Vulnerability Note VU#580124

MIT Kerberos (krb5) krshd and v4rcp do not properly validate setuid() or seteuid() calls

Original Release date: 08 Aug 2006 | Last revised: 24 Aug 2006

Overview

Privilege escalation vulnerabilities in MIT krb5 krshd and v4rcp may allow an authenticated attacker to execute arbitrary code.

Description

The MIT krb5 krshd and v4rcp programs contain multiple privilege escalation vulnerabilities. MIT krb5 Security Advisory 2006-001 states that the vulnerabilities "...result when the OS implementations of setuid() or seteuid() can fail due to resource exhaustion when changing to an unprivileged user ID."

From MIT krb5 Security Advisory 2006-001:

The following vulnerabilities may result from unchecked calls to setuid(), and are believed to only exist on Linux and AIX:

  • Unchecked calls to setuid() in krshd may allow a local privilege escalation leading to execution of programs as root.
  • Unchecked calls to setuid() in the v4rcp may allow a local privilege escalation leading to reading, writing, or creating files as root. v4rcp is the remote end of a krb4-authenticated rcp operation, but may be executed directly by an attacker, as it is a setuid program.
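The bug class the advisory describes, as an added example that is not code from MIT krb5 or from the advisory: a privilege drop that ignores the return values of setgid()/setuid() beside one that checks them and then verifies the resulting IDs. The function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern: the return values are ignored. On older Linux kernels
 * setuid() to an unprivileged UID fails with EAGAIN when that UID is at its
 * RLIMIT_NPROC limit (or when kernel memory is short), so the process keeps
 * running as root while believing it has dropped privileges. */
int drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
    return 0;               /* always reports success */
}

/* Hardened pattern: check every call, then confirm the kernel state actually
 * matches the request. Returns 0 on success, -1 on failure with errno set. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Group first: once the UID is unprivileged, setgid() can no longer succeed. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify real and effective IDs rather than trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* After dropping to a non-root UID, regaining root must be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to our own IDs always works; dropping to root fails for an
     * unprivileged caller, yet the unchecked version still reports success. */
    printf("self: %d  checked->root: %d  unchecked->root: %d\n",
           drop_privileges_checked(getuid(), getgid()),
           drop_privileges_checked(0, 0), drop_privileges_unchecked(0, 0));
    return 0;
}
```

A daemon using the checked form must treat -1 as fatal and exit rather than continue serving requests.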

Impact

An authenticated, remote attacker may be able to execute arbitrary code with root privileges.

Solution

Apply a patch or upgrade

From MIT krb5 Security Advisory 2006-001: "The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes for these vulnerabilities." MIT has also released patches for krb5-1.5 and krb5-1.4.3. See the Systems Affected section of this document for information about specific vendors.

Disable vulnerable programs

From MIT krb5 Security Advisory 2006-001: "Disable krshd and v4rcp, and remove the setuid bit from the ksu binary and the ftpd binary."

Systems Affected

Vendor                                         Status        Date Notified  Date Updated
Gentoo Linux                                   Affected      28 Jul 2006    16 Aug 2006
IBM Corporation                                Affected      08 Aug 2006    08 Aug 2006
MIT Kerberos Development Team                  Affected      -              08 Aug 2006
Apple Computer, Inc.                           Not Affected  28 Jul 2006    18 Aug 2006
AttachmateWRQ, Inc.                            Not Affected  28 Jul 2006    23 Aug 2006
Juniper Networks, Inc.                         Not Affected  28 Jul 2006    08 Aug 2006
Conectiva Inc.                                 Unknown       28 Jul 2006    28 Jul 2006
Cray Inc.                                      Unknown       28 Jul 2006    28 Jul 2006
CyberSafe, Inc.                                Unknown       28 Jul 2006    28 Jul 2006
Debian GNU/Linux                               Unknown       28 Jul 2006    24 Aug 2006
EMC, Inc. (formerly Data General Corporation)  Unknown       28 Jul 2006    28 Jul 2006
Engarde Secure Linux                           Unknown       28 Jul 2006    28 Jul 2006
F5 Networks, Inc.                              Unknown       28 Jul 2006    28 Jul 2006
Fedora Project                                 Unknown       28 Jul 2006    28 Jul 2006

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

These vulnerabilities were reported by the MIT Kerberos Development Team.

This document was written by Ryan Giobbi and Art Manion.

Other Information

  • CVE IDs: CVE-2006-3083
  • Date Public: 26 Jul 2006
  • Date First Published: 08 Aug 2006
  • Date Last Updated: 24 Aug 2006
  • Severity Metric: 6.91
  • Document Revision: 39
