Software Engineering Institute

KTH Kerberos includes support for two environment variables that may be abused by intruders to gain root privileges. These environment variables may be set in the shell by a local intruder before starting the Kerberos client authentication program in the case of krb4_proxy, or may be passed over the network by a remote intruder via a telnet connection. While the exploitation scenarios differ in some details, both rely on redirecting authentication requests to a malicious Kerberos Key Distribution Center (KDC). This malicious server may respond to requests by always approving the authentication, or by attempting to exploit the buffer overflow described in VU#759265. The malicious server may require access to a corresponding secret key on the client in order for the request to be properly accepted as originating from a legitimate KDC.

KRBCONFDIR environment variable

The first environment variable is KRBCONFDIR, which allows the intruder to cause the client program to use different Kerberos configuration data for authentication. The intruder is able to control which KDC is contacted and supply a new secret key in a malicious srvtab file. Because the intruder controls this new secret key they can have the malicious server construct a properly formatted authentication response using the new secret that will pass the cryptographic checks for verifying the server's identity. The legitimate srvtab secret is not compromised, and the client program must be compiled with Kerberos support. The attacker must have write access to a filesystem mounted on the victim host in order to execute this attack. Local attackers may not exploit this vulnerability by setting the environment variable in their shell because the programs attempt to detect the setuid status and ignore the KRBDCONFDIR variable.

krb4_proxy environment variable

The other variable is krb4_proxy, which allows a client to specify a proxy server for Kerberos client authentication. The client application must be compiled with Kerberos support, and the client system must be configured to use Kerberos authentication. Because the client code is expecting an authentication response proxied form a legitimate server, the intruder must overcome the cryptographic checks for verifying the server's identity in some other way. Access to the legitimate srvtab or weak checking by the client code may allow this.

Depending on the configuration of a client side compilation directive called KLOGIN_PARANOID, the client code may or may not detect that the authentication response is not from a legitimate server. If the buffer overflow described in VU#759265 can be successfully exploited, the setting of this compilation directive does not matter. The attacker does not have to have write access to any local filesystems to exploit this vulnerability.

KRBCONFDIR environment variable

The KRBCONFDIR environment variable issue may be exploited by local or remote intruders to gain root privileges.

krb4_proxy environment variable

The krb4_proxy environment variable vulnerability may be exploited by local or remote intruders to gain root privileges depending on several other factors such as the KLOGIN_PARANOID compilation directive.

Apply a patch from your vendor.