=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2007/VULN005
_____________________________________________________________________

DATE                      : 12/01/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running krb5.

======================================================================
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-002-rpc.txt

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-003-mechglue.txt

______________________________________________________________________

                 MIT krb5 Security Advisory 2006-002

Original release: 2007-01-09
Last update: 2007-01-09

Topic: kadmind (via RPC library) calls uninitialized function pointer

Severity: CRITICAL

CVE: CVE-2006-6143
CERT: VU#481564

SUMMARY
=======

The Kerberos administration daemon, "kadmind", can execute arbitrary
code by calling through a function pointer located in freed memory.
This vulnerability results from bugs in the server-side portion of the
RPC library.  Third-party server applications written using the RPC
library provided with MIT krb5 may also be vulnerable.

No exploit code is known to exist at this time.

IMPACT
======

An unauthenticated user may cause execution of arbitrary code in
kadmind, which can compromise the Kerberos key database and host
security.  (kadmind usually runs as root.)  Unsuccessful exploitation,
or even accidental replication of the required conditions by
non-malicious users, can result in kadmind crashing.

An unauthenticated user may cause execution of arbitrary code in
third-party server applications which use the RPC library.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases krb5-1.4 through krb5-1.4.4

* kadmind from MIT releases krb5-1.5 through krb5-1.5.1

* third-party applications calling the RPC library included in MIT
  releases krb5-1.4 through krb5-1.4.4

* third-party applications calling the RPC library included in MIT
  releases krb5-1.5 through krb5-1.5.1

* Earlier releases may not be affected because the changes causing
  this vulnerability were introduced in krb5-1.4.

FIXES
=====

* The upcoming krb5-1.6 release will contain a fix for this problem.
  Additionally, the upcoming krb5-1.5.2 patch release will contain
  this fix.

* Apply the following patch:

Index: src/lib/rpc/svc.c
===================================================================
*** src/lib/rpc/svc.c	(revision 18864)
- --- src/lib/rpc/svc.c	(working copy)
***************
*** 437,442 ****
- --- 437,444 ----
  #endif
  }

+ extern struct svc_auth_ops svc_auth_gss_ops;
+
  static void
  svc_do_xprt(SVCXPRT *xprt)
  {
***************
*** 518,523 ****
- --- 520,528 ----
  		if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
  			SVC_DESTROY(xprt);
  			break;
+ 		} else if ((xprt->xp_auth != NULL) &&
+ 			   (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) {
+ 			xprt->xp_auth = NULL;
  		}
  	} while (stat == XPRT_MOREREQS);


  This patch is also available at:

  http://web.mit.edu/kerberos/advisories/2006-002-patch.txt

  A PGP-signed version of the patch is at:

  http://web.mit.edu/kerberos/advisories/2006-002-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-002-rpc.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2006-6143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6143

CERT: VU#481564
http://www.kb.cert.org/vuls/id/481564

ACKNOWLEDGMENTS
===============

Thanks to Andrew Korty from Indiana University for reporting this
problem and for assisting with debugging.

DETAILS
=======

Error handling in svc_do_xprt() calls SVC_DESTROY(), which calls
SVCAUTH_DESTROY(), which calls through a function pointer in a SVCAUTH
structure.  The SVCAUTH structure may reside in uninitialized or freed
memory, so the function pointer may point to malicious or invalid
code, resulting in application crashes or execution of arbitrary
malicious code.

On the server side of the RPC library, each RPC transport socket has a
corresponding SVCXPRT structure.  Every UDP listener has one SVCXPRT,
as does every TCP listener.  UDP listeners do not create a new SVCXPRT
structure for each client; TCP listeners do create a new SVCXPRT
structure for each client.  Each SVCXPRT structure contains a SVCAUTH
pointer named "xp_auth".  The RPC call authentication functions set
this SVCAUTH pointer, and SVCAUTH_WRAP() and SVCAUTH_UNWRAP()
subsequently use this SVCAUTH pointer to perform encryption and
decryption of RPC arguments and replies.

During a call, svc_do_xprt() uses the SVCAUTH pointer variable "xprt",
previously set by looking up the transport's socket file descriptor,
to call various functions to perform actual processing of the call.
The AUTH_GSSAPI authentication flavor authentication function,
gssrpc__svcauth_gssapi(), sets xprt->xp_auth to point into an
allocated internal client state structure.  This occurs prior to
authentication actually succeeding; an attacker may not need to
successfully authenticate to exploit this vulnerability.

AUTH_GSSAPI periodically scans all its client state structures for
expired GSS-API contexts, and destroys them.  The client state
structures do not record which xprt->xp_auth points into them; as a
result, the destruction of client state structures can result in some
xprt->xp_auth pointing into freed memory.

When svc_do_xprt() encounters error conditions, it calls
SVC_DESTROY(), which then calls SVCAUTH_DESTROY(xprt->xp_auth) if
xprt->xp_auth is not NULL.  Most of the functions called through
svc_do_xprt() do initialize xprt->xp_auth, but because SVC_RECV() does
not, errors in SVC_RECV() (such as a client closing its TCP socket)
will result in xprt->xp_auth containing whatever value it had at the
conclusion of the immediately preceding call which used that SVCXPRT.

SVCAUTH_DESTROY() calls through a function pointer in xprt->xp_auth.
If xprt->xp_auth points into freed memory, this call could jump to
malicious code.  This vulnerability may be easy to exploit if the
attacker can control the heap contents and writable process memory is
executable.

The RPCSEC_GSS authentication flavor currently erroneously depends on
xprt->xp_auth remaining constant across calls, so the simple strategy
of unconditionally setting xprt->xp_auth to NULL will cause
connections using RPCSEC_GSS authentication to fail.  We plan to
address this bug in a future release.

REVISION HISTORY
================

2007-01-09      original release

Copyright (C) 2006 Massachusetts Institute of Technology

____________________________________________________________________________


                 MIT krb5 Security Advisory 2006-003

Original release: 2007-01-09
Last update: 2007-01-09

Topic: kadmind (via GSS-API mechglue) frees uninitialized pointers

Severity: CRITICAL

CVE: CVE-2006-6144
CERT: VU#831452

SUMMARY
=======

The Kerberos administration daemon, "kadmind", can free uninitialized
pointers, possibly leading to arbitrary code execution.  This
vulnerability results from memory management bugs in the "mechglue"
abstraction interface of the GSS-API implementation.  Third-party
applications written using the GSS-API may also be vulnerable.

Exploitation of this vulnerability is believed to be difficult.  No
exploit code is known to exist at this time.

IMPACT
======

An unauthenticated user may cause execution of arbitrary code in
kadmind, which can compromise the Kerberos key database and host
security.  (kadmind usually runs as root.)  Unsuccessful exploitation,
or even accidental replication of the required conditions by
non-malicious users, can result in kadmind crashing.

An unauthenticated user may cause execution of arbitrary code in
third-party applications which use the GSS-API library.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases krb5-1.5 through krb5-1.5.1

* third-party applications calling the GSS-API library included in MIT
  releases krb5-1.5 through krb5-1.5.1

* Earlier releases may not be affected because the relevant code was
  not compiled.

FIXES
=====

* The upcoming krb5-1.6 release will contain a fix for this problem.
  Additionally, the upcoming krb5-1.5.2 patch release will contain
  this fix.

* Apply the patch at:

  http://web.mit.edu/kerberos/advisories/2006-003-patch.txt

  A PGP-signed version of the patch is at:

  http://web.mit.edu/kerberos/advisories/2006-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-003-mechglue.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2006-6144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6144

CERT: VU#831452
http://www.kb.cert.org/vuls/id/831452

ACKNOWLEDGMENTS
===============

This vulnerability was found while investigating a related
vulnerability reported by Andrew Korty of Indiana University.

DETAILS
=======

The specifications for the GSS-API C bindings, including RFC 2744,
require that all GSS-API calls which may return pointers to allocated
memory to initialize the pointers, even in error conditions.  The
implementation of the "mechglue" abstraction interface can execute
error-handling paths which do not complete initialization of output
parameters.  As a result, callers which do not initialize return
structures such as gss_buffer_desc may call destructor functions such
as gss_release_buffer on values containing uninitialized pointers.

In kadmind, the log_badverf() function calls gss_display_name()
without checking its return value and without initializing the
gss_buffer_desc structures passed to gss_display_name().  If
gss_display_name() encounters certain error conditions, it does not
initialize the gss_buffer_t output argument passed to it.  The
log_badverf() function then logs the returned strings, and calls
gss_release_buffer() on these gss_buffer_desc structures.  When
RPCSEC_GSS is used, kadmind uses a NULL server name, so at least one
of the calls to gss_display_name() will always fail in that case.

The act of logging these strings will typically cause a memory access
fault if the uninitialized pointers have values pointing into invalid
address space, which may prevent harmful effects in
gss_release_buffer() because the program will have crashed.  It is
inadvisable to depend on this possibility, because an attacker may be
able to manipulate the uninitialized pointers to take on values
pointing into valid address space.

REVISION HISTORY
================

2007-01-09      original release

Copyright (C) 2006 Massachusetts Institute of Technology


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================