Vulnerability Note VU#356961
MIT Kerberos kadmind RPC library gssrpc__svcauth_gssapi() uninitialized pointer free vulnerability
Overview
The MIT Kerberos administration daemon (kadmind) can free an uninitialized pointer, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.
I. Description
The gssrpc__svcauth_gssapi() function used by the Kerberos administration daemon can free an uninitialized pointer when it receives a specially crafted RPC request. The resulting memory corruption could allow a remote, unauthenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-004:
The function gssrpc__svcauth_gssapi() in src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds" of type auth_gssapi_creds. This type includes a gss_buffer_desc (which includes a pointer to void used as a pointer to a buffer of bytes). If gssrpc__svcauth_gssapi() receives an RPC credential with a length of zero, it jumps to the label "error", which executes some cleanup code. At this point, the gss_buffer_desc in "creds" is not yet initialized, and the cleanup code calls xdr_free() on "creds", which then attempts to free the memory pointed to by the uninitialized "value" member of the gss_buffer_desc.
Exploitation of freeing of invalid pointers is believed to be difficult, and depends on a variety of factors specific to a given malloc implementation.
Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.1. MIT has been provided with proof-of-concept exploit code that causes a denial of service; it is not clear whether that exploit code is publicly available.
This vulnerability occurred as a result of failing to comply with rule EXP33-C of the CERT C Programming Language Secure Coding Standard.
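The control flow the advisory describes, reduced to a runnable model. This is an added example, not MIT's code: the struct definitions are simplified stand-ins for the real gss_buffer_desc and auth_gssapi_creds, the credential wire format is constructed for the demo, and xdr_free_model() reports a pointer it never allocated instead of passing it to free() so that the unfixed path stays well-defined on the test machine. The "stale" pointer is planted deliberately to stand in for whatever the previous call left in that stack slot; in the real daemon the bytes are simply uninitialized. The hardened variant applies the EXP33-C remedy of initializing the automatic variable before any path can jump to the cleanup label.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reduced stand-ins for the types the advisory names (src/lib/rpc/svc_auth_gssapi.c).
 * Field layout is simplified for the demo. */
typedef struct { size_t length; void *value; } gss_buffer_desc;
typedef struct { uint32_t version; gss_buffer_desc client_handle; } auth_gssapi_creds;

/* What the cleanup path ended up doing; returned so a caller can check it. */
enum free_result { FREE_NOTHING = 0, FREE_OWNED = 1, FREE_INVALID = 2 };

/* Minimal ownership tracker: only pointers handed out by track_alloc() may be freed. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *track_alloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);
    return NULL;
}

/* Stand-in for xdr_free(xdr_authgssapi_creds, &creds). The real routine hands any
 * non-NULL value pointer straight to free(); here a pointer we never allocated is
 * reported instead of freed, so the demo stays well-defined. */
static enum free_result xdr_free_model(auth_gssapi_creds *c)
{
    void *p = c->client_handle.value;
    if (p == NULL)
        return FREE_NOTHING;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return FREE_OWNED; }
    }
    return FREE_INVALID;                    /* kadmind would call free(garbage) here */
}

/* Model of gssrpc__svcauth_gssapi(): decode an RPC credential, clean up on every path.
 * A zero-length credential is the attacker-controlled trigger from the advisory.
 * hardened != 0 applies the fix: initialise creds before any jump to error. */
static enum free_result svcauth_gssapi_model(const unsigned char *cred, size_t cred_len, int hardened)
{
    auth_gssapi_creds creds;

    if (hardened) {
        memset(&creds, 0, sizeof creds);   /* cleanup now sees value == NULL on the early-error path */
    } else {
        /* Planted stale contents standing in for whatever the previous call left in this
         * stack slot; in the real daemon the bytes are simply uninitialised. */
        creds.version = 0;
        creds.client_handle.length = 42;
        creds.client_handle.value = (void *)(uintptr_t)0xDEADBEEF;
    }

    if (cred_len == 0)
        goto error;                         /* jumps over the code that fills in creds */

    /* Constructed wire format for the demo: byte 0 = version, rest = client handle. */
    creds.version = cred[0];
    creds.client_handle.length = cred_len - 1;
    creds.client_handle.value = track_alloc(cred_len - 1 ? cred_len - 1 : 1);
    if (creds.client_handle.value == NULL)
        goto error;
    memcpy(creds.client_handle.value, cred + 1, cred_len - 1);
    /* ... context establishment would go here; success also falls through to cleanup ... */

error:
    return xdr_free_model(&creds);
}

/* Runs the model against a constructed, well-formed credential (not captured traffic). */
static enum free_result run_valid_cred(int hardened)
{
    static const unsigned char cred[] = { 1, 'h', 'd', 'l' };
    return svcauth_gssapi_model(cred, sizeof cred, hardened);
}

int main(void)
{
    printf("zero-length cred, unfixed : %d (2 = free of a pointer we never owned)\n",
           svcauth_gssapi_model(NULL, 0, 0));
    printf("zero-length cred, fixed   : %d (0 = nothing to free)\n",
           svcauth_gssapi_model(NULL, 0, 1));
    printf("valid cred, either build  : %d (1 = our own buffer released)\n", run_valid_cred(1));
    return 0;
}
```

The unfixed path with a zero-length credential reaches the cleanup label with the planted pointer still in creds and would hand it to free(); the zero-initialized variant reaches the same label with a NULL value and frees nothing. A well-formed credential behaves identically in both builds, which is why the defect survived normal testing: only the early-error path exposes it. Running the unfixed build of the real code under Valgrind or MemorySanitizer reports the read of the uninitialized pointer directly.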
II. Impact
A remote, unauthenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
III. Solution
Apply a patch
A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-004. MIT also states that this will be addressed in the upcoming krb5-1.6.2 and krb5-1.5.4 releases.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
| Apple Computer, Inc. | Unknown | 18-Jun-2007 | |
| AttachmateWRQ, Inc. | Unknown | 18-Jun-2007 | |
| Conectiva Inc. | Unknown | 18-Jun-2007 | |
| Cray Inc. | Unknown | 18-Jun-2007 | |
| CyberSafe, Inc. | Not Vulnerable | 18-Jun-2007 | |
| Debian GNU/Linux | Vulnerable | 30-Jul-2007 | |
| EMC Corporation | Unknown | 18-Jun-2007 | |
| Engarde Secure Linux | Unknown | 18-Jun-2007 | |
| F5 Networks, Inc. | Unknown | 18-Jun-2007 | |
| Fedora Project | Unknown | 18-Jun-2007 | |
| FreeBSD, Inc. | Unknown | 18-Jun-2007 | |
| Fujitsu | Unknown | 18-Jun-2007 | |
| Gentoo Linux | Unknown | 18-Jun-2007 | |
| Hewlett-Packard Company | Unknown | 18-Jun-2007 | |
| Hitachi | Unknown | 18-Jun-2007 | |
| IBM Corporation | Unknown | 18-Jun-2007 | |
| IBM Corporation (zseries) | Unknown | 18-Jun-2007 | |
| IBM eServer | Unknown | 18-Jun-2007 | |
| Immunix Communications, Inc. | Unknown | 18-Jun-2007 | |
| Ingrian Networks, Inc. | Unknown | 18-Jun-2007 | |
| Juniper Networks, Inc. | Unknown | 26-Jun-2007 | |
| KTH Kerberos Team | Unknown | 18-Jun-2007 | |
| Mandriva, Inc. | Unknown | 27-Jun-2007 | |
| Microsoft Corporation | Not Vulnerable | 19-Jun-2007 | |
| MIT Kerberos Development Team | Unknown | 13-Jun-2007 | |
| MontaVista Software, Inc. | Unknown | 18-Jun-2007 | |
| NEC Corporation | Unknown | 18-Jun-2007 | |
| NetBSD | Unknown | 18-Jun-2007 | |
| Network Appliance, Inc. | Not Vulnerable | 27-Jun-2007 | |
| Nokia | Unknown | 18-Jun-2007 | |
| Novell, Inc. | Unknown | 18-Jun-2007 | |
| Openwall GNU/*/Linux | Unknown | 18-Jun-2007 | |
| QNX, Software Systems, Inc. | Unknown | 18-Jun-2007 | |
| Red Hat, Inc. | Vulnerable | 26-Jun-2007 | |
| Silicon Graphics, Inc. | Unknown | 18-Jun-2007 | |
| Slackware Linux Inc. | Unknown | 18-Jun-2007 | |
| Sony Corporation | Unknown | 18-Jun-2007 | |
| Sun Microsystems, Inc. | Vulnerable | 28-Jun-2007 | |
| SUSE Linux | Unknown | 18-Jun-2007 | |
| The SCO Group | Unknown | 18-Jun-2007 | |
| Trustix Secure Linux | Unknown | 18-Jun-2007 | |
| Turbolinux | Unknown | 18-Jun-2007 | |
| Ubuntu | Unknown | 27-Jun-2007 | |
| Unisys | Unknown | 18-Jun-2007 | |
| Wind River Systems, Inc. | Unknown | 18-Jun-2007 | |
References
https://www.securecoding.cert.org/confluence/display/seccode/EXP33-C.+Do+not+reference+uninitialized+variables
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102914-1
http://secunia.com/advisories/25841/
http://secunia.com/advisories/25800/
http://secunia.com/advisories/26033/
http://docs.info.apple.com/article.html?artnum=306172
Credit
Thanks to MIT for reporting this vulnerability; MIT in turn credits Wei Wang of McAfee Avert Labs.
This document was written by Will Dormann.
Other Information
| Date Public: | 2007-06-26 |
| Date First Published: | 2007-06-26 |
| Date Last Updated: | 2007-08-08 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2007-2442 |
| NVD-ID(s): | CVE-2007-2442 |
| US-CERT Technical Alerts: | |
| Metric: | 5.40 |
| Document Revision: | 18 |