SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#704024

MIT Kerberos 5 administration daemon stack overflow in krb5_klog_syslog()

Overview

The Kerberos administration daemon contains a buffer overflow that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.

I. Description

A vulnerability exists in the way the krb5_klog_syslog() function used by the Kerberos administration daemon handles specially crafted strings. This vulnerability may cause a buffer overflow that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-002:

    krb5_klog_syslog() uses vsprintf() to format text into a fixed-length stack buffer. Format specifiers such as "%s" used in calls to krb5_klog_syslog() may allow formatting of strings of sufficient length to overwrite memory past the end of the stack buffer.

    Certain strings received from the client by the kadmin daemon are not truncated prior to logging. Among these strings is the target principal for the kadmin operation.

    The KDC truncates most client-originated strings prior to logging. One sort of string which is not truncated is a transited-realms string. A malicious KDC sharing a key with the target realm may issue tickets with specially-crafted transited-realms strings to exploit this vulnerability. There are other places where an authenticated user may cause the KDC to log a string which triggers the vulnerability.

Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6. Other server applications that call the krb5_klog_syslog()function provided with MIT krb5 may also be affected.

This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system.

II. Impact

A remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.

III. Solution

Apply Patch

    A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-002. MIT also states that this will be addressed in the upcoming krb5-1.6.1 release.

    Systems Affected
    VendorStatusDate NotifiedDate Updated
    3com, Inc.Unknown4-Apr-2007
    AlcatelUnknown4-Apr-2007
    Apple Computer, Inc.Vulnerable20-Apr-2007
    AttachmateWRQ, Inc.Not Vulnerable4-Apr-2007
    AT&TUnknown4-Apr-2007
    Avaya, Inc.Unknown4-Apr-2007
    Avici Systems, Inc.Unknown4-Apr-2007
    Borderware TechnologiesUnknown4-Apr-2007
    Charlotte's Web NetworksUnknown4-Apr-2007
    Check Point Software TechnologiesUnknown4-Apr-2007
    Chiaro Networks, Inc.Unknown4-Apr-2007
    Cisco Systems, Inc.Not Vulnerable2-Apr-2007
    ClavisterUnknown4-Apr-2007
    Computer AssociatesUnknown4-Apr-2007
    Conectiva Inc.Unknown4-Apr-2007
    Cray Inc.Unknown4-Apr-2007
    CyberSafe, Inc.Not Vulnerable4-Apr-2007
    D-Link Systems, Inc.Unknown4-Apr-2007
    Data Connection, Ltd.Unknown4-Apr-2007
    Debian GNU/LinuxVulnerable4-Apr-2007
    EMC, Inc. (formerly Data General Corporation)Unknown4-Apr-2007
    Engarde Secure LinuxUnknown4-Apr-2007
    EricssonUnknown4-Apr-2007
    eSoft, Inc.Unknown4-Apr-2007
    Extreme NetworksUnknown4-Apr-2007
    F5 Networks, Inc.Unknown4-Apr-2007
    Fedora ProjectUnknown4-Apr-2007
    Force10 Networks, Inc.Not Vulnerable4-Apr-2007
    Fortinet, Inc.Unknown4-Apr-2007
    Foundry Networks, Inc.Unknown4-Apr-2007
    FreeBSD, Inc.Unknown4-Apr-2007
    FujitsuUnknown4-Apr-2007
    Gentoo LinuxVulnerable4-Apr-2007
    Global Technology AssociatesUnknown4-Apr-2007
    Heimdal Kerberos ProjectNot Vulnerable4-Apr-2007
    Hewlett-Packard CompanyUnknown4-Apr-2007
    HitachiNot Vulnerable2-Apr-2007
    HitachiNot Vulnerable4-Apr-2007
    HyperchipUnknown4-Apr-2007
    IBM CorporationNot Vulnerable4-Apr-2007
    IBM Corporation (zseries)Unknown4-Apr-2007
    IBM eServerUnknown4-Apr-2007
    Immunix Communications, Inc.Unknown4-Apr-2007
    Ingrian Networks, Inc.Unknown4-Apr-2007
    Intel CorporationUnknown4-Apr-2007
    Internet Security Systems, Inc.Unknown4-Apr-2007
    IntotoNot Vulnerable4-Apr-2007
    IP FilterUnknown4-Apr-2007
    Juniper Networks, Inc.Not Vulnerable4-Apr-2007
    KTH Kerberos TeamUnknown4-Apr-2007
    Linksys (A division of Cisco Systems)Unknown4-Apr-2007
    Lucent TechnologiesUnknown4-Apr-2007
    Luminous NetworksUnknown4-Apr-2007
    Mandriva, Inc.Vulnerable5-Apr-2007
    Microsoft CorporationNot Vulnerable4-Apr-2007
    MIT Kerberos Development TeamVulnerable3-Apr-2007
    MontaVista Software, Inc.Unknown4-Apr-2007
    Multinet (owned Process Software Corporation)Unknown4-Apr-2007
    Multitech, Inc.Unknown4-Apr-2007
    NEC CorporationNot Vulnerable6-Apr-2007
    NetBSDUnknown4-Apr-2007
    netfilterUnknown4-Apr-2007
    Network Appliance, Inc.Unknown4-Apr-2007
    NextHop Technologies, Inc.Unknown4-Apr-2007
    NokiaUnknown4-Apr-2007
    Nortel Networks, Inc.Unknown4-Apr-2007
    Novell, Inc.Vulnerable5-Apr-2007
    OpenBSDUnknown4-Apr-2007
    Openwall GNU/*/LinuxNot Vulnerable4-Apr-2007
    QNX, Software Systems, Inc.Unknown4-Apr-2007
    Red Hat, Inc.Vulnerable2-Apr-2007
    Redback Networks, Inc.Unknown4-Apr-2007
    Riverstone Networks, Inc.Unknown4-Apr-2007
    rPathVulnerable5-Apr-2007
    Secure Computing Network Security DivisionUnknown4-Apr-2007
    Secureworx, Inc.Unknown4-Apr-2007
    Silicon Graphics, Inc.Unknown4-Apr-2007
    Slackware Linux Inc.Unknown4-Apr-2007
    Sony CorporationUnknown4-Apr-2007
    StonesoftUnknown4-Apr-2007
    Sun Microsystems, Inc.Unknown4-Apr-2007
    SUSE LinuxVulnerable5-Apr-2007
    Symantec, Inc.Not Vulnerable5-Apr-2007
    The SCO GroupUnknown4-Apr-2007
    Trustix Secure LinuxVulnerable6-Apr-2007
    TurbolinuxUnknown4-Apr-2007
    UbuntuVulnerable4-Apr-2007
    UnisysUnknown4-Apr-2007
    Watchguard Technologies, Inc.Unknown4-Apr-2007
    Wind River Systems, Inc.Unknown4-Apr-2007
    ZyXELUnknown4-Apr-2007

    References


    http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
    http://web.mit.edu/kerberos/advisories/2007-002-patch.txt
    http://web.mit.edu/kerberos/advisories/2007-002-patch.txt.asc
    http://secunia.com/advisories/24757/
    http://secunia.com/advisories/24735/
    http://secunia.com/advisories/24750/
    http://secunia.com/advisories/24740/
    https://secure-support.novell.com/KanisaPlatform/Publishing/150/3618705_f.SAL_Public.html
    http://securitytracker.com/alerts/2007/Apr/1017849.html
    http://docs.info.apple.com/article.html?artnum=305391
    http://secunia.com/advisories/24966/
    http://secunia.com/advisories/25464/
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-102930-1

    Credit

    This issue was reported in MIT krb5 Security Advisory MITKRB5-SA-2007-002. The MIT Kerberos Development Team credits iDefense Labs for reporting this issue.

    This document was written by Chris Taschner.

    Other Information

    Date Public:2007-04-03
    Date First Published:2007-04-03
    Date Last Updated:2007-05-30
    CERT Advisory: 
    CVE-ID(s):CVE-2007-0957
    NVD-ID(s):CVE-2007-0957
    US-CERT Technical Alerts: 
    Metric:16.96
    Document Revision:55

    If you have feedback, comments, or additional information about this vulnerability, please send us email.
     

    		 
    Page Corner Image
    Produced 2007 by US-CERT, a government organization
    Disclaimers and copyright information
    Get Adobe Reader Get Adobe Reader