Vulnerability Note VU#401660

MIT Kerberos (krb5) ftpd and ksu do not properly validate seteuid() calls

Original Release date: 15 Aug 2006 | Last revised: 16 Aug 2006

Overview

Privilege escalation vulnerabilities in MIT krb5 ftpd and ksu may allow an authenticated attacker to execute arbitrary code.

Description

The MIT krb5 ftpd and ksu programs contain multiple privilege escalation vulnerabilities.

These vulnerabilities depend on the host operating system's implementation of the seteuid() system call: they arise when seteuid() can fail due to resource exhaustion while the program is changing to an unprivileged user ID, and the program does not check the return value. Some implementations of seteuid() do not expose the vulnerability.

From MIT krb5 Security Advisory 2006-001:

The following vulnerabilities may result from unchecked calls to seteuid(). These vulnerabilities are not yet known to exist on any operating system:

  • Unchecked calls to seteuid() in ftpd may allow a local privilege escalation leading to reading, writing, or creating files as root.
  • Unchecked calls to seteuid() in the ksu program may allow a local privilege escalation resulting in filling a file with null bytes as root and then deleting it (the "kdestroy" operation).
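Added here as an illustration, not MIT krb5's own code: the unchecked-seteuid() pattern the advisory describes, beside a hardened privilege drop that treats a seteuid() failure as fatal and then verifies the effective UID with geteuid(). The setter hook and the two fake_seteuid_* functions are constructed so the failure path can be exercised without real resource exhaustion.

```c
#define _XOPEN_SOURCE 700 /* make seteuid() visible under strict -std= modes */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
enum drop_result { DROP_OK = 0, DROP_FAILED = -1, DROP_NOT_VERIFIED = -2 };
/* Vulnerable pattern: the result of seteuid() is discarded. On an OS where
 * seteuid() can fail (the advisory names resource exhaustion), the process
 * keeps its privileged effective UID and whatever follows runs as root. */
static void drop_unchecked(uid_t target)
{
    int rc = seteuid(target);
    (void)rc; /* BUG: rc is never examined */
}

/* Hardened pattern, parameterised on the setter (a hypothetical hook so a
 * failing seteuid() can be simulated): treat a non-zero return as fatal,
 * then confirm with geteuid() rather than trusting the return code alone. */
static enum drop_result drop_checked_with(int (*setter)(uid_t), uid_t target)
{
    if (setter(target) != 0) {
        fprintf(stderr, "seteuid(%lu) failed: %s\n",
                (unsigned long)target, strerror(errno));
        return DROP_FAILED;
    }
    if (geteuid() != target)
        return DROP_NOT_VERIFIED;
    return DROP_OK;
}

static enum drop_result drop_checked(uid_t target)
{
    return drop_checked_with(seteuid, target);
}

/* Constructed stand-ins: a seteuid() that fails with EAGAIN, and one that
 * reports success without changing anything. */
static int fake_seteuid_eagain(uid_t t) { (void)t; errno = EAGAIN; return -1; }
static int fake_seteuid_noop(uid_t t)   { (void)t; return 0; }

int main(void)
{
    uid_t me = geteuid();
    drop_unchecked(me);
    printf("checked drop to own euid: %d\n", drop_checked(me));
    printf("simulated EAGAIN: %d\n", drop_checked_with(fake_seteuid_eagain, me + 1));
    printf("setter lied: %d\n", drop_checked_with(fake_seteuid_noop, me + 1));
    return 0;
}
```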

Impact

An authenticated attacker may be able to execute arbitrary code with root privileges.

Solution

Upgrade
The MIT Kerberos team has released an update to address these issues. See the Systems Affected section of this document for information about specific vendors. Users who compile Kerberos from the original source distribution should see MIT krb5 Security Advisory 2006-001 for more details.


Disable vulnerable programs

From MIT krb5 Security Advisory 2006-001: "Disable krshd and ftpd, and remove the setuid bit from the ksu binary and the v4rcp binary."

Systems Affected

Vendor                                          Status        Date Notified  Date Updated
Gentoo Linux                                    Affected      28 Jul 2006    24 Aug 2006
Mandriva, Inc.                                  Affected      28 Jul 2006    24 Aug 2006
MIT Kerberos Development Team                   Affected      27 Jul 2006    08 Aug 2006
Apple Computer, Inc.                            Not Affected  28 Jul 2006    18 Aug 2006
AttachmateWRQ, Inc.                             Not Affected  28 Jul 2006    23 Aug 2006
IBM Corporation                                 Not Affected  28 Jul 2006    08 Aug 2006
Juniper Networks, Inc.                          Not Affected  28 Jul 2006    08 Aug 2006
Conectiva Inc.                                  Unknown       28 Jul 2006    28 Jul 2006
Cray Inc.                                       Unknown       28 Jul 2006    28 Jul 2006
CyberSafe, Inc.                                 Unknown       28 Jul 2006    28 Jul 2006
Debian GNU/Linux                                Unknown       28 Jul 2006    24 Aug 2006
EMC, Inc. (formerly Data General Corporation)   Unknown       28 Jul 2006    28 Jul 2006
Engarde Secure Linux                            Unknown       28 Jul 2006    28 Jul 2006
F5 Networks, Inc.                               Unknown       28 Jul 2006    28 Jul 2006
Fedora Project                                  Unknown       28 Jul 2006    28 Jul 2006

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

Thanks to the MIT Kerberos Team for reporting this issue. The MIT Kerberos Team in turn thanks Michael Calmer and Marcus Meissner at SUSE and Shiva Persaud at IBM for providing information about AIX.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2006-3084
  • Date Public: 26 Jul 2006
  • Date First Published: 15 Aug 2006
  • Date Last Updated: 16 Aug 2006
  • Severity Metric: 2.33
  • Document Revision: 37
