The MIT Kerberos administration daemon (kadmind) can free an uninitialized pointer, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.
The gssrpc__svcauth_gssapi() function used by the Kerberos administration daemon can free an uninitialized pointer when receiving a specially crafted RPC request. This vulnerability may cause memory corruption that could allow a remote, unauthenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-004:
The function gssrpc__svcauth_gssapi() in src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds" of type auth_gssapi_creds. This type includes a gss_buffer_desc (which includes a pointer to void used as a pointer to a buffer of bytes). If gssrpc__svcauth_gssapi() receives an RPC credential with a length of zero, it jumps to the label "error", which executes some cleanup code. At this point, the gss_buffer_desc in "creds" is not yet initialized, and the cleanup code calls xdr_free() on "creds", which then attempts to free the memory pointed to by the uninitialized "value" member of the gss_buffer_desc.
A remote, unauthenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
Apply a patch
Thanks to MIT for reporting this vulnerability, who in turn credit Wei Wang of McAfee Avert Labs.
|Date First Published:||2007-06-26|
|Date Last Updated:||2007-08-08 16:47 UTC|