|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Vulnerability Note VU#365313
MIT Kerberos kadmind RPC library gssrpc__svcauth_unix() integer conversion error
OverviewThe MIT Kerberos administration daemon (kadmind) contains an integer conversion error vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.
I. DescriptionThe gssrpc__svcauth_unix() function used by the Kerberos administration daemon contains an integer conversion error. This vulnerability may cause a stack buffer overflow that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-004:
The function gssrpc__svcauth_unix() in src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from IXDR_GET_U_LONG into a signed integer variable "str_len". Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME, which will always be true of "str_len" is negative, which can happen when a large unsigned integer is converted to a signed integer. Once the length check succeeds, gssrpc__svcauth_unix() calls memmove() with a length of "str_len" with the target in a stack buffer.
This vulnerability is believed to be difficult to exploit because the memmove() implementation receives a very large number (a negative integer converted to a large unsigned value), which will almost certainly cause some sort of memory access fault prior to returning. This probably avoids any usage of the corrupted return address in the overwritten stack frame. Note that some (perhaps unlikely) memmove() implementations may call other procedures and thus may be vulnerable to corrupted return addresses.
Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.1. Third-party applications using the MIT krb5 RPC library or other RPC libraries derived from SunRPC may also be vulnerable. MIT has been provided with proof-of-concept exploit code that causes a denial of service, but it's not clear whether the exploit code is publicly available yet.
This vulnerability occurred as a result of failing to comply with rule INT31-C of the CERT C Programming Language Secure Coding Standard.
II. ImpactA remote, unauthenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
III. SolutionApply a patch
A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-004. MIT also states that this will be addressed in the upcoming krb5-1.6.2 and krb5-1.5.4 releases. Please check with your vendor for third-party product updates.
Systems Affected
| Vendor | Status | Date Updated |
|---|
| Apple Computer, Inc. | Unknown | 18-Jun-2007 |
| AttachmateWRQ, Inc. | Unknown | 18-Jun-2007 |
| Conectiva Inc. | Unknown | 18-Jun-2007 |
| Cray Inc. | Unknown | 18-Jun-2007 |
| CyberSafe, Inc. | Not Vulnerable | 18-Jun-2007 |
| Debian GNU/Linux | Vulnerable | 30-Jul-2007 |
| EMC Corporation | Unknown | 18-Jun-2007 |
| Engarde Secure Linux | Unknown | 18-Jun-2007 |
| F5 Networks, Inc. | Unknown | 18-Jun-2007 |
| Fedora Project | Unknown | 18-Jun-2007 |
| FreeBSD, Inc. | Unknown | 18-Jun-2007 |
| Fujitsu | Unknown | 18-Jun-2007 |
| Gentoo Linux | Unknown | 18-Jun-2007 |
| Hewlett-Packard Company | Unknown | 18-Jun-2007 |
| Hitachi | Unknown | 18-Jun-2007 |
| IBM Corporation | Unknown | 18-Jun-2007 |
| IBM Corporation (zseries) | Unknown | 18-Jun-2007 |
| IBM eServer | Unknown | 18-Jun-2007 |
| Immunix Communications, Inc. | Unknown | 18-Jun-2007 |
| Ingrian Networks, Inc. | Unknown | 18-Jun-2007 |
| Juniper Networks, Inc. | Not Vulnerable | 26-Jun-2007 |
| KTH Kerberos Team | Unknown | 18-Jun-2007 |
| Mandriva, Inc. | Vulnerable | 27-Jun-2007 |
| Microsoft Corporation | Not Vulnerable | 19-Jun-2007 |
| MIT Kerberos Development Team | Unknown | 13-Jun-2007 |
| MontaVista Software, Inc. | Unknown | 18-Jun-2007 |
| NEC Corporation | Unknown | 18-Jun-2007 |
| NetBSD | Unknown | 18-Jun-2007 |
| Network Appliance, Inc. | Not Vulnerable | 27-Jun-2007 |
| Nokia | Unknown | 18-Jun-2007 |
| Novell, Inc. | Unknown | 18-Jun-2007 |
| Openwall GNU/*/Linux | Unknown | 18-Jun-2007 |
| QNX, Software Systems, Inc. | Unknown | 18-Jun-2007 |
| Red Hat, Inc. | Vulnerable | 26-Jun-2007 |
| Silicon Graphics, Inc. | Unknown | 18-Jun-2007 |
| Slackware Linux Inc. | Unknown | 18-Jun-2007 |
| Sony Corporation | Unknown | 18-Jun-2007 |
| Sun Microsystems, Inc. | Not Vulnerable | 28-Jun-2007 |
| SUSE Linux | Unknown | 18-Jun-2007 |
| The SCO Group | Unknown | 18-Jun-2007 |
| Trustix Secure Linux | Unknown | 18-Jun-2007 |
| Turbolinux | Unknown | 18-Jun-2007 |
| Ubuntu | Vulnerable | 27-Jun-2007 |
| Unisys | Unknown | 18-Jun-2007 |
| Wind River Systems, Inc. | Unknown | 18-Jun-2007 |
References
https://www.securecoding.cert.org/confluence/display/seccode/INT31-C.+Ensure+that+integer+conversions+do+not+result+in+lost+or+misinterpreted+data
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt
http://www.ubuntu.com/usn/usn-477-1
http://www.mandriva.com/security/advisories?name=MDKSA-2007:137
http://secunia.com/advisories/25800/
http://secunia.com/advisories/26033/
http://docs.info.apple.com/article.html?artnum=306172
Credit
Thanks to MIT for reporting this vulnerability, who in turn credit Wei Wang of McAfee Avert Labs.
This document was written by Will Dormann.
Other Information
| Date Public | 06/26/2007 |
| Date First Published | 06/26/2007 02:59:11 PM |
| Date Last Updated | 08/08/2007 |
| CERT Advisory | |
| CVE Name | CVE-2007-2443 |
| US-CERT Technical Alerts | |
| Metric | 5.40 |
| Document Revision | 12 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader