Vulnerability Note VU#580124
MIT Kerberos (krb5) krshd and v4rcp do not properly validate setuid() or seteuid() calls
Overview
Privilege escalation vulnerabilities in MIT krb5 krshd and v4rcp may allow an authenticated attacker to execute arbitrary code.
I. Description
The MIT krb5 krshd and v4rcp programs contain multiple privilege escalation vulnerabilities. MIT krb5 Security Advisory 2006-001 states that the vulnerabilities "...result when the OS implementations of setuid() or seteuid() can fail due to resource exhaustion when changing to an unprivileged user ID."
From MIT krb5 Security Advisory 2006-001:
The following vulnerabilities may result from unchecked calls to setuid(), and are believed to only exist on Linux and AIX:
- Unchecked calls to setuid() in krshd may allow a local privilege escalation leading to execution of programs as root.
- Unchecked calls to setuid() in the v4rcp may allow a local privilege escalation leading to reading, writing, or creating files as root. v4rcp is the remote end of a krb4-authenticated rcp operation, but may be executed directly by an attacker, as it is a setuid program.
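The unchecked-call pattern described above, beside a fail-closed version, as an added example (not MIT krb5 source code). The `setuid_fn` seam, the function names, and `exhausted_setuid`, which simulates a failing call with `EAGAIN`, are assumptions made so the failure path can be exercised without root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical seam so a failing setuid() can be simulated without root. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stand-in for a setuid() that fails from resource exhaustion. */
static int exhausted_setuid(uid_t uid)
{
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* Unchecked pattern: the return value is discarded, so the caller always
 * proceeds. Returns 1 when the process still holds its original UID. */
static int drop_unchecked(setuid_fn set_uid, uid_t target)
{
    uid_t before = getuid();
    set_uid(target);                    /* result ignored */
    return target != before && getuid() == before;
}

/* Checked pattern: fail closed unless the drop happened and is permanent. */
static int drop_checked(setuid_fn set_uid, uid_t target)
{
    if (set_uid(target) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n", (unsigned long)target, strerror(errno));
        return -1;                      /* caller must exit, not continue */
    }
    if (getuid() != target || geteuid() != target)
        return -1;                      /* call returned 0 but IDs are wrong */
    if (target != 0 && setuid(0) == 0)
        return -1;                      /* root could still be regained */
    return 0;
}

int main(void)
{
    uid_t other = getuid() + 1;         /* constructed target UID */
    printf("unchecked, failing setuid: kept original uid = %d\n",
           drop_unchecked(exhausted_setuid, other));
    printf("checked, failing setuid:   %d\n", drop_checked(exhausted_setuid, other));
    printf("checked, real setuid:      %d\n", drop_checked(setuid, getuid()));
    return 0;
}
```

A caller of `drop_checked` should terminate on `-1` rather than run the user's command or open files with the identity it still holds.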
II. Impact
An authenticated, remote attacker may be able to execute arbitrary code with root privileges.
III. Solution
Apply a patch or upgrade
From MIT krb5 Security Advisory 2006-001: "The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes for these vulnerabilities." MIT has also released patches for krb5-1.5 and krb5-1.4.3. See the Systems Affected section of this document for information about specific vendors.
Disable vulnerable programs
From MIT krb5 Security Advisory 2006-001: "Disable krshd and v4rcp, and remove the setuid bit from the ksu binary and the ftpd binary."
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
| Apple Computer, Inc. | Not Vulnerable | 18-Aug-2006 |
| AttachmateWRQ, Inc. | Not Vulnerable | 23-Aug-2006 |
| Conectiva Inc. | Unknown | 28-Jul-2006 |
| Cray Inc. | Unknown | 28-Jul-2006 |
| CyberSafe, Inc. | Unknown | 28-Jul-2006 |
| Debian GNU/Linux | Unknown | 24-Aug-2006 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 28-Jul-2006 |
| Engarde Secure Linux | Unknown | 28-Jul-2006 |
| F5 Networks, Inc. | Unknown | 28-Jul-2006 |
| Fedora Project | Unknown | 28-Jul-2006 |
| FreeBSD, Inc. | Unknown | 28-Jul-2006 |
| Fujitsu | Unknown | 28-Jul-2006 |
| Gentoo Linux | Vulnerable | 16-Aug-2006 |
| Heimdal Kerberos Project | Unknown | 28-Jul-2006 |
| Hewlett-Packard Company | Unknown | 28-Jul-2006 |
| IBM Corporation | Vulnerable | 8-Aug-2006 |
| IBM Corporation (zseries) | Unknown | 28-Jul-2006 |
| IBM eServer | Unknown | 28-Jul-2006 |
| Immunix Communications, Inc. | Unknown | 28-Jul-2006 |
| Ingrian Networks, Inc. | Unknown | 28-Jul-2006 |
| Juniper Networks, Inc. | Not Vulnerable | 8-Aug-2006 |
| KTH Kerberos Team | Unknown | 28-Jul-2006 |
| Mandriva, Inc. | Unknown | 24-Aug-2006 |
| Microsoft Corporation | Unknown | 28-Jul-2006 |
| MIT Kerberos Development Team | Vulnerable | 8-Aug-2006 |
| MontaVista Software, Inc. | Unknown | 28-Jul-2006 |
| NEC Corporation | Unknown | 28-Jul-2006 |
| NetBSD | Unknown | 28-Jul-2006 |
| Nokia | Unknown | 28-Jul-2006 |
| Novell, Inc. | Unknown | 28-Jul-2006 |
| OpenBSD | Unknown | 28-Jul-2006 |
| Openwall GNU/*/Linux | Unknown | 28-Jul-2006 |
| QNX, Software Systems, Inc. | Unknown | 28-Jul-2006 |
| Red Hat, Inc. | Unknown | 28-Jul-2006 |
| Silicon Graphics, Inc. | Unknown | 28-Jul-2006 |
| Slackware Linux Inc. | Unknown | 28-Jul-2006 |
| Sony Corporation | Unknown | 28-Jul-2006 |
| Sun Microsystems, Inc. | Unknown | 28-Jul-2006 |
| SUSE Linux | Unknown | 28-Jul-2006 |
| The SCO Group | Unknown | 28-Jul-2006 |
| Trustix Secure Linux | Unknown | 28-Jul-2006 |
| Turbolinux | Unknown | 28-Jul-2006 |
| Ubuntu | Unknown | 28-Jul-2006 |
| Unisys | Unknown | 28-Jul-2006 |
| Wind River Systems, Inc. | Unknown | 28-Jul-2006 |
References
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt
http://www.die.net/doc/linux/man/man8/kshd.8.html
http://www.die.net/doc/linux/man/man1/v4rcp.1.html
Credit
These vulnerabilities were reported by the MIT Kerberos Development Team.
This document was written by Ryan Giobbi and Art Manion.
Other Information
| Date Public: | 2006-07-26 |
| Date First Published: | 2006-08-08 |
| Date Last Updated: | 2006-08-24 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2006-3083 |
| NVD-ID(s): | CVE-2006-3083 |
| US-CERT Technical Alerts: | |
| Metric: | 6.91 |
| Document Revision: | 39 |