Software Engineering Institute

MIT Kerberos 5 contains several heap buffer overflow vulnerabilities in a library that translates Kerberos principal names to local UNIX account names. From MIT krb5 Security Advisory 2004-001:

krb5_aname_to_localname() translates a Kerberos principal name to a local account name, typically a UNIX username.  In the file src/lib/krb5/os/an_to_ln.c, the helper functions aname_replacer(), do_replacement(), and rule_an_to_ln() do not perform adequate checks of the lengths of strings which contain the name of the principal whose authorization is being checked.

In addition, the implementation of the explicit mapping functionality in krb5_aname_to_localname() consistently writes a zero byte at a location one byte past the end of a heap buffer when handling a principal name matching an explicit mapping.
Further technical details, including a patch against krb5-1.3.3, are available in MIT krb5 Security Advisory 2004-001.

Only kerberos enabled services that enable explicit or rules-based krb5_aname_to_localname() mapping are vulnerable. In the case of the explicit mapping vulnerability, the attacker would need to authenticate using a principal name that is present in the explicit mapping list. In the case of the rules-based mapping vulnerabilities, the attacker would need the ability to create specially crafted principal names in the local realm or in a realm accessible via cross-realm authentication.

An authenticated, remote attacker could execute arbitrary code on a system using krb5_aname_to_localname() mapping. The vulnerable library is loaded by services that use Kerberos authentication (e.g., telnetd, klogind), and in most cases these services run with root privileges.

Apply a patch or upgrade

Apply the patch referenced in MIT krb5 Security Advisory 2004-001 or upgrade to MIT krb5-1.3.4. Alternatively, apply the appropriate patch or upgrade as specified by your vendor.