Vulnerability Note VU#602625

KTH Kerberos environment variables krb4proxy and KRBCONFDIR may be used insecurely

Original Release date: 19 Dec 2000 | Last revised: 11 Jan 2001

Overview

The environment variables krb4_proxy and KRBCONFDIR may be honored by client programs such as login or su in such a way that local or remote intruders can cause the client program to accept authentication responses from a malicious KDC. The vulnerabilities may be exploited remotely by passing these environment variables through a telnet connection.

Description

KTH Kerberos includes support for two environment variables that may be abused by intruders to gain root privileges. In the case of krb4_proxy these variables may be set in the shell by a local intruder before starting the Kerberos client authentication program; either variable may also be passed over the network by a remote intruder via a telnet connection. While the exploitation scenarios differ in some details, both rely on redirecting authentication requests to a malicious Kerberos Key Distribution Center (KDC). This malicious server may respond to requests by always approving the authentication, or by attempting to exploit the buffer overflow described in VU#759265. For its response to be accepted as originating from a legitimate KDC, the malicious server may require access to a corresponding secret key on the client.
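The remote vector relies on telnet's NEW-ENVIRON option (RFC 1572): the client ships VAR/VALUE pairs in a subnegotiation, and telnetd places them in the environment of the login program it spawns. The following is an added example, not code from this note or from any telnetd; it decodes an IS payload and applies an allow-list so that only a few known-harmless names reach the login environment. The allow-list contents, the sample bytes and all function names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* NEW-ENVIRON sub-option codes from RFC 1572. */
enum { NE_VAR = 0, NE_VALUE = 1, NE_ESC = 2, NE_USERVAR = 3 };

struct envpair {
    char name[64];
    char value[128];
};

/* Copy bytes into dst until VAR/USERVAR (and, for names, VALUE) or end of
 * input; ESC quotes the following byte.  Returns length or -1. */
static int read_token(const unsigned char *p, size_t len, size_t *i,
                      char *dst, size_t dstlen, int stop_at_value)
{
    size_t k = 0;
    while (*i < len) {
        unsigned char c = p[*i];
        if (c == NE_VAR || c == NE_USERVAR || (stop_at_value && c == NE_VALUE))
            break;
        (*i)++;
        if (c == NE_ESC) {                 /* escaped byte is taken literally */
            if (*i >= len) return -1;
            c = p[(*i)++];
        }
        if (k + 1 >= dstlen) return -1;    /* refuse oversized names/values */
        dst[k++] = (char)c;
    }
    dst[k] = '\0';
    return (int)k;
}

/* Decode the bytes between "IAC SB NEW-ENVIRON IS" and "IAC SE" into pairs.
 * Returns the pair count or -1 on malformed input.  (IAC doubling inside the
 * subnegotiation is undone by the telnet layer before this runs.) */
int parse_new_environ(const unsigned char *p, size_t len,
                      struct envpair *out, int max)
{
    int n = 0;
    size_t i = 0;
    while (i < len) {
        struct envpair cur = { "", "" };
        if ((p[i] != NE_VAR && p[i] != NE_USERVAR) || n >= max)
            return -1;
        i++;
        if (read_token(p, len, &i, cur.name, sizeof cur.name, 1) <= 0)
            return -1;                     /* empty name is malformed */
        if (i < len && p[i] == NE_VALUE) {
            i++;
            if (read_token(p, len, &i, cur.value, sizeof cur.value, 0) < 0)
                return -1;
        }
        out[n++] = cur;
    }
    return n;
}

/* Allow-list (constructed): anything not named here never reaches login. */
static const char *const allowed_names[] = { "TERM", "DISPLAY", "PRINTER", NULL };

int env_allowed(const char *name)
{
    for (int i = 0; allowed_names[i] != NULL; i++)
        if (strcmp(allowed_names[i], name) == 0)
            return 1;
    return 0;
}

/* Parse and filter; returns the number of pairs kept, -1 on bad input. */
int import_environment(const unsigned char *p, size_t len,
                       struct envpair *kept, int max)
{
    struct envpair all[16];
    int n = parse_new_environ(p, len, all, 16), k = 0;
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (env_allowed(all[i].name) && k < max)
            kept[k++] = all[i];
    return k;
}

/* Constructed IS payload: a harmless TERM, then the two variables from this
 * note, one sent as VAR and one as USERVAR. */
static const unsigned char sample_is[] = {
    NE_VAR, 'T','E','R','M', NE_VALUE, 'v','t','1','0','0',
    NE_VAR, 'K','R','B','C','O','N','F','D','I','R', NE_VALUE, '/','t','m','p','/','x',
    NE_USERVAR, 'k','r','b','4','_','p','r','o','x','y', NE_VALUE, 'e','v','i','l',
};

int sample_total(void)  /* pairs the client sent */
{
    struct envpair all[16];
    return parse_new_environ(sample_is, sizeof sample_is, all, 16);
}

int sample_kept(void)   /* pairs that survive the allow-list */
{
    struct envpair kept[16];
    return import_environment(sample_is, sizeof sample_is, kept, 16);
}

int main(void)
{
    struct envpair all[16];
    int n = parse_new_environ(sample_is, sizeof sample_is, all, 16);
    for (int i = 0; i < n; i++)
        printf("%-12s = %-8s %s\n", all[i].name, all[i].value,
               env_allowed(all[i].name) ? "kept" : "dropped");
    return 0;
}
```

An allow-list is deliberately chosen over a deny-list of known-bad names: the two variables in this note were not on anyone's deny-list before it was published, and a deny-list would also have to anticipate every case variant a library might accept.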

KRBCONFDIR environment variable

The first environment variable is KRBCONFDIR, which allows the intruder to cause the client program to use different Kerberos configuration data for authentication. The intruder is able to control which KDC is contacted and to supply a new secret key in a malicious srvtab file. Because the intruder controls this new secret key, the malicious server can construct a properly formatted authentication response using the new secret that will pass the cryptographic checks for verifying the server's identity. The legitimate srvtab secret is not compromised, and the client program must be compiled with Kerberos support. The attacker must have write access to a filesystem mounted on the victim host in order to execute this attack. Local attackers cannot exploit this vulnerability by setting the environment variable in their shell, because the programs attempt to detect their setuid status and then ignore the KRBCONFDIR variable.
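The set-uid detection described above, as an added illustration that is not KTH Kerberos source (the function names, the /etc default and the sample values are hypothetical): a configuration-directory lookup that honors the environment only when real and effective IDs match. The last case in main shows why the check does not cover the remote vector described in this note: a login started by telnetd already runs as real root with the imported environment, so uid equals euid and the attacker-supplied directory is used.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_CONF_DIR "/etc"   /* hypothetical default for this example */

/* Vulnerable pattern: the environment always decides where configuration
 * (and therefore the srvtab holding the server secret) is read from. */
const char *conf_dir_unsafe(const char *env_value)
{
    return (env_value != NULL && env_value[0] != '\0') ? env_value
                                                       : DEFAULT_CONF_DIR;
}

/* Hardened pattern: ignore the environment whenever the process is set-uid
 * or set-gid, i.e. real and effective IDs differ.  Where issetugid(2) exists
 * it is preferable, since it also stays set after privileges are dropped. */
const char *conf_dir_safe(const char *env_value,
                          uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (uid != euid || gid != egid)
        return DEFAULT_CONF_DIR;
    return conf_dir_unsafe(env_value);
}

/* Convenience wrapper using the calling process's own IDs. */
const char *conf_dir_from_process(void)
{
    return conf_dir_safe(getenv("KRBCONFDIR"),
                         getuid(), geteuid(), getgid(), getegid());
}

/* Path the client would open for the server secret under the chosen dir. */
int srvtab_path(char *out, size_t outlen, const char *dir)
{
    int n = snprintf(out, outlen, "%s/srvtab", dir);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    const char *attacker = "/tmp/attacker";   /* constructed value */
    char path[128];
    const char *d;

    /* Local attacker running set-uid root su: real uid 1000, effective 0.
     * The check wins and the default directory is used. */
    printf("su    (1000/0):    %s\n", conf_dir_safe(attacker, 1000, 0, 1000, 0));

    /* Unprivileged client program: honoring the variable is harmless. */
    printf("kinit (1000/1000): %s\n",
           conf_dir_safe(attacker, 1000, 1000, 1000, 1000));

    /* login spawned by telnetd: real and effective uid are both 0, so the
     * set-uid test passes and the attacker-supplied directory is used. */
    d = conf_dir_safe(attacker, 0, 0, 0, 0);
    if (srvtab_path(path, sizeof path, d) == 0)
        printf("login (0/0):       %s -> %s\n", d, path);
    return 0;
}
```

The check is therefore a defense against the local, set-uid case only; the network-facing fix is to keep such variables out of the environment before login runs.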

krb4_proxy environment variable

The other variable is krb4_proxy, which allows a client to specify a proxy server for Kerberos client authentication. The client application must be compiled with Kerberos support, and the client system must be configured to use Kerberos authentication. Because the client code expects an authentication response proxied from a legitimate server, the intruder must overcome the cryptographic checks for verifying the server's identity in some other way. Access to the legitimate srvtab or weak checking by the client code may allow this.

Depending on the setting of a client-side compilation directive called KLOGIN_PARANOID, the client code may or may not detect that the authentication response is not from a legitimate server. If the buffer overflow described in VU#759265 can be successfully exploited, the setting of this compilation directive does not matter. The attacker need not have write access to any local filesystem to exploit this vulnerability.

Impact

KRBCONFDIR environment variable

The KRBCONFDIR environment variable issue may be exploited by local or remote intruders to gain root privileges.

krb4_proxy environment variable

The krb4_proxy environment variable vulnerability may be exploited by local or remote intruders to gain root privileges depending on several other factors such as the KLOGIN_PARANOID compilation directive.

Solution

Apply a patch from your vendor.

Systems Affected

Vendor                             Status        Date Notified  Date Updated
FreeBSD                            Affected      11 Dec 2000    14 Dec 2000
NetBSD                             Affected      11 Dec 2000    11 Jan 2001
Apple                              Not Affected  11 Dec 2000    14 Dec 2000
Compaq Computer Corporation        Not Affected  11 Dec 2000    14 Dec 2000
Fujitsu                            Not Affected  11 Dec 2000    11 Jan 2001
IBM                                Not Affected  11 Dec 2000    14 Dec 2000
Microsoft                          Not Affected  11 Dec 2000    14 Dec 2000
MIT Kerberos Development Team      Not Affected  08 Dec 2000    11 Jan 2001
BSDI                               Unknown       11 Dec 2000    14 Dec 2000
Caldera                            Unknown       11 Dec 2000    14 Dec 2000
Data General                       Unknown       11 Dec 2000    14 Dec 2000
Debian                             Unknown       11 Dec 2000    14 Dec 2000
Hewlett Packard                    Unknown       11 Dec 2000    14 Dec 2000
KTH Kerberos                       Unknown       -              14 Dec 2000
OpenBSD                            Unknown       11 Dec 2000    14 Dec 2000

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.

This document was written by Cory F Cohen.

Other Information

  • CVE IDs: Unknown
  • Date Public: 09 Dec 2000
  • Date First Published: 19 Dec 2000
  • Date Last Updated: 11 Jan 2001
  • Severity Metric: 14.70
  • Document Revision: 11