Vulnerability Note VU#759265

Kerberos client code buffer overflow in kdc_reply_cipher()

Original Release date: 19 Dec 2000 | Last revised: 11 Jan 2001

Overview

There is a buffer overflow is the kdc_reply_cipher() function of KTH Kerberos. This buffer overflow may be exploitable to allow an attacker to gain root privileges, and can be used to deny service.

Description

The buffer overflow occurs in the parsing of an authentication reply in the kdc_reply_cipher() function of kdc_reply.c. The attacker may supply a packet length greater than that which was actually sent, causing a memcpy() call to overwrite the stack with data in memory adjacent to the packet buffer. It is not clear if the attacker has control of the memory adjacent to this packet buffer, so it is not clear that the vulnerability is exploitable to gain privileges. The vulnerability could however be exploited causing the server to crash. To exploit this vulnerability, the attacker must trick the client into making a request to a malicious KDC. The attacker could accomplish this redirection by defining the krb4_proxy or KRBCONFDIR environment variables as described in VU#602625, or by manipulating DNS information.

Impact

An attacker can cause a service to crash if they can redirect authentication requests to a malicious KDC under their control. While it is not clear if this vulnerability is exploitable to gain privileges, an attacker may be able to execute arbitrary code on a client making an authentication request to the malicious server. Since the client typically executes as root, root privileges may be gained.

Solution

Apply a patch from your vendor.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
FreeBSDAffected11 Dec 200014 Dec 2000
AppleNot Affected11 Dec 200014 Dec 2000
Compaq Computer CorporationNot Affected11 Dec 200014 Dec 2000
FujitsuNot Affected11 Dec 200011 Jan 2001
IBMNot Affected11 Dec 200014 Dec 2000
MicrosoftNot Affected11 Dec 200014 Dec 2000
BSDIUnknown11 Dec 200014 Dec 2000
CalderaUnknown11 Dec 200014 Dec 2000
Data GeneralUnknown11 Dec 200014 Dec 2000
DebianUnknown11 Dec 200014 Dec 2000
Hewlett PackardUnknown11 Dec 200014 Dec 2000
KTH KerberosUnknown-14 Dec 2000
NetBSDUnknown11 Dec 200011 Jan 2001
OpenBSDUnknown11 Dec 200014 Dec 2000
RedHatUnknown11 Dec 200014 Dec 2000
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.

This document was written by Cory F Cohen.

Other Information

  • CVE IDs: Unknown
  • Date Public: 09 Dec 2000
  • Date First Published: 19 Dec 2000
  • Date Last Updated: 11 Jan 2001
  • Severity Metric: 3.49
  • Document Revision: 8

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.