Overview
There is a buffer overflow is the kdc_reply_cipher() function of KTH Kerberos. This buffer overflow may be exploitable to allow an attacker to gain root privileges, and can be used to deny service.
Description
The buffer overflow occurs in the parsing of an authentication reply in the kdc_reply_cipher() function of kdc_reply.c. The attacker may supply a packet length greater than that which was actually sent, causing a memcpy() call to overwrite the stack with data in memory adjacent to the packet buffer. It is not clear if the attacker has control of the memory adjacent to this packet buffer, so it is not clear that the vulnerability is exploitable to gain privileges. The vulnerability could however be exploited causing the server to crash. To exploit this vulnerability, the attacker must trick the client into making a request to a malicious KDC. The attacker could accomplish this redirection by defining the krb4_proxy or KRBCONFDIR environment variables as described in VU#602625, or by manipulating DNS information. |
Impact
An attacker can cause a service to crash if they can redirect authentication requests to a malicious KDC under their control. While it is not clear if this vulnerability is exploitable to gain privileges, an attacker may be able to execute arbitrary code on a client making an authentication request to the malicious server. Since the client typically executes as root, root privileges may be gained. |
Solution
Apply a patch from your vendor. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.
This document was written by Cory F Cohen.
Other Information
| CVE IDs: | CVE-2001-0094 |
| Severity Metric: | 3.49 |
| Date Public: | 2000-12-09 |
| Date First Published: | 2000-12-19 |
| Date Last Updated: | 2001-01-11 15:57 UTC |
| Document Revision: | 9 |