Vulnerability Note VU#759265
Kerberos client code buffer overflow in kdc_reply_cipher()
There is a buffer overflow is the kdc_reply_cipher() function of KTH Kerberos. This buffer overflow may be exploitable to allow an attacker to gain root privileges, and can be used to deny service.
The buffer overflow occurs in the parsing of an authentication reply in the kdc_reply_cipher() function of kdc_reply.c. The attacker may supply a packet length greater than that which was actually sent, causing a memcpy() call to overwrite the stack with data in memory adjacent to the packet buffer. It is not clear if the attacker has control of the memory adjacent to this packet buffer, so it is not clear that the vulnerability is exploitable to gain privileges. The vulnerability could however be exploited causing the server to crash. To exploit this vulnerability, the attacker must trick the client into making a request to a malicious KDC. The attacker could accomplish this redirection by defining the krb4_proxy or KRBCONFDIR environment variables as described in VU#602625, or by manipulating DNS information.
An attacker can cause a service to crash if they can redirect authentication requests to a malicious KDC under their control. While it is not clear if this vulnerability is exploitable to gain privileges, an attacker may be able to execute arbitrary code on a client making an authentication request to the malicious server. Since the client typically executes as root, root privileges may be gained.
Apply a patch from your vendor.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|FreeBSD||Affected||11 Dec 2000||14 Dec 2000|
|Apple||Not Affected||11 Dec 2000||14 Dec 2000|
|Compaq Computer Corporation||Not Affected||11 Dec 2000||14 Dec 2000|
|Fujitsu||Not Affected||11 Dec 2000||11 Jan 2001|
|IBM||Not Affected||11 Dec 2000||14 Dec 2000|
|Microsoft||Not Affected||11 Dec 2000||14 Dec 2000|
|BSDI||Unknown||11 Dec 2000||14 Dec 2000|
|Caldera||Unknown||11 Dec 2000||14 Dec 2000|
|Data General||Unknown||11 Dec 2000||14 Dec 2000|
|Debian||Unknown||11 Dec 2000||14 Dec 2000|
|Hewlett Packard||Unknown||11 Dec 2000||14 Dec 2000|
|KTH Kerberos||Unknown||-||14 Dec 2000|
|NetBSD||Unknown||11 Dec 2000||11 Jan 2001|
|OpenBSD||Unknown||11 Dec 2000||14 Dec 2000|
|RedHat||Unknown||11 Dec 2000||14 Dec 2000|
CVSS Metrics (Learn More)
Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.
This document was written by Cory F Cohen.
- CVE IDs: Unknown
- Date Public: 09 Dec 2000
- Date First Published: 19 Dec 2000
- Date Last Updated: 11 Jan 2001
- Severity Metric: 3.49
- Document Revision: 8
If you have feedback, comments, or additional information about this vulnerability, please send us email.