search menu icon-carat-right cmu-wordmark

CERT Coordination Center

MIT Kerberos (krb5) ftpd and ksu do not properly validate seteuid() calls

Vulnerability Note VU#401660

Original Release Date: 2006-08-15 | Last Revised: 2006-08-16

Overview

Privilege escalation vulnerabilities in MIT krb5 ftpd and ksu may allow an authenticated attacker to execute arbitrary code.

Description

The MIT krb 5 ftpd and ksu programs contain multiple privilege escalation vulnerabilities.

These vulnerabilities are dependent on the host operating system's implementation of the seteuid() system call and result when seteuid() can fail due to resource exhaustion while changing to an unprivileged user ID. Some implementations of seteuid() do not expose the vulnerability.

From MIT krb5 Security Advisory 2006-001:

The following vulnerabilities may result from unchecked calls to seteuid(). These vulnerabilities are not yet known to exist on any operating system:

    • Unchecked calls to seteuid() in ftpd may allow a local privilege escalation leading to reading, writing, or creating files as root.
    • Unchecked calls to seteuid() in the ksu program may allow a local privilege escalation resulting in filling a file with null bytes as root and then deleting it (the "kdestroy" operation).

Impact

An authenticated attacker may be able to execute arbitrary code with root privileges.

Solution

UpgradeThe MIT Kerberos team has released an update to address these issues. See the Systems Affected section of this document for information about specific vendors. Users who compile Kerberos from the original source distribution should see MIT krb5 Security Advisory 2006-001 for more details.


Disable vulnerable programs

From MIT krb5 Security Advisory 2006-001: "Disable krshd and ftpd, and remove the setuid bit from the ksu binary and the v4rcp binary."

Vendor Information

401660
 
Affected   Unknown   Unaffected

Gentoo Linux

Notified:  July 28, 2006 Updated:  August 24, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See Gentoo Linux Security Advisory GLSA 200608-15 for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MIT Kerberos Development Team

Notified:  July 27, 2006 Updated:  August 08, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MIT krb5 Security Advisory 2006-001.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva, Inc.

Notified:  July 28, 2006 Updated:  August 24, 2006

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See Mandrivia advisory MDKSA-2006:139 for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer, Inc.

Notified:  July 28, 2006 Updated:  August 18, 2006

Status

  Not Vulnerable

Vendor Statement

Mac OS X and Mac OS X Server are not susceptible to the issues described in this vulnerability note.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

AttachmateWRQ, Inc.

Notified:  July 28, 2006 Updated:  August 23, 2006

Status

  Not Vulnerable

Vendor Statement

No versions of the Attachmate Reflection Kerberos Client are subject to these privilege escalation vulnerabilities. The Reflection Kerberos Client is not based on the MIT code base and runs only on Microsoft Windows operating systems.

For the latest Attachmate security update information, Attachmate recommends you regularly check the Security Updates and Reflection web page at: http://support.wrq.com/techdocs/1708.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation

Notified:  July 28, 2006 Updated:  August 08, 2006

Status

  Not Vulnerable

Vendor Statement

Kerberos is available for AIX via Network Authentication Service. Network Authentication Service is not affected by the issues mentioned in CERT Vulnerability Notes VU#580124 (CVE-2006-3083) and VU#401660 (CVE-2006-3084).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  July 28, 2006 Updated:  August 08, 2006

Status

  Not Vulnerable

Vendor Statement

Juniper Networks products are not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CyberSafe, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux

Notified:  July 28, 2006 Updated:  August 24, 2006

Status

  Unknown

Vendor Statement

See Debian Security Advisory DSA-1146-1 for more details.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation)

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Heimdal Kerberos Project

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

KTH Kerberos Team

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  July 28, 2006 Updated:  July 28, 2006

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 46 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to the MIT Kerberos Team for reporting this issue. The MIT Kerberos Team in turn thanks Michael Calmer and Marcus Meissner at SUSE and Shiva Persaud at IBM for providing information about AIX.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2006-3084
Severity Metric: 2.33
Date Public: 2006-07-26
Date First Published: 2006-08-15
Date Last Updated: 2006-08-16 13:36 UTC
Document Revision: 37

Sponsored by CISA.