by the uninitialized "value" member of the gss_buffer_desc.

    Exploitation of freeing of invalid pointers is believed to be difficult, and depends on a variety of factors specific to a given malloc implementation.

Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.1. MIT has been provided with proof-of-concept exploit code that causes a denial of service, but it's not clear whether the exploit code is publicly available yet.

This vulnerability occurred as a result of failing to comply with rule EXP33-C of the CERT C Programming Language Secure Coding Standard.

Impact

A remote, unauthenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.

Solution

Apply a patch
A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-004. MIT also states that this will be addressed in the upcoming krb5-1.6.2 and krb5-1.5.4 releases.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Debian GNU/LinuxAffected18 Jun 200730 Jul 2007
Red Hat, Inc.Affected18 Jun 200726 Jun 2007
Sun Microsystems, Inc.Affected18 Jun 200728 Jun 2007
CyberSafe, Inc.Not Affected18 Jun 200718 Jun 2007
Microsoft CorporationNot Affected18 Jun 200719 Jun 2007
Network Appliance, Inc.Not Affected-27 Jun 2007
Apple Computer, Inc.Unknown18 Jun 200718 Jun 2007
AttachmateWRQ, Inc.Unknown18 Jun 200718 Jun 2007
Conectiva Inc.Unknown18 Jun 200718 Jun 2007
Cray Inc.Unknown18 Jun 200718 Jun 2007
EMC CorporationUnknown18 Jun 200718 Jun 2007
Engarde Secure LinuxUnknown18 Jun 200718 Jun 2007
F5 Networks, Inc.Unknown18 Jun 200718 Jun 2007
Fedora ProjectUnknown18 Jun 200718 Jun 2007
FreeBSD, Inc.Unknown18 Jun 200718 Jun 2007
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to MIT for reporting this vulnerability, who in turn credit Wei Wang of McAfee Avert Labs.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2007-2442
  • Date Public: 26 Jun 2007
  • Date First Published: 26 Jun 2007
  • Date Last Updated: 08 Aug 2007
  • Severity Metric: 5.40
  • Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.