Vulnerability Note VU#704024

MIT Kerberos 5 administration daemon stack overflow in krb5_klog_syslog()

Original Release date: 03 Apr 2007 | Last revised: 30 May 2007

Overview

The Kerberos administration daemon contains a buffer overflow that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.

Description

A vulnerability exists in the way the krb5_klog_syslog() function used by the Kerberos administration daemon handles specially crafted strings. This vulnerability may cause a buffer overflow that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-002:

    krb5_klog_syslog() uses vsprintf() to format text into a fixed-length stack buffer. Format specifiers such as "%s" used in calls to krb5_klog_syslog() may allow formatting of strings of sufficient length to overwrite memory past the end of the stack buffer.

    Certain strings received from the client by the kadmin daemon are not truncated prior to logging. Among these strings is the target principal for the kadmin operation.

    The KDC truncates most client-originated strings prior to logging. One sort of string which is not truncated is a transited-realms string. A malicious KDC sharing a key with the target realm may issue tickets with specially-crafted transited-realms strings to exploit this vulnerability. There are other places where an authenticated user may cause the KDC to log a string which triggers the vulnerability.

Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6. Other server applications that call the krb5_klog_syslog()function provided with MIT krb5 may also be affected.

This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system.

Impact

A remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.

Solution

Apply Patch

    A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-002. MIT also states that this will be addressed in the upcoming krb5-1.6.1 release.

    Systems Affected (Learn More)

    VendorStatusDate NotifiedDate Updated
    Apple Computer, Inc.Affected04 Apr 200720 Apr 2007
    Debian GNU/LinuxAffected-04 Apr 2007
    Gentoo LinuxAffected21 Mar 200704 Apr 2007
    Mandriva, Inc.Affected04 Apr 200705 Apr 2007
    MIT Kerberos Development TeamAffected-03 Apr 2007
    Novell, Inc.Affected04 Apr 200705 Apr 2007
    Red Hat, Inc.Affected-02 Apr 2007
    rPathAffected-05 Apr 2007
    SUSE LinuxAffected04 Apr 200705 Apr 2007
    Trustix Secure LinuxAffected04 Apr 200706 Apr 2007
    UbuntuAffected21 Mar 200704 Apr 2007
    AttachmateWRQ, Inc.Not Affected21 Mar 200704 Apr 2007
    Cisco Systems, Inc.Not Affected-02 Apr 2007
    CyberSafe, Inc.Not Affected21 Mar 200704 Apr 2007
    Force10 Networks, Inc.Not Affected21 Mar 200704 Apr 2007
    If you are a vendor and your product is affected, let us know.View More »

    CVSS Metrics (Learn More)

    Group Score Vector
    Base N/A N/A
    Temporal N/A N/A
    Environmental N/A N/A

    References

    Credit

    This issue was reported in MIT krb5 Security Advisory MITKRB5-SA-2007-002. The MIT Kerberos Development Team credits iDefense Labs for reporting this issue.

    This document was written by Chris Taschner.

    Other Information

    • CVE IDs: CVE-2007-0957
    • Date Public: 03 Apr 2007
    • Date First Published: 03 Apr 2007
    • Date Last Updated: 30 May 2007
    • Severity Metric: 16.96
    • Document Revision: 55

    Feedback

    If you have feedback, comments, or additional information about this vulnerability, please send us email.