There is a buffer overflow in the kdc_reply_cipher() function of KTH Kerberos. This buffer overflow may be exploitable to allow an attacker to gain root privileges, and can be used to deny service.
The buffer overflow occurs in the parsing of an authentication reply in the kdc_reply_cipher() function of kdc_reply.c. The attacker may supply a packet length greater than the number of bytes actually sent, causing a memcpy() call to overwrite the stack with data from memory adjacent to the packet buffer. It is not clear whether the attacker controls the memory adjacent to this packet buffer, so it is not clear that the vulnerability is exploitable to gain privileges. The vulnerability could, however, be exploited to crash the client. To exploit this vulnerability, the attacker must trick the client into making a request to a malicious KDC. The attacker could accomplish this redirection by defining the krb4_proxy or KRBCONFDIR environment variables as described in VU#602625, or by manipulating DNS information.
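To make the missing check concrete, the following is an added example written for this note, not KTH Kerberos code: a reply parser that validates a peer-supplied length field against both the bytes actually received and the destination capacity before calling memcpy(). The packet layout (4-byte big-endian length followed by ciphertext), the constants and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not KTH Kerberos code. Hypothetical reply layout: a 4-byte
 * big-endian ciphertext length followed by the ciphertext itself. */
#define HDR_LEN 4
#define CIPHER_MAX 64 /* hypothetical fixed-size destination buffer */

enum reply_status {
    REPLY_OK = 0,
    REPLY_TRUNCATED_HEADER = -1, /* fewer than HDR_LEN bytes received */
    REPLY_LEN_EXCEEDS_RECV = -2, /* claimed length > bytes actually received */
    REPLY_LEN_EXCEEDS_CAP = -3   /* claimed length > destination capacity */
};

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* Copies the ciphertext into out only after validating the peer-supplied length
 * against BOTH the bytes actually received and the destination capacity. */
enum reply_status parse_kdc_reply(const unsigned char *pkt, size_t received,
                                  unsigned char *out, size_t out_cap,
                                  size_t *out_len) {
    if (received < HDR_LEN)
        return REPLY_TRUNCATED_HEADER;
    uint32_t claimed = read_be32(pkt);
    /* The check the advisory describes as missing: a length larger than what
     * arrived would make memcpy() read past the packet into adjacent memory. */
    if (claimed > received - HDR_LEN)
        return REPLY_LEN_EXCEEDS_RECV;
    if (claimed > out_cap)
        return REPLY_LEN_EXCEEDS_CAP;
    memcpy(out, pkt + HDR_LEN, claimed);
    *out_len = claimed;
    return REPLY_OK;
}
/* Builds a constructed packet whose header claims `claimed` bytes but carries
 * only `actual` payload bytes, then returns the parser's verdict on it. */
enum reply_status try_reply(uint32_t claimed, size_t actual) {
    unsigned char pkt[HDR_LEN + 128], out[CIPHER_MAX];
    size_t n = 0;
    if (actual > sizeof pkt - HDR_LEN)
        actual = sizeof pkt - HDR_LEN;
    pkt[0] = (unsigned char)(claimed >> 24); pkt[1] = (unsigned char)(claimed >> 16);
    pkt[2] = (unsigned char)(claimed >> 8);  pkt[3] = (unsigned char)claimed;
    memset(pkt + HDR_LEN, 0x41, actual); /* constructed filler payload */
    return parse_kdc_reply(pkt, HDR_LEN + actual, out, sizeof out, &n);
}
```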
An attacker can cause a service to crash if they can redirect authentication requests to a malicious KDC under their control. While it is not clear if this vulnerability is exploitable to gain privileges, an attacker may be able to execute arbitrary code on a client making an authentication request to the malicious server. Since the client typically executes as root, root privileges may be gained.
Apply a patch from your vendor.
Apple: Not Affected
Compaq Computer Corporation: Not Affected
Fujitsu: Not Affected
IBM: Not Affected
Microsoft: Not Affected
Data General: Unknown
Hewlett Packard: Unknown
KTH Kerberos: Unknown
Washington University: Unknown
Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.
This document was written by Cory F Cohen.
Date First Published: 2000-12-19
Date Last Updated: 2001-01-11 15:57 UTC