Vulnerability Note VU#686862

MIT Kerberos 5 krb5_aname_to_localname() contains several heap overflows

Original Release date: 02 Jun 2004 | Last revised: 28 Jun 2004

Overview

MIT Kerberos 5 contains several heap buffer overflow vulnerabilities in code that translates Kerberos principal names to local UNIX account names. An authenticated, remote attacker could execute arbitrary code on a vulnerable system with root privileges.

Description

MIT Kerberos 5 contains several heap buffer overflow vulnerabilities in a library that translates Kerberos principal names to local UNIX account names. From MIT krb5 Security Advisory 2004-001:

    krb5_aname_to_localname() translates a Kerberos principal name to a local account name, typically a UNIX username.  In the file src/lib/krb5/os/an_to_ln.c, the helper functions aname_replacer(), do_replacement(), and rule_an_to_ln() do not perform adequate checks of the lengths of strings which contain the name of the principal whose authorization is being checked.

    In addition, the implementation of the explicit mapping functionality in krb5_aname_to_localname() consistently writes a zero byte at a location one byte past the end of a heap buffer when handling a principal name matching an explicit mapping.
Further technical details, including a patch against krb5-1.3.3, are available in MIT krb5 Security Advisory 2004-001.

Only kerberos enabled services that enable explicit or rules-based krb5_aname_to_localname() mapping are vulnerable. In the case of the explicit mapping vulnerability, the attacker would need to authenticate using a principal name that is present in the explicit mapping list. In the case of the rules-based mapping vulnerabilities, the attacker would need the ability to create specially crafted principal names in the local realm or in a realm accessible via cross-realm authentication.

Impact

An authenticated, remote attacker could execute arbitrary code on a system using krb5_aname_to_localname() mapping. The vulnerable library is loaded by services that use Kerberos authentication (e.g., telnetd, klogind), and in most cases these services run with root privileges.

Solution

Apply a patch or upgrade

Apply the patch referenced in MIT krb5 Security Advisory 2004-001 or upgrade to MIT krb5-1.3.4. Alternatively, apply the appropriate patch or upgrade as specified by your vendor.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Affected02 Jun 200410 May 2005
ConectivaAffected02 Jun 200403 Jun 2004
DebianAffected02 Jun 200403 Jun 2004
MIT Kerberos Development TeamAffected-02 Jun 2004
tinysofaAffected-03 Jun 2004
Trustix Secure LinuxAffected-03 Jun 2004
Microsoft CorporationNot Affected02 Jun 200403 Jun 2004
SuSE Inc.Not Affected02 Jun 200403 Jun 2004
WRQNot Affected02 Jun 200403 Jun 2004
Cray Inc.Unknown-03 Jun 2004
EMC CorporationUnknown-03 Jun 2004
FreeBSDUnknown-03 Jun 2004
FujitsuUnknown-03 Jun 2004
Guardian Digital Inc. Unknown-03 Jun 2004
Heimdal Kerberos ProjectUnknown-03 Jun 2004
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by the MIT Kerberos Development Team.

This document was written by Art Manion.

Other Information

  • CVE IDs: Unknown
  • Date Public: 02 Jun 2004
  • Date First Published: 02 Jun 2004
  • Date Last Updated: 28 Jun 2004
  • Severity Metric: 6.43
  • Document Revision: 17

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.