MIT Kerberos Development Team Information for VU#192995

Integer overflow in xdr_array() function when deserializing the XDR stream

Status

Affected

Vendor Statement

Please see http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt

The patch is available directly:

http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt

The following detached PGP signature should be used to verify the authenticity and integrity of the patch:

http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

MIT krb5 Security Advisory 2002-001

2002-08-02

Topic: Remote root vulnerability in MIT krb5 admin system

Severity: Remote user may be able to gain root access to a KDC host.

SUMMARY
=======

There is an integer overflow bug in the SUNRPC-derived RPC library
used by the Kerberos 5 administration system that could be exploited
to gain unauthorized root access to a KDC host. It is believed that
the attacker needs to be able to authenticate to the kadmin daemon for
this attack to be successful. No exploits are known to exist yet.

IMPACT
======

A remote attacker can potentially execute arbitrary code on the KDC
with the privileges of the user running the kadmin daemon (usually
root). This can lead to compromise of the Kerberos database.

AFFECTED SOFTWARE
=================

All releases of MIT Kerberos 5, up to and including krb5-1.2.5.

FIXES
=====

Apply the following patch to src/lib/rpc/xdr_array.c:

Index: xdr_array.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/rpc/xdr_array.c,v
retrieving revision 1.5
diff -c -r1.5 xdr_array.c
*** xdr_array.c 1998/02/14 02:27:23 1.5
- --- xdr_array.c 2002/08/02 17:25:05
***************
*** 75,81 ****
return (FALSE);
}
c = *sizep;
! if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
return (FALSE);
}
nodesize = c * elsize;
- --- 75,82 ----
return (FALSE);
}
c = *sizep;
! if ((c > maxsize || c > LASTUNSIGNED / elsize)
! && (xdrs->x_op != XDR_FREE)) {
return (FALSE);
}
nodesize = c * elsize;
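Review bot: the new guard `c > LASTUNSIGNED / elsize` bounds the product so that `nodesize = c * elsize` can no longer wrap, but it divides by `elsize` with nothing in this hunk establishing that `elsize` is non-zero; every caller passes a `sizeof`, so this is safe in practice, yet an explicit `elsize == 0` rejection or a comment stating the invariant would make that clear to the next reader. Note also that the whole condition is still skipped when `xdrs->x_op == XDR_FREE`, so on that path `nodesize` may wrap exactly as before; a one-line comment saying why that is acceptable (the count is not read from the stream when freeing) belongs next to the `XDR_FREE` test.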

and rebuild your tree. The patch was generated against krb5-1.2.5;
patches to other releases may apply with some offset.

This patch may also be found at:

http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc

This announcement and code patches related to it may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/www/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/www/index.html

ACKNOWLEDGMENTS
===============

Thanks to ISS for discovery of the vulnerability.

Thanks to Jeffrey Hutzelman for assistance in discovering the
particulars of this bug.

DETAILS
=======

The xdr_array() decoder computes the value of the NODESIZE variable in
a way that can lead to integer overflow. An attacker can construct an
XDR encoding that will take advantage of this integer overflow in
order to overflow the allocated heap buffer, depending on the
specifics of the caller of the xdr_array() function.

The uses of xdr_array() in the kadm5 library, which implements the
Kerberos 5 administration protocol, are unsafe in an environment where
this bug exists. A remote user may be able to use the buffer overflow
to execute arbitrary code on the KDC host, possibly leading to
unauthorized root access. It is believed that the remote user must
first successfully authenticate to the kadmin daemon in order to
exercise this vulnerability, though the user may not need to possess
any special privileges.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBPUrNEqbDgE/zdoE9AQHSPgQAlGS7HO8TZ1BHwek+niF5hA7exEt9Z8IA
fvxGpqirHciJQTfmBUiJhXhCTqosFgftQzt9KyvXmfMS3InZxAEmB7ahkevuBYkO
FvfWyA3Ew8J3bGhBJis1xTMFebb1N0crDH3rRjUGZApQ7uJNZ+9nQo41+P0+z3uD
yqpAbP9HTnw=
=MqNV
-----END PGP SIGNATURE-----
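The integer overflow the DETAILS section describes, as an added example that is not MIT krb5 code and not part of the advisory: it models the size arithmetic of xdr_array() with 32-bit unsigned integers (the width of SunRPC's u_int, assumed here) and places the pre-patch check beside the patched one. The element count is parsed from a constructed 4-byte XDR stream, and the function names (`xdr_read_count`, `vuln_size_check`, `fixed_size_check`, `heap_overrun_bytes`), the `xdr_op` enum and the sample counts are constructed for illustration; `LASTUNSIGNED` is defined as all bits set, which is the convention of the RPC headers but is an assumption here.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not MIT krb5 code): models the size arithmetic in
 * xdr_array() with 32-bit unsigned integers, the width of SunRPC's u_int.
 * LASTUNSIGNED is assumed to be all bits set, as in the RPC headers.
 */
#define LASTUNSIGNED ((uint32_t)0 - 1)

enum xdr_op { XDR_ENCODE, XDR_DECODE, XDR_FREE };

/* The element count is the first item of an XDR array: a 4-byte big-endian
 * unsigned integer taken straight from the (attacker-controlled) stream. */
static uint32_t xdr_read_count(const uint8_t stream[4])
{
    return ((uint32_t)stream[0] << 24) | ((uint32_t)stream[1] << 16) |
           ((uint32_t)stream[2] << 8)  |  (uint32_t)stream[3];
}

/* Pre-patch logic: only the caller's maxsize bounds c, so c * elsize wraps
 * modulo 2^32 and a tiny buffer is allocated for a huge element count.
 * Returns true when the decoder would proceed to allocate and fill. */
static bool vuln_size_check(enum xdr_op op, uint32_t c, uint32_t maxsize,
                            uint32_t elsize, uint32_t *nodesize)
{
    if ((c > maxsize) && (op != XDR_FREE))
        return false;
    *nodesize = c * elsize;   /* 32-bit wraparound happens here */
    return true;
}

/* Patched logic: additionally reject c when c * elsize would exceed
 * LASTUNSIGNED. Real callers pass a sizeof() for elsize, so the division
 * is never by zero. */
static bool fixed_size_check(enum xdr_op op, uint32_t c, uint32_t maxsize,
                             uint32_t elsize, uint32_t *nodesize)
{
    if ((c > maxsize || c > LASTUNSIGNED / elsize) && (op != XDR_FREE))
        return false;
    *nodesize = c * elsize;   /* cannot wrap: c * elsize <= LASTUNSIGNED */
    return true;
}

/* Bytes the per-element decode loop would write past a buffer of nodesize
 * bytes when it runs c iterations of elsize bytes each (64-bit arithmetic
 * so the true product is visible). */
static uint64_t heap_overrun_bytes(uint32_t c, uint32_t elsize, uint32_t nodesize)
{
    uint64_t needed = (uint64_t)c * elsize;
    return needed > nodesize ? needed - nodesize : 0;
}

int main(void)
{
    /* Constructed hostile XDR count: 0x20000001 elements of an 8-byte type.
     * 0x20000001 * 8 = 0x100000008, which truncates to 8 in 32 bits. */
    const uint8_t hostile[4] = { 0x20, 0x00, 0x00, 0x01 };
    const uint32_t elsize = 8;
    uint32_t c = xdr_read_count(hostile), nodesize = 0;

    /* Many callers pass maxsize = ~0, so the old check alone never fires. */
    if (vuln_size_check(XDR_DECODE, c, LASTUNSIGNED, elsize, &nodesize))
        printf("pre-patch : accepts c=0x%" PRIx32 ", allocates %" PRIu32
               " bytes, loop then overruns by %" PRIu64 " bytes\n",
               c, nodesize, heap_overrun_bytes(c, elsize, nodesize));

    if (!fixed_size_check(XDR_DECODE, c, LASTUNSIGNED, elsize, &nodesize))
        printf("post-patch: rejects c=0x%" PRIx32 " (limit 0x%" PRIx32 ")\n",
               c, LASTUNSIGNED / elsize);

    /* A benign count decodes identically under both versions. */
    const uint8_t benign[4] = { 0x00, 0x00, 0x00, 0x64 };   /* 100 elements */
    c = xdr_read_count(benign);
    if (fixed_size_check(XDR_DECODE, c, LASTUNSIGNED, elsize, &nodesize))
        printf("post-patch: accepts c=%" PRIu32 ", allocates %" PRIu32 " bytes\n",
               c, nodesize);
    return 0;
}
```

The interesting value is the one the pre-patch check lets through: a count of 0x20000001 with 8-byte elements yields an 8-byte heap allocation, after which the decoder loop would try to write 4 GiB past it. The patched condition rejects any count above LASTUNSIGNED / elsize (0x1FFFFFFF for 8-byte elements) before the allocation, which is exactly the invariant the multiplication needs.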

If you have feedback, comments, or additional information about this vulnerability, please send us email.