
CERT Coordination Center


KTH Kerberos environment variables krb4proxy and KRBCONFDIR may be used insecurely

Vulnerability Note VU#602625

Original Release Date: 2000-12-19 | Last Revised: 2001-01-11

Overview

The environment variables krb4proxy and KRBCONFDIR may be respected by client programs such as login or su in such a way that local or remote intruders can cause the client program to accept authentication requests from a malicious KDC. The vulnerabilities may be exploited remotely by passing these environment variables through a telnet connection.

Description

KTH Kerberos includes support for two environment variables that may be abused by intruders to gain root privileges. These environment variables may be set in the shell by a local intruder before starting the Kerberos client authentication program in the case of krb4_proxy, or may be passed over the network by a remote intruder via a telnet connection. While the exploitation scenarios differ in some details, both rely on redirecting authentication requests to a malicious Kerberos Key Distribution Center (KDC). This malicious server may respond to requests by always approving the authentication, or by attempting to exploit the buffer overflow described in VU#759265. The malicious server may require access to a corresponding secret key on the client in order for the request to be properly accepted as originating from a legitimate KDC.

KRBCONFDIR environment variable

The first environment variable is KRBCONFDIR, which allows the intruder to cause the client program to use different Kerberos configuration data for authentication. The intruder is able to control which KDC is contacted and supply a new secret key in a malicious srvtab file. Because the intruder controls this new secret key, they can have the malicious server construct a properly formatted authentication response using the new secret that will pass the cryptographic checks for verifying the server's identity. The legitimate srvtab secret is not compromised, and the client program must be compiled with Kerberos support. The attacker must have write access to a filesystem mounted on the victim host in order to execute this attack. Local attackers may not exploit this vulnerability by setting the environment variable in their shell, because the programs attempt to detect their setuid status and ignore the KRBCONFDIR variable.

krb4_proxy environment variable

The other variable is krb4_proxy, which allows a client to specify a proxy server for Kerberos client authentication. The client application must be compiled with Kerberos support, and the client system must be configured to use Kerberos authentication. Because the client code is expecting an authentication response proxied from a legitimate server, the intruder must overcome the cryptographic checks for verifying the server's identity in some other way. Access to the legitimate srvtab or weak checking by the client code may allow this.

Depending on the configuration of a client side compilation directive called KLOGIN_PARANOID, the client code may or may not detect that the authentication response is not from a legitimate server. If the buffer overflow described in VU#759265 can be successfully exploited, the setting of this compilation directive does not matter. The attacker does not have to have write access to any local filesystems to exploit this vulnerability.

Impact

KRBCONFDIR environment variable

The KRBCONFDIR environment variable issue may be exploited by local or remote intruders to gain root privileges.

krb4_proxy environment variable

The krb4_proxy environment variable vulnerability may be exploited by local or remote intruders to gain root privileges depending on several other factors such as the KLOGIN_PARANOID compilation directive.

Solution

Apply a patch from your vendor.

Vendor Information


FreeBSD

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Vulnerable

Vendor Statement

FreeBSD includes the externally maintained KTH Kerberos software as an optional component of the FreeBSD base system. Therefore, systems which have installed the Kerberos 4 components are vulnerable to these problems as described in the CERT advisory. Patches have been committed to the FreeBSD source tree and an advisory will be released shortly detailing the precise impact on vulnerable FreeBSD systems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  December 11, 2000 Updated:  January 11, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

NetBSD has produced an advisory on this issue. It is available from:


They appear to be vulnerable to this issue.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Not Vulnerable

Vendor Statement

Apple has conducted an investigation and determined that Mac OS X Public Beta does not use KTH Kerberos version 4 and is not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Not Vulnerable

Vendor Statement

Not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  December 11, 2000 Updated:  January 11, 2001

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V operating system is not vulnerable to the bugs in VU#602625, VU#759265, and VU#426273, because UXP/V does not support Kerberos.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Not Vulnerable

Vendor Statement

Our AIX operating system does not include KTH Kerberos IV, so it is not vulnerable to the security exploits described here.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MIT Kerberos Development Team

Notified:  December 08, 2000 Updated:  January 11, 2001

Status

  Not Vulnerable

Vendor Statement

I do not believe it is a problem. The krb4 code within the MIT krb5 distributions does not contain any setuid application code that calls the krb4 library. Certainly our telnetd does not permit those variables to be set.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Not Vulnerable

Vendor Statement

Windows 2000 does not support Kerb IV. W2K does not provide a kerberized telnetd, nor a Krb4 proxy server - therefore we're not vulnerable to VU#602625.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Caldera

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

KTH Kerberos

Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RedHat

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  November 21, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Washington University

Notified:  December 11, 2000 Updated:  December 14, 2000

Status

  Unknown

Vendor Statement

WU-FTPD 2.6.1 supports Kerberos in one of two ways:

    • Via PAM: in which case we defer any statement of vulnerability to the PAM maintainers.
    • Via direct calls: in which case we are probably as vulnerable as any other service using Kerberos for user authentication.
For WU-FTPD systems using Kerberos, especially those which do not use shared libraries, I would recommend re-compiling (specifically, re-linking) the daemon to ensure an updated Kerberos runtime is used.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group         Score   Vector
Base          N/A     N/A
Temporal      N/A     N/A
Environmental N/A     N/A

References

Credit

Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.

This document was written by Cory F Cohen.

Other Information

CVE IDs: None
Severity Metric: 14.70
Date Public: 2000-12-09
Date First Published: 2000-12-19
Date Last Updated: 2001-01-11 15:58 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.