MiT Kerberos Development Team Information for VU#623332

MIT Kerberos 5 contains double free vulnerability in "krb5_recvauth()" function

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

                MIT krb5 Security Advisory 2005-003

Original release: 2005-07-12

Topic: double-free in krb5_recvauth

Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689, VU#623332]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
 krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
 krb5, up to and including krb5-1.4.1, is vulnerable.

* Third-party application programs which call krb5-recvauth() are also
 vulnerable.

FIXES
=====

* The upcoming krb5-1.4.2 release will have a fix for this
 vulnerability.

* Apply the following patch.  This patch was generated against the
 krb5-1.4.1 release.  It may apply, with some offset, to earlier
 releases.

 The patch may also be found at:

 http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt

 The associated detached PGP signature is at:

 http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c 3 Sep 2002 01:13:47 -0000 5.38
- --- lib/krb5/krb/recvauth.c 23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
      if ((retval = krb5_read_message(context, fd, &inbuf)))
  return(retval);
      if (strcmp(inbuf.data, sendauth_version)) {
- - krb5_xfree(inbuf.data);
  problem = KRB5_SENDAUTH_BADAUTHVERS;
      }
      krb5_xfree(inbuf.data);
- --- 76,81 ----
***************
*** 90,96 ****
  if ((retval = krb5_read_message(context, fd, &inbuf)))
  return(retval);
  if (appl_version && strcmp(inbuf.data, appl_version)) {
- - krb5_xfree(inbuf.data);
  if (!problem)
  problem = KRB5_SENDAUTH_BADAPPLVERS;
  }
- --- 89,94 ----

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

       http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

       http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689

CERT: VU#623332
http://www.kb.cert.org/vuls/id/623332

ACKNOWLEDGMENTS
===============

Thanks to Magnus Hagander for reporting this vulnerability.

DETAILS
=======

The helper function revcauth_common() in lib/krb5/krb/recvauth.c has
two locations which call krb5_read_message(), followed by an
unconditional krb5_xfree() of the buffer allocated by
krb5_read_message().  In the cases where the sendauth version string
or the application version string do not match the expected value,
recvauth_common() performs a krb5_xfree() on the buffer allocated by
krb5_read_message() preceding the subsequent unconditional call to
krb5_xfree() on the same buffer.

Since the code paths which call krb5_xfree() twice do so with almost
no intervening code, exploitation of this vulnerability may be more
difficult than exploitation of other double-free vulnerabilities.  No
detailed analysis has been performed on the ease of exploitation.

REVISION HISTORY
================

2005-05-12      original release

Copyright (C) 2005 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQtMbD6bDgE/zdoE9AQGmhQP+MYnmuw4+J3yIcQbS3chjZXVLHebTJJtN
jM5+cMBDQfYdpuoQER1Bbaf+7Ky1BoyX2zHfANzdDAiSFRykbFqEqgvdw9jqEFmx
ela1UtOhV5H80BZAzmGV+dVIqGPpWH0f4ArRe18Pbz2wZE0Vadq9VkBTJwHI23En
K3a9oiHA/XM=
=ZS63
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

We have no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.