Vulnerability Note VU#401660
MIT Kerberos (krb5) ftpd and ksu do not properly validate seteuid() calls
Overview
Privilege escalation vulnerabilities in MIT krb5 ftpd and ksu may allow an authenticated attacker to execute arbitrary code.
I. Description
The MIT krb5 ftpd and ksu programs contain multiple privilege escalation vulnerabilities.
These vulnerabilities depend on the host operating system's implementation of the seteuid() system call. They arise when seteuid() can fail due to resource exhaustion while changing to an unprivileged user ID. Some implementations of seteuid() do not expose the vulnerability.
From MIT krb5 Security Advisory 2006-001:
The following vulnerabilities may result from unchecked calls to seteuid(). These vulnerabilities are not yet known to exist on any operating system:
- Unchecked calls to seteuid() in ftpd may allow a local privilege escalation leading to reading, writing, or creating files as root.
- Unchecked calls to seteuid() in the ksu program may allow a local privilege escalation resulting in filling a file with null bytes as root and then deleting it (the "kdestroy" operation).
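The unchecked-call pattern described above, shown next to a checked form, as an added example that is not taken from the krb5 source or the MIT advisory. The sim_* functions are hypothetical stand-ins for seteuid() and geteuid() so the failure can be reproduced without root, and the EAGAIN errno is an assumption about how a resource-exhaustion failure is reported.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Simulated credential state (constructed for this example). */
static uid_t sim_euid = 0;       /* process starts with euid 0, like setuid-root ksu */
static int sim_exhausted = 0;    /* 1 = model seteuid() failing on resource exhaustion */

void sim_reset(int exhausted) { sim_euid = 0; sim_exhausted = exhausted; }

/* Hypothetical stand-in for seteuid(): fails without changing the euid. */
static int sim_seteuid(uid_t uid) {
    if (sim_exhausted) { errno = EAGAIN; return -1; }  /* assumed errno */
    sim_euid = uid;
    return 0;
}

/* Hypothetical stand-in for geteuid(). */
static uid_t sim_geteuid(void) { return sim_euid; }

/* Unchecked pattern: the return value is ignored, so the file operation
 * that follows runs with whatever euid is still in effect.
 * Returns that euid so the outcome is visible. */
uid_t file_op_unchecked(uid_t user) {
    sim_seteuid(user);            /* result discarded */
    return sim_geteuid();         /* euid the "unprivileged" work really uses */
}

/* Checked pattern: returns 0 only when the drop demonstrably took effect.
 * On -1 the caller must refuse to continue. */
int drop_euid_checked(uid_t user) {
    if (sim_seteuid(user) != 0)
        return -1;                /* call failed: still privileged */
    if (sim_geteuid() != user)
        return -1;                /* belt and braces: verify the new euid */
    return 0;
}

int main(void) {
    sim_reset(1);
    printf("unchecked: file operation runs as euid %d\n",
           (int)file_op_unchecked(1000));
    sim_reset(1);
    if (drop_euid_checked(1000) != 0)
        perror("checked: seteuid failed, refusing to continue");
    return 0;
}
```

In real code the same check is applied to the return value of seteuid() itself, and the program exits rather than continuing when the drop fails.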
II. Impact
An authenticated attacker may be able to execute arbitrary code with root privileges.
III. Solution
Upgrade
The MIT Kerberos team has released an update to address these issues. See the Systems Affected section of this document for information about specific vendors. Users who compile Kerberos from the original source distribution should see MIT krb5 Security Advisory 2006-001 for more details.
Disable vulnerable programs
From MIT krb5 Security Advisory 2006-001: "Disable krshd and ftpd, and remove the setuid bit from the ksu binary and the v4rcp binary."
Systems Affected
| Vendor | Status | Date Updated |
| Apple Computer, Inc. | Not Vulnerable | 18-Aug-2006 |
| AttachmateWRQ, Inc. | Not Vulnerable | 23-Aug-2006 |
| Conectiva Inc. | Unknown | 28-Jul-2006 |
| Cray Inc. | Unknown | 28-Jul-2006 |
| CyberSafe, Inc. | Unknown | 28-Jul-2006 |
| Debian GNU/Linux | Unknown | 24-Aug-2006 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 28-Jul-2006 |
| Engarde Secure Linux | Unknown | 28-Jul-2006 |
| F5 Networks, Inc. | Unknown | 28-Jul-2006 |
| Fedora Project | Unknown | 28-Jul-2006 |
| FreeBSD, Inc. | Unknown | 28-Jul-2006 |
| Fujitsu | Unknown | 28-Jul-2006 |
| Gentoo Linux | Vulnerable | 24-Aug-2006 |
| Heimdal Kerberos Project | Unknown | 28-Jul-2006 |
| Hewlett-Packard Company | Unknown | 28-Jul-2006 |
| Hitachi | Unknown | 28-Jul-2006 |
| IBM Corporation | Not Vulnerable | 8-Aug-2006 |
| IBM Corporation (zseries) | Unknown | 28-Jul-2006 |
| IBM eServer | Unknown | 28-Jul-2006 |
| Immunix Communications, Inc. | Unknown | 28-Jul-2006 |
| Ingrian Networks, Inc. | Unknown | 28-Jul-2006 |
| Juniper Networks, Inc. | Not Vulnerable | 8-Aug-2006 |
| KTH Kerberos Team | Unknown | 28-Jul-2006 |
| Mandriva, Inc. | Vulnerable | 24-Aug-2006 |
| Microsoft Corporation | Unknown | 28-Jul-2006 |
| MIT Kerberos Development Team | Vulnerable | 8-Aug-2006 |
| MontaVista Software, Inc. | Unknown | 28-Jul-2006 |
| NEC Corporation | Unknown | 28-Jul-2006 |
| NetBSD | Unknown | 28-Jul-2006 |
| Nokia | Unknown | 28-Jul-2006 |
| Novell, Inc. | Unknown | 28-Jul-2006 |
| OpenBSD | Unknown | 28-Jul-2006 |
| Openwall GNU/*/Linux | Unknown | 28-Jul-2006 |
| QNX, Software Systems, Inc. | Unknown | 28-Jul-2006 |
| Red Hat, Inc. | Unknown | 28-Jul-2006 |
| Silicon Graphics, Inc. | Unknown | 28-Jul-2006 |
| Slackware Linux Inc. | Unknown | 28-Jul-2006 |
| Sony Corporation | Unknown | 28-Jul-2006 |
| Sun Microsystems, Inc. | Unknown | 28-Jul-2006 |
| SUSE Linux | Unknown | 28-Jul-2006 |
| The SCO Group | Unknown | 28-Jul-2006 |
| Trustix Secure Linux | Unknown | 28-Jul-2006 |
| Turbolinux | Unknown | 28-Jul-2006 |
| Ubuntu | Unknown | 28-Jul-2006 |
| Unisys | Unknown | 28-Jul-2006 |
| Wind River Systems, Inc. | Unknown | 28-Jul-2006 |
References
http://www.kb.cert.org/vuls/id/580124
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt
Credit
Thanks to the MIT Kerberos Team for reporting this issue. The MIT Kerberos Team in turn thanks Michael Calmer and Marcus Meissner at SUSE and Shiva Persaud at IBM for providing information about AIX.
This document was written by Ryan Giobbi.
Other Information
| Date Public | 07/26/2006 |
| Date First Published | 08/15/2006 04:25:29 PM |
| Date Last Updated | 08/16/2006 |
| CERT Advisory | |
| CVE Name | CVE-2006-3084 |
| US-CERT Technical Alerts | |
| Metric | 2.33 |
| Document Revision | 37 |