MIT Kerberos Development Team Information for VU#192995

Integer overflow in xdr_array() function when deserializing the XDR stream



Vendor Statement

Please see

The patch is available directly:

The following detached PGP signature should be used to verify the authenticity and integrity of the patch:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References




MIT krb5 Security Advisory 2002-001


Topic: Remote root vulnerability in MIT krb5 admin system

Severity: Remote user may be able to gain root access to a KDC host.

SUMMARY

There is an integer overflow bug in the SUNRPC-derived RPC library
used by the Kerberos 5 administration system that could be exploited
to gain unauthorized root access to a KDC host. It is believed that
the attacker needs to be able to authenticate to the kadmin daemon for
this attack to be successful. No exploits are known to exist yet.

IMPACT

A remote attacker can potentially execute arbitrary code on the KDC
with the privileges of the user running the kadmin daemon (usually
root). This can lead to compromise of the Kerberos database.

AFFECTED SOFTWARE

All releases of MIT Kerberos 5, up to and including krb5-1.2.5.

FIXES

Apply the following patch to src/lib/rpc/xdr_array.c:

Index: xdr_array.c
RCS file: /cvs/krbdev/krb5/src/lib/rpc/xdr_array.c,v
retrieving revision 1.5
diff -c -r1.5 xdr_array.c
*** xdr_array.c 1998/02/14 02:27:23 1.5
- --- xdr_array.c 2002/08/02 17:25:05
*** 75,81 ****
return (FALSE);
c = *sizep;
! if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
return (FALSE);
nodesize = c * elsize;
- --- 75,82 ----
return (FALSE);
c = *sizep;
! if ((c > maxsize || c > LASTUNSIGNED / elsize)
! && (xdrs->x_op != XDR_FREE)) {
return (FALSE);
nodesize = c * elsize;
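Review bot: The new guard `c > LASTUNSIGNED / elsize` divides by the caller-supplied `elsize`, so the hunk relies on `elsize` never being zero; unless every call site guarantees that, an `elsize == 0` rejection belongs ahead of the division, otherwise the fix trades a wrapped `nodesize = c * elsize` for a divide-by-zero trap. A one-line comment that the division is the unsigned overflow test for the multiplication on the following line would also help, since that is exactly what makes `nodesize` trustworthy from here on. Skipping the test for `XDR_FREE` is fine, because on that path `c = *sizep` describes an array already in memory rather than a count read from the stream.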

and rebuild your tree. The patch was generated against krb5-1.2.5;
patches to other releases may apply with some offset.

This patch may also be found at:

The associated detached PGP signature is at:

This announcement and code patches related to it may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:


ACKNOWLEDGMENTS

Thanks to ISS for discovery of the vulnerability.

Thanks to Jeffrey Hutzelman for assistance in discovering the
particulars of this bug.

DETAILS

The xdr_array() decoder computes the value of the NODESIZE variable in
a way that can lead to integer overflow. An attacker can construct an
XDR encoding that will take advantage of this integer overflow in
order to overflow the allocated heap buffer, depending on the
specifics of the caller of the xdr_array() function.
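As an added illustration that is not part of the advisory or of MIT's code, the following C model contrasts the size computation described above with the patched condition: `u_int` and `LASTUNSIGNED` mirror the SunRPC definitions, the function names are hypothetical, and the count, element size and maxsize values are constructed.

```c
/* Added example, not MIT's code: a model of the size computation in
 * xdr_array() before and after the 2002-001 patch.  u_int and LASTUNSIGNED
 * mirror the SunRPC definitions; the counts and sizes used are constructed. */
#include <stdio.h>
#include <stdbool.h>
#include <limits.h>

typedef unsigned int u_int;
#define LASTUNSIGNED ((u_int)0 - 1)   /* UINT_MAX, as SunRPC defines it */

/* Unpatched logic: only the element count is bounded by maxsize, so the
 * byte count nodesize = c * elsize can wrap modulo 2^32 and come out tiny
 * while the decoder still expects to fill in c elements. */
bool size_ok_unpatched(u_int c, u_int maxsize, u_int elsize, u_int *nodesize)
{
    if (c > maxsize)
        return false;
    *nodesize = c * elsize;          /* may silently wrap */
    return true;
}

/* Patched logic: also reject any count whose product with elsize does not
 * fit in a u_int.  The division assumes elsize > 0, so that is checked too. */
bool size_ok_patched(u_int c, u_int maxsize, u_int elsize, u_int *nodesize)
{
    if (elsize == 0 || c > maxsize || c > LASTUNSIGNED / elsize)
        return false;
    *nodesize = c * elsize;          /* cannot wrap once the test passes */
    return true;
}

/* Exact check, computed in 64 bits: would c * elsize exceed UINT_MAX? */
bool product_wraps(u_int c, u_int elsize)
{
    return (unsigned long long)c * elsize > UINT_MAX;
}

int main(void)
{
    /* Constructed input: the count passes a maxsize that bounds only the
     * element count, yet its 32-bit product with elsize wraps to 4 bytes. */
    u_int c = 0x40000001u, elsize = 4, maxsize = 0x7fffffffu, n = 0;
    bool old_ok = size_ok_unpatched(c, maxsize, elsize, &n);
    printf("unpatched: accepted=%d nodesize=%u wraps=%d\n",
           old_ok, n, product_wraps(c, elsize));
    printf("patched:   accepted=%d\n", size_ok_patched(c, maxsize, elsize, &n));
    return 0;
}
```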

The uses of xdr_array() in the kadm5 library, which implements the
Kerberos 5 administration protocol, are unsafe in an environment where
this bug exists. A remote user may be able to use the buffer overflow
to execute arbitrary code on the KDC host, possibly leading to
unauthorized root access. It is believed that the remote user must
first successfully authenticate to the kadmin daemon in order to
exercise this vulnerability, though the user may not need to possess
any special privileges.