Vulnerability Note VU#759265
Kerberos client code buffer overflow in kdc_reply_cipher()
Overview
There is a buffer overflow is the kdc_reply_cipher() function of KTH Kerberos. This buffer overflow may be exploitable to allow an attacker to gain root privileges, and can be used to deny service.
Description
The buffer overflow occurs in the parsing of an authentication reply in the kdc_reply_cipher() function of kdc_reply.c. The attacker may supply a packet length greater than that which was actually sent, causing a memcpy() call to overwrite the stack with data in memory adjacent to the packet buffer. It is not clear if the attacker has control of the memory adjacent to this packet buffer, so it is not clear that the vulnerability is exploitable to gain privileges. The vulnerability could however be exploited causing the server to crash. To exploit this vulnerability, the attacker must trick the client into making a request to a malicious KDC. The attacker could accomplish this redirection by defining the krb4_proxy or KRBCONFDIR environment variables as described in VU#602625, or by manipulating DNS information. |
Impact
An attacker can cause a service to crash if they can redirect authentication requests to a malicious KDC under their control. While it is not clear if this vulnerability is exploitable to gain privileges, an attacker may be able to execute arbitrary code on a client making an authentication request to the malicious server. Since the client typically executes as root, root privileges may be gained. |
Solution
Apply a patch from your vendor. |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| FreeBSD | Affected | 11 Dec 2000 | 14 Dec 2000 |
| Apple | Not Affected | 11 Dec 2000 | 14 Dec 2000 |
| Compaq Computer Corporation | Not Affected | 11 Dec 2000 | 14 Dec 2000 |
| Fujitsu | Not Affected | 11 Dec 2000 | 11 Jan 2001 |
| IBM | Not Affected | 11 Dec 2000 | 14 Dec 2000 |
| Microsoft | Not Affected | 11 Dec 2000 | 14 Dec 2000 |
| BSDI | Unknown | 11 Dec 2000 | 14 Dec 2000 |
| Caldera | Unknown | 11 Dec 2000 | 14 Dec 2000 |
| Data General | Unknown | 11 Dec 2000 | 14 Dec 2000 |
| Debian | Unknown | 11 Dec 2000 | 14 Dec 2000 |
| Hewlett Packard | Unknown | 11 Dec 2000 | 14 Dec 2000 |
| KTH Kerberos | Unknown | - | 14 Dec 2000 |
| NetBSD | Unknown | 11 Dec 2000 | 11 Jan 2001 |
| OpenBSD | Unknown | 11 Dec 2000 | 14 Dec 2000 |
| RedHat | Unknown | 11 Dec 2000 | 14 Dec 2000 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
Credit
Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.
This document was written by Cory F Cohen.
Other Information
- CVE IDs: Unknown
- Date Public: 09 Dec 2000
- Date First Published: 19 Dec 2000
- Date Last Updated: 11 Jan 2001
- Severity Metric: 3.49
- Document Revision: 8
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.