Vulnerability Note VU#38336

MIT Kerberos 5 ksu may allow either the '-r' or '-l' time-interval parameter to overflow the stack with the characters ''d', 'h', 'm', or 's'

Original Release date: 19 Oct 2000 | Last revised: 11 Apr 2003



From the reporter:

Time-interval parsing for the "-r" and "-l" command-line options calls a library routine which uses sscanf("%d%[d]") and passes the address of an automatic int variable to correspond to the second %-sequence. But the %[ sequence needs an arbitrarily large string buffer. So it's possible to get an arbitrary-length string consisting entirely of the letter 'd' written to the stack. Other sscanf formats it tries to use will also allow a string of 'h', 'm', or 's' characters to be written, with all characters the same in any string.


Local user may be able to crash the machine by overwriting the stack with the characters 'd', 'h', 'm', or 's'


Systems Affected (Learn More)

No information available. If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A


  • None


This document was written by Jeff S Havrilla.

Other Information

  • CVE IDs: CVE-2000-0392
  • CERT Advisory: CA-2000-06
  • Date Public: 16 May 2000
  • Date First Published: 19 Oct 2000
  • Date Last Updated: 11 Apr 2003
  • Document Revision: 7


If you have feedback, comments, or additional information about this vulnerability, please send us email.