US-CERT Vulnerability Notes Database

Vulnerability Note VU#602625

KTH Kerberos environment variables krb4_proxy and KRBCONFDIR may be used insecurely

Overview

The environment variables krb4_proxy and KRBCONFDIR may be honoured by client programs such as login or su in such a way that local or remote intruders can cause the client program to accept authentication responses from a malicious KDC. The vulnerabilities may be exploited remotely by passing these environment variables through a telnet connection.

I. Description

KTH Kerberos honours two environment variables that intruders may abuse to gain root privileges. In the case of krb4_proxy, a local intruder may set the variable in the shell before starting the Kerberos client authentication program; either variable may be passed over the network by a remote intruder via a telnet connection. While the exploitation scenarios differ in some details, both rely on redirecting authentication requests to a malicious Kerberos Key Distribution Center (KDC). This malicious server may respond to requests by always approving the authentication, or by attempting to exploit the buffer overflow described in VU#759265. The malicious server may require access to a corresponding secret key on the client in order for its response to be accepted as originating from a legitimate KDC.
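The remote vector relies on the telnet NEW-ENVIRON option (RFC 1572) carrying the variable from the client into the environment of the server-side login. The following detector is an added example, not code from the advisory or from KTH Kerberos: it decodes one NEW-ENVIRON subnegotiation and reports whether the client is exporting either of the variables named in this note. The two byte sequences are constructed for the example; the option and opcode numbers are those defined in RFC 1572.

```c
/* Added example, not from the advisory or from KTH Kerberos: decode one
 * telnet NEW-ENVIRON subnegotiation (RFC 1572, option 39) and report
 * whether the client is exporting a variable this note warns about.
 * The sample buffers below are constructed for the example. */
#include <stdio.h>
#include <string.h>

#define IAC 255
#define SB  250
#define SE  240
#define TELOPT_NEW_ENVIRON 39
#define ENV_IS      0
#define ENV_VAR     0
#define ENV_VALUE   1
#define ENV_ESC     2
#define ENV_USERVAR 3

static const char *const watched[] = { "KRBCONFDIR", "krb4_proxy", NULL };

/* Copy the bytes of one name or value into cur, honouring ESC and doubled
 * IAC. Stops at the next VAR/USERVAR (and at VALUE when stop_on_value).
 * Returns the index of the byte it stopped on. */
static size_t take_field(const unsigned char *buf, size_t i, size_t end,
                         int stop_on_value, char *cur, size_t cap) {
    size_t cl = 0;
    while (i < end) {
        unsigned char c = buf[i];
        if (c == ENV_VAR || c == ENV_USERVAR) break;
        if (c == ENV_VALUE && stop_on_value) break;
        if (c == ENV_ESC && i + 1 < end) c = buf[++i];
        else if (c == IAC && i + 1 < end && buf[i + 1] == IAC) i++;
        if (cur && cl < cap - 1) cur[cl++] = (char)c;
        i++;
    }
    if (cur) cur[cl] = '\0';
    return i;
}

/* Returns 1 (and copies the name into `name`) if a watched variable appears
 * in an IAC SB NEW-ENVIRON IS ... IAC SE block, 0 if none, -1 if malformed. */
int find_watched_env(const unsigned char *buf, size_t len, char *name, size_t n) {
    if (len < 6 || buf[0] != IAC || buf[1] != SB ||
        buf[2] != TELOPT_NEW_ENVIRON || buf[3] != ENV_IS)
        return -1;
    size_t end = 0;
    for (size_t i = 4; i + 1 < len; i++) {            /* locate IAC SE */
        if (buf[i] == IAC && buf[i + 1] == SE) { end = i; break; }
        if (buf[i] == IAC && buf[i + 1] == IAC) i++;   /* escaped 0xff */
    }
    if (end == 0) return -1;

    size_t i = 4;
    char cur[64];
    while (i < end) {
        unsigned char kind = buf[i++];
        if (kind != ENV_VAR && kind != ENV_USERVAR) continue;  /* stray byte */
        i = take_field(buf, i, end, 1, cur, sizeof cur);
        for (const char *const *w = watched; *w; w++)
            if (strcmp(cur, *w) == 0) { snprintf(name, n, "%s", cur); return 1; }
        if (i < end && buf[i] == ENV_VALUE)
            i = take_field(buf, i + 1, end, 0, NULL, 0);   /* skip the value */
    }
    return 0;
}

/* Constructed sample: IAC SB NEW-ENVIRON IS VAR "TERM" VALUE "vt100"
 * USERVAR "KRBCONFDIR" VALUE "/tmp/evil" IAC SE */
static const unsigned char hostile[] = {
    IAC, SB, TELOPT_NEW_ENVIRON, ENV_IS,
    ENV_VAR, 'T','E','R','M', ENV_VALUE, 'v','t','1','0','0',
    ENV_USERVAR, 'K','R','B','C','O','N','F','D','I','R',
    ENV_VALUE, '/','t','m','p','/','e','v','i','l',
    IAC, SE
};
/* Constructed benign sample: only TERM is exported. */
static const unsigned char benign[] = {
    IAC, SB, TELOPT_NEW_ENVIRON, ENV_IS,
    ENV_VAR, 'T','E','R','M', ENV_VALUE, 'v','t','1','0','0',
    IAC, SE
};

/* Helpers so the outcome can be checked without parsing printed output. */
int hostile_flagged(void) {
    char nm[32];
    return find_watched_env(hostile, sizeof hostile, nm, sizeof nm) == 1 &&
           strcmp(nm, "KRBCONFDIR") == 0;
}
int benign_flagged(void) {
    char nm[32];
    return find_watched_env(benign, sizeof benign, nm, sizeof nm);
}

int main(void) {
    printf("hostile negotiation flagged: %d\n", hostile_flagged());
    printf("benign negotiation flagged:  %d\n", benign_flagged());
    return 0;
}
```

A telnetd or an inline network monitor can run the same check on each NEW-ENVIRON IS block before the variables reach login; matching is exact on the name, so the case-sensitive krb4_proxy is not confused with unrelated upper-case names.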

KRBCONFDIR environment variable

The first environment variable is KRBCONFDIR, which causes the client program to read its Kerberos configuration data from a directory of the intruder's choosing. The intruder thereby controls which KDC is contacted and can supply a new secret key in a malicious srvtab file. Because the intruder controls this new secret key, the malicious server can construct a properly formatted authentication response using it that passes the cryptographic checks meant to verify the server's identity. The legitimate srvtab secret is not compromised, and the client program must be compiled with Kerberos support. The attacker must have write access to a filesystem mounted on the victim host, where the malicious configuration and srvtab are placed, in order to carry out this attack. Local attackers cannot exploit this vulnerability by setting the variable in their shell, because the programs attempt to detect that they are running setuid and then ignore KRBCONFDIR; that check does not protect login when telnetd starts it with the variable already in its environment, since login then runs as root rather than setuid.

krb4_proxy environment variable

The other variable is krb4_proxy, which allows a client to specify a proxy server for Kerberos client authentication. The client application must be compiled with Kerberos support, and the client system must be configured to use Kerberos authentication. Because the client code expects an authentication response proxied from a legitimate server, the intruder must defeat the cryptographic checks that verify the server's identity in some other way. Access to the legitimate srvtab, or weak checking by the client code, may allow this.

Depending on the setting of a client-side compilation directive called KLOGIN_PARANOID, the client code may or may not detect that the authentication response did not come from a legitimate server. If the buffer overflow described in VU#759265 can be exploited, the setting of this directive does not matter. The attacker does not need write access to any local filesystem to exploit this vulnerability.
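The description above turns on a single decision: whether the client honours KRBCONFDIR or krb4_proxy at all. The block below is an added example, not code from the advisory or from KTH Kerberos. It models the rule the note describes (ignore the variable only when the program detects it is setuid), shows why a root login started by telnetd passes that rule, and sets a stricter rule and an environment scrubber beside it as suggested mitigations; the hardened rule and the scrubber are this example's own, not the vendor patch, and the environment entries are constructed.

```c
/* Added example, not code from the advisory or from KTH Kerberos. It models
 * the trust decision the note describes: the client ignores KRBCONFDIR only
 * when it detects it is running setuid, so a root login spawned by telnetd
 * (real uid == effective uid == 0) still honours the variable. The hardened
 * rule and the scrubber are suggested mitigations, not the vendor patch. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

static const char *const risky_vars[] = { "KRBCONFDIR", "krb4_proxy", NULL };

/* Flawed rule as described in the note: only a uid mismatch (setuid)
 * disables the variable. A root process started by a root daemon passes. */
int env_trusted_setuid_only(uid_t ruid, uid_t euid) {
    return ruid == euid;
}

/* Stricter rule: ignore the variables whenever the process is privileged or
 * has changed privilege (uid or gid), which covers telnetd -> login. */
int env_trusted_hardened(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    if (ruid != euid || rgid != egid) return 0;
    if (euid == 0) return 0;
    return 1;
}

/* Return 1 if a "NAME=value" entry names one of the risky variables.
 * The match is exact on NAME, so KRBCONFDIRX is not a hit. */
int is_risky_entry(const char *entry) {
    const char *eq = strchr(entry, '=');
    size_t nlen = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *v = risky_vars; *v; v++)
        if (strlen(*v) == nlen && strncmp(entry, *v, nlen) == 0) return 1;
    return 0;
}

/* Drop risky entries from a NULL-terminated envp in place, the filtering a
 * daemon should do before exec'ing login. Returns the number removed. */
size_t scrub_env(char **envp) {
    size_t in = 0, out = 0, removed = 0;
    for (; envp[in]; in++) {
        if (is_risky_entry(envp[in])) removed++;
        else envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return removed;
}

/* Constructed environment as telnetd might receive it from a client.
 * Returns the number of entries removed, or -1 if the survivors are wrong. */
int scrub_demo(void) {
    char *env[] = { "TERM=vt100", "KRBCONFDIR=/tmp/evil", "HOME=/home/u",
                    "krb4_proxy=evil.example.org:8080", NULL };
    int removed = (int)scrub_env(env);
    if (!env[0] || strcmp(env[0], "TERM=vt100") != 0) return -1;
    if (!env[1] || strcmp(env[1], "HOME=/home/u") != 0) return -1;
    if (env[2] != NULL) return -1;
    return removed;
}

int main(void) {
    printf("setuid-only rule trusts root login env: %d\n",
           env_trusted_setuid_only(0, 0));
    printf("hardened rule trusts root login env:    %d\n",
           env_trusted_hardened(0, 0, 0, 0));
    printf("scrubbed %d risky entries\n", scrub_demo());
    return 0;
}
```

The point of the two rules side by side is that "am I setuid?" is not the same question as "am I privileged?": the first is what the note says the client asks, and a root login started by a root daemon answers it with no.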

II. Impact

KRBCONFDIR environment variable

The KRBCONFDIR environment variable issue may be exploited by local or remote intruders to gain root privileges.

krb4_proxy environment variable

The krb4_proxy environment variable vulnerability may be exploited by local or remote intruders to gain root privileges, depending on several other factors such as the KLOGIN_PARANOID compilation directive.

III. Solution

Apply a patch from your vendor.

Systems Affected

Vendor                              Status           Date
Apple                               Not Vulnerable   14-Dec-2000
BSDI                                Unknown          14-Dec-2000
Caldera                             Unknown          14-Dec-2000
Compaq Computer Corporation         Not Vulnerable   14-Dec-2000
Data General                        Unknown          14-Dec-2000
Debian                              Unknown          14-Dec-2000
FreeBSD                             Vulnerable       14-Dec-2000
Fujitsu                             Not Vulnerable   11-Jan-2001
Hewlett Packard                     Unknown          14-Dec-2000
IBM                                 Not Vulnerable   14-Dec-2000
KTH Kerberos                        Unknown          14-Dec-2000
Microsoft                           Not Vulnerable   14-Dec-2000
MIT Kerberos Development Team       Not Vulnerable   11-Jan-2001
NetBSD                              Vulnerable       11-Jan-2001
OpenBSD                             Unknown          14-Dec-2000
RedHat                              Unknown          14-Dec-2000
SGI                                 Unknown          14-Dec-2000
Sony                                Unknown          14-Dec-2000
Sun                                 Unknown          14-Dec-2000
Washington University               Unknown          14-Dec-2000

(The source table is headed Date Notified and Date Updated but carries a single date per vendor; that date is reproduced in the Date column.)

References

http://www.securityfocus.com/bid/2090
http://www.securityfocus.com/bid/2092

Credit

Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.

This document was written by Cory F Cohen.

Other Information

Date Public: 2000-12-09
Date First Published: 2000-12-19
Date Last Updated: 2001-01-11
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Severity Metric: 14.70
Document Revision: 11

Copyright 2000 Carnegie Mellon University