Vulnerability Note VU#686862

MIT Kerberos 5 krb5_aname_to_localname() contains several heap overflows

Overview

MIT Kerberos 5 contains several heap buffer overflow vulnerabilities in code that translates Kerberos principal names to local UNIX account names. An authenticated, remote attacker could execute arbitrary code on a vulnerable system with root privileges.

I. Description

MIT Kerberos 5 contains several heap buffer overflow vulnerabilities in a library that translates Kerberos principal names to local UNIX account names. From MIT krb5 Security Advisory 2004-001:

    krb5_aname_to_localname() translates a Kerberos principal name to a local account name, typically a UNIX username.  In the file src/lib/krb5/os/an_to_ln.c, the helper functions aname_replacer(), do_replacement(), and rule_an_to_ln() do not perform adequate checks of the lengths of strings which contain the name of the principal whose authorization is being checked.

    In addition, the implementation of the explicit mapping functionality in krb5_aname_to_localname() consistently writes a zero byte at a location one byte past the end of a heap buffer when handling a principal name matching an explicit mapping.

Further technical details, including a patch against krb5-1.3.3, are available in MIT krb5 Security Advisory 2004-001.

Only Kerberos-enabled services that enable explicit or rules-based krb5_aname_to_localname() mapping are vulnerable. In the case of the explicit mapping vulnerability, the attacker would need to authenticate using a principal name that is present in the explicit mapping list. In the case of the rules-based mapping vulnerabilities, the attacker would need the ability to create specially crafted principal names in the local realm or in a realm accessible via cross-realm authentication.
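The defect class the advisory describes is string handling that does not account for the length of the principal name (and, in the explicit-mapping case, for the terminating NUL byte) before writing into a heap buffer. The following is an added example, not code from MIT krb5: it sketches the two mapping steps, a fixed explicit-mapping table lookup and a rules-style substring replacement, with every write bounded by the destination size including the NUL terminator. The function names, the mapping table entries and the principal names are constructed for this illustration.

```c
/* Added example (not MIT krb5 code): bounds-checked principal-to-local-name
 * mapping steps of the kind krb5_aname_to_localname() performs. Every write
 * below is checked against the destination size, including the terminating
 * NUL, which is the accounting the advisory says was missing. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst[dstsz] only if it fits together with its NUL terminator.
 * Returns 0 on success, -1 if the copy would run past the end of dst.
 * Note the ">=": n == dstsz leaves no room for the NUL (the one-byte overrun). */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Rules-style step: replace every occurrence of `from` in `in` with `to`,
 * writing into out[outsz]. The remaining space is checked before each write
 * so that a long principal name or an expanding rule cannot overflow.
 * Returns 0 on success, -1 if the result (plus NUL) would not fit. */
int replace_bounded(const char *in, const char *from, const char *to,
                    char *out, size_t outsz)
{
    size_t fromlen = strlen(from), tolen = strlen(to), used = 0;
    if (fromlen == 0 || outsz == 0)
        return -1;
    const char *p = in;
    while (*p) {
        const char *hit = strstr(p, from);
        size_t chunk = hit ? (size_t)(hit - p) : strlen(p);
        if (used + chunk >= outsz)          /* room for chunk and final NUL */
            return -1;
        memcpy(out + used, p, chunk);
        used += chunk;
        p += chunk;
        if (!hit)
            break;
        if (used + tolen >= outsz)
            return -1;
        memcpy(out + used, to, tolen);
        used += tolen;
        p += fromlen;
    }
    out[used] = '\0';
    return 0;
}

/* Explicit-mapping step: look the principal up in a fixed table and copy the
 * mapped local name. The table entries are constructed for this example. */
struct mapping { const char *principal; const char *localname; };
static const struct mapping table[] = {
    { "alice@EXAMPLE.ORG", "alice" },
    { "host/db.example.org@EXAMPLE.ORG", "dbsvc" },
};

int explicit_map(const char *principal, char *out, size_t outsz)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].principal, principal) == 0)
            return copy_bounded(out, outsz, table[i].localname);
    return -1;                               /* no explicit mapping */
}

int main(void)
{
    char local[16];
    if (explicit_map("alice@EXAMPLE.ORG", local, sizeof local) == 0)
        printf("explicit: %s\n", local);
    if (replace_bounded("bob@EXAMPLE.ORG", "@EXAMPLE.ORG", "", local, sizeof local) == 0)
        printf("rule: %s\n", local);
    /* A destination too small for "alice" plus NUL is refused, not overrun. */
    printf("undersized buffer: %d\n", explicit_map("alice@EXAMPLE.ORG", local, 5));
    return 0;
}
```

The point of the `>=` comparisons is that the check must include the NUL byte: a buffer sized exactly to `strlen(localname)` is one byte short, which is the single-byte heap overrun the advisory describes for explicit mappings. A mapping routine that returns an error when the result does not fit lets the calling service reject the login rather than corrupt the heap.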

II. Impact

An authenticated, remote attacker could execute arbitrary code on a system using krb5_aname_to_localname() mapping. The vulnerable library is loaded by services that use Kerberos authentication (e.g., telnetd, klogind), and in most cases these services run with root privileges.

III. Solution

Apply a patch or upgrade

Apply the patch referenced in MIT krb5 Security Advisory 2004-001 or upgrade to MIT krb5-1.3.4. Alternatively, apply the appropriate patch or upgrade as specified by your vendor.

Systems Affected

Vendor                           | Status         | Date Notified / Date Updated
Apple Computer Inc.              | Vulnerable     | 10-May-2005
Conectiva                        | Vulnerable     | 3-Jun-2004
Cray Inc.                        | Unknown        | 3-Jun-2004
Debian                           | Vulnerable     | 3-Jun-2004
EMC Corporation                  | Unknown        | 3-Jun-2004
FreeBSD                          | Unknown        | 3-Jun-2004
Fujitsu                          | Unknown        | 3-Jun-2004
Guardian Digital Inc.            | Unknown        | 3-Jun-2004
Heimdal Kerberos Project         | Unknown        | 3-Jun-2004
Hewlett-Packard Company          | Unknown        | 3-Jun-2004
Hitachi                          | Unknown        | 3-Jun-2004
IBM                              | Unknown        | 3-Jun-2004
Ingrian Networks                 | Unknown        | 3-Jun-2004
Juniper Networks                 | Unknown        | 3-Jun-2004
KTH Kerberos Development Team    | Unknown        | 3-Jun-2004
MandrakeSoft                     | Unknown        | 3-Jun-2004
Microsoft Corporation            | Not Vulnerable | 3-Jun-2004
MIT Kerberos Development Team    | Vulnerable     | 2-Jun-2004
MontaVista Software              | Unknown        | 3-Jun-2004
NEC Corporation                  | Unknown        | 3-Jun-2004
NetBSD                           | Unknown        | 3-Jun-2004
Nokia                            | Unknown        | 3-Jun-2004
Novell                           | Unknown        | 3-Jun-2004
OpenBSD                          | Unknown        | 3-Jun-2004
Openwall GNU/*/Linux             | Unknown        | 3-Jun-2004
Red Hat Inc.                     | Unknown        | 3-Jun-2004
SCO                              | Unknown        | 3-Jun-2004
SGI                              | Unknown        | 3-Jun-2004
Sony Corporation                 | Unknown        | 3-Jun-2004
Sun Microsystems Inc.            | Unknown        | 3-Jun-2004
SuSE Inc.                        | Not Vulnerable | 3-Jun-2004
tinysofa                         | Vulnerable     | 3-Jun-2004
Trustix Secure Linux             | Vulnerable     | 3-Jun-2004
TurboLinux                       | Unknown        | 3-Jun-2004
Unisys                           | Unknown        | 3-Jun-2004
Wind River Systems Inc.          | Unknown        | 3-Jun-2004
Wirex                            | Unknown        | 3-Jun-2004
WRQ                              | Not Vulnerable | 3-Jun-2004

References

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
http://secunia.com/advisories/11753/
http://www.securitytracker.com/alerts/2004/Jun/1010356.html

Credit

This vulnerability was reported by the MIT Kerberos Development Team.

This document was written by Art Manion.

Other Information

Date Public: 2004-06-02
Date First Published: 2004-06-02
Date Last Updated: 2004-06-28
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric: 6.43
Document Revision: 17

Copyright 2004 Carnegie Mellon University