=====================================================================
CERT-Renater Information Note No. 2007/VULN268
_____________________________________________________________________

DATE                 : 28/06/2007
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running MIT krb5 Kerberos.
======================================================================

MIT krb5 Security Advisory 2007-004

Original release: 2007-06-26
Last update: 2007-06-26

Topic: kadmind affected by multiple RPC library vulnerabilities

Severity: CRITICAL

CVE: CVE-2007-2442
CERT: VU#356961

CVE: CVE-2007-2443
CERT: VU#365313

SUMMARY
=======

The MIT krb5 Kerberos administration daemon (kadmind) is affected by
multiple vulnerabilities in the RPC library shipped with MIT krb5.

CVE-2007-2442/VU#356961: The RPC library can free an uninitialized
pointer. This may lead to execution of arbitrary code.

CVE-2007-2443/VU#365313: The RPC library can write past the end of a
stack buffer. This may (but is unlikely to) lead to execution of
arbitrary code.

Third-party applications using the RPC library provided with MIT krb5
may also be vulnerable. Other RPC libraries derived from SunRPC may be
vulnerable to CVE-2007-2443.

Exploitation of these vulnerabilities is believed to be difficult.
(See DETAILS.) Proof-of-concept exploits which do not cause execution
of unintended code exist but are not known to be publicly circulated.

This is a bug in the RPC library included with MIT krb5, which is used
by kadmind and by some third-party applications. It is not a bug in
the Kerberos protocol.

IMPACT
======

An unauthenticated remote user may be able to cause a host running
kadmind to execute arbitrary code. CVE-2007-2442 is more likely to
lead to arbitrary code execution than CVE-2007-2443.

Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs. (kadmind typically
runs as root.)
Unsuccessful exploitation attempts will likely result in the affected
program crashing.

Third-party applications calling the RPC library provided with MIT
krb5 may be vulnerable. Other RPC libraries derived from SunRPC may be
vulnerable.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases up to and including krb5-1.6.1

* third-party applications calling the RPC library included in MIT
  releases up to and including krb5-1.6.1

FIXES
=====

* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
  maintenance release, will contain fixes for this vulnerability.

  Prior to that release you may:

* apply the patch

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-004-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-004-patch.txt.asc

*** src/lib/rpc/svc_auth_gssapi.c (revision 20015) - - --- src/lib/rpc/svc_auth_gssapi.c (local) *************** *** 149,154 **** - - --- 149,156 ---- rqst->rq_xprt->xp_auth = &svc_auth_none; memset((char *) &call_res, 0, sizeof(call_res)); + creds.client_handle.length = 0; + creds.client_handle.value = NULL; cred = &msg->rm_call.cb_cred; verf = &msg->rm_call.cb_verf; *** src/lib/rpc/svc_auth_unix.c (revision 20015) - - --- src/lib/rpc/svc_auth_unix.c (local) *************** *** 64,71 **** char area_machname[MAX_MACHINE_NAME+1]; int area_gids[NGRPS]; } *area; ! u_int auth_len; ! int str_len, gid_len; register int i; rqst->rq_xprt->xp_auth = &svc_auth_none; - - --- 64,70 ---- char area_machname[MAX_MACHINE_NAME+1]; int area_gids[NGRPS]; } *area; ! u_int auth_len, str_len, gid_len; register int i; rqst->rq_xprt->xp_auth = &svc_auth_none; *************** *** 74,80 **** aup = &area->area_aup; aup->aup_machname = area->area_machname; aup->aup_gids = area->area_gids; !
auth_len = (u_int)msg->rm_call.cb_cred.oa_length; xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE); buf = XDR_INLINE(&xdrs, (int)auth_len); if (buf != NULL) { - - --- 73,81 ---- aup = &area->area_aup; aup->aup_machname = area->area_machname; aup->aup_gids = area->area_gids; ! auth_len = msg->rm_call.cb_cred.oa_length; ! if (auth_len > INT_MAX) ! return AUTH_BADCRED; xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE); buf = XDR_INLINE(&xdrs, (int)auth_len); if (buf != NULL) { *************** *** 84,90 **** stat = AUTH_BADCRED; goto done; } ! memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len); aup->aup_machname[str_len] = 0; str_len = RNDUP(str_len); buf += str_len / BYTES_PER_XDR_UNIT; - - --- 85,91 ---- stat = AUTH_BADCRED; goto done; } ! memmove(aup->aup_machname, buf, str_len); aup->aup_machname[str_len] = 0; str_len = RNDUP(str_len); buf += str_len / BYTES_PER_XDR_UNIT; *************** *** 104,110 **** * timestamp, hostname len (0), uid, gid, and gids len (0). */ if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) { ! (void) printf("bad auth_len gid %d str %d auth %d\n", gid_len, str_len, auth_len); stat = AUTH_BADCRED; goto done; - - --- 105,111 ---- * timestamp, hostname len (0), uid, gid, and gids len (0). */ if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) { ! 
(void) printf("bad auth_len gid %u str %u auth %u\n", gid_len, str_len, auth_len); stat = AUTH_BADCRED; goto done;

REFERENCES
==========

This announcement is posted at:

        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-2442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442

CVE: CVE-2007-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443

CERT: VU#356961
http://www.kb.cert.org/vuls/id/356961

CERT: VU#365313
http://www.kb.cert.org/vuls/id/365313

ACKNOWLEDGMENTS
===============

We thank McAfee, Inc. for the initial notification. Wei Wang of McAfee
Avert Labs discovered these vulnerabilities.

DETAILS
=======

CVE-2007-2442: The function gssrpc__svcauth_gssapi() in
src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds"
of type auth_gssapi_creds. This type includes a gss_buffer_desc (which
includes a pointer to void used as a pointer to a buffer of bytes). If
gssrpc__svcauth_gssapi() receives an RPC credential with a length of
zero, it jumps to the label "error", which executes some cleanup code.
At this point, the gss_buffer_desc in "creds" is not yet initialized,
and the cleanup code calls xdr_free() on "creds", which then attempts
to free the memory pointed to by the uninitialized "value" member of
the gss_buffer_desc. Exploitation of freeing of invalid pointers is
believed to be difficult, and depends on a variety of factors specific
to a given malloc implementation.

CVE-2007-2443: The function gssrpc__svcauth_unix() in
src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from
IXDR_GET_U_LONG into a signed integer variable "str_len".
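Review bot: In the svc_auth_gssapi.c 149-156 hunk, initializing only creds.client_handle leaves every other member of the automatic "creds" indeterminate on the error path, and the DETAILS say the cleanup runs xdr_free() on the whole structure, not on that one field. A memset(&creds, 0, sizeof(creds)) beside the existing memset((char *) &call_res, 0, sizeof(call_res)) covers all members, including any added to auth_gssapi_creds later, at no extra cost.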
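Review bot: In the svc_auth_unix.c 64-70 hunk, making str_len and gid_len u_int is the actual fix, because the later bound checks (including (5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len in the 105-111 hunk) become unsigned comparisons that reject large wire values instead of passing a negative int through. With gid_len unsigned that multiplication can wrap for a very large gid_len, so the check that bounds gid_len to the NGRPS entries of area_gids must stay ahead of that arithmetic; a comment at the declaration would protect that ordering.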
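Review bot: In the svc_auth_unix.c 73-81 hunk, the new `if (auth_len > INT_MAX) return AUTH_BADCRED;` returns directly, whereas every other failure in this function does `stat = AUTH_BADCRED; goto done;` (visible in the 85-91 and 105-111 hunks), so whatever the done: label tears down is skipped on this one path; using the same stat/goto done sequence keeps the exits uniform. INT_MAX also requires <limits.h>, and the patch adds no include, so confirm the file already pulls it in on every platform krb5 builds on.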
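The two DETAILS items in this advisory, as an added C example that is not part of the MIT advisory or of the krb5 sources: parse_unix_cred() is a hypothetical stand-in for gssrpc__svcauth_unix() that decodes an AUTH_UNIX credential with unsigned lengths and a bound check before every read (the CVE-2007-2443 fix), and zero-initializes its output before any early exit (the lesson of CVE-2007-2442). Two one-line helpers show why the old signed str_len passed the MAX_MACHINE_NAME comparison for a large wire value while an unsigned one does not. MAX_MACHINE_NAME, NGRPS, BYTES_PER_XDR_UNIT and RNDUP keep the names from svc_auth_unix.c but their values here are assumptions; build_unix_cred() and the credential bytes it emits are constructed for the example, not captured traffic.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Names from svc_auth_unix.c; the values are assumptions for this example. */
#define MAX_MACHINE_NAME   255
#define NGRPS              16
#define BYTES_PER_XDR_UNIT 4
#define RNDUP(x) ((((x) + BYTES_PER_XDR_UNIT - 1) / BYTES_PER_XDR_UNIT) * BYTES_PER_XDR_UNIT)

enum auth_stat { AUTH_OK = 0, AUTH_BADCRED = 1 };

struct unix_cred {
    uint32_t stamp;
    char     machname[MAX_MACHINE_NAME + 1];
    uint32_t uid, gid;
    uint32_t gids[NGRPS];
    unsigned gid_len;
};

/* XDR integers are 32-bit big-endian. */
static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_u32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Pre-fix comparison: str_len was an int, so a wire length such as 0xFFFFFF00
 * became negative (implementation-defined conversion, wrapping on common
 * compilers) and satisfied the bound check. Returns 1 if the value passes. */
int signed_check_accepts(uint32_t wire_len)
{
    int str_len = (int)wire_len;
    return str_len <= MAX_MACHINE_NAME;
}

/* Post-fix comparison: with an unsigned str_len the same value is rejected. */
int unsigned_check_accepts(uint32_t wire_len)
{
    unsigned str_len = wire_len;
    return str_len <= MAX_MACHINE_NAME;
}

/* Hypothetical stand-in for gssrpc__svcauth_unix(): decode an AUTH_UNIX
 * credential of auth_len bytes into *out. Every length is unsigned and every
 * read is preceded by a check against auth_len. */
enum auth_stat parse_unix_cred(const unsigned char *buf, size_t auth_len, struct unix_cred *out)
{
    unsigned str_len, gid_len;   /* u_int, as in the fix; int before it */
    size_t off = 0, need;

    /* CVE-2007-2442 lesson: put the output in a known state before any early
     * exit, so a caller's cleanup never sees indeterminate fields. */
    memset(out, 0, sizeof *out);

    if (auth_len > INT_MAX)                          /* mirrors the patch */
        return AUTH_BADCRED;
    need = 2 * BYTES_PER_XDR_UNIT;                   /* stamp + machname length */
    if (auth_len < need)
        return AUTH_BADCRED;
    out->stamp = get_u32(buf + off); off += 4;
    str_len = get_u32(buf + off);    off += 4;
    if (str_len > MAX_MACHINE_NAME)                  /* unsigned: 0xFFFFFF00 fails here */
        return AUTH_BADCRED;

    need += RNDUP(str_len) + 3 * BYTES_PER_XDR_UNIT; /* name, uid, gid, gids count */
    if (auth_len < need)
        return AUTH_BADCRED;
    memmove(out->machname, buf + off, str_len);      /* fits: str_len <= MAX_MACHINE_NAME */
    out->machname[str_len] = '\0';
    off += RNDUP(str_len);
    out->uid = get_u32(buf + off); off += 4;
    out->gid = get_u32(buf + off); off += 4;
    gid_len  = get_u32(buf + off); off += 4;
    if (gid_len > NGRPS)
        return AUTH_BADCRED;
    /* Same total-length check as the patched code, in unsigned arithmetic;
     * gid_len is already bounded by NGRPS so the multiplication cannot wrap. */
    if ((5 + gid_len) * BYTES_PER_XDR_UNIT + RNDUP(str_len) > auth_len)
        return AUTH_BADCRED;
    for (unsigned i = 0; i < gid_len; i++) {
        out->gids[i] = get_u32(buf + off); off += 4;
    }
    out->gid_len = gid_len;
    return AUTH_OK;
}

/* Builds a constructed (not captured) AUTH_UNIX credential; len_field is
 * written as the machname length so a caller can send a bogus value. */
size_t build_unix_cred(unsigned char *out, uint32_t len_field, const char *name, uint32_t ngids)
{
    size_t off = 0, n = strlen(name);
    put_u32(out + off, 0x4a1b2c3d); off += 4;        /* stamp */
    put_u32(out + off, len_field);  off += 4;        /* machname length as sent */
    memcpy(out + off, name, n);     off += n;
    while (off % BYTES_PER_XDR_UNIT) out[off++] = 0; /* XDR padding */
    put_u32(out + off, 1000);  off += 4;             /* uid */
    put_u32(out + off, 100);   off += 4;             /* gid */
    put_u32(out + off, ngids); off += 4;
    for (uint32_t i = 0; i < ngids; i++) { put_u32(out + off, 100 + i); off += 4; }
    return off;
}
```

The point to take from it: once str_len is unsigned, the comparison against MAX_MACHINE_NAME rejects every value above it, so memmove() is never reached with a length larger than the destination array, and because the output is zeroed first, an early AUTH_BADCRED leaves nothing indeterminate for a caller's cleanup to free.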
Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME,
which will always be true if "str_len" is negative, which can happen
when a large unsigned integer is converted to a signed integer. Once
the length check succeeds, gssrpc__svcauth_unix() calls memmove() with
a length of "str_len" with the target in a stack buffer.

This vulnerability is believed to be difficult to exploit because the
memmove() implementation receives a very large number (a negative
integer converted to a large unsigned value), which will almost
certainly cause some sort of memory access fault prior to returning.
This probably avoids any usage of the corrupted return address in the
overwritten stack frame. Note that some (perhaps unlikely) memmove()
implementations may call other procedures and thus may be vulnerable
to corrupted return addresses.

REVISION HISTORY
================

2007-06-26 original release

Copyright (C) 2007 Massachusetts Institute of Technology

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRoFJz6bDgE/zdoE9AQL7gAP9E854ZZEi6Vk4sl0CbNYW3UifSZd4MQy2
djW5S/sO93k0Tji/+VQwyG5iIiWIsfotaS66ZuU80K8YTiEfXmyDp81uUUvRMJFT
8i4/L1yf43gA49GF8PV3QqS5QmzMoz8x0vp9OyUq4S/Yh4MpkcnTHW9xU1Fxdhe/
ZJxXE06kRIU=
=Fcvv
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MIT krb5 Security Advisory 2007-005

Original release: 2007-06-26
Last update: 2007-06-26

Topic: kadmind vulnerable to buffer overflow

Severity: CRITICAL

CVE: CVE-2007-2798
CERT: VU#554257

SUMMARY
=======

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow. Exploitation of overflows of stack buffers is
known to be simple. We have received a proof-of-concept exploit which
may invoke a shell, but we believe that this exploit is not publicly
circulated.

This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos
protocol.
IMPACT
======

An authenticated remote user may be able to cause a host running
kadmind to execute arbitrary code.

Successful exploitation can compromise the Kerberos key database and
host security on the KDC host. (kadmind typically runs as root.)

Unsuccessful exploitation attempts will likely result in kadmind
crashing.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases up to and including krb5-1.6.1

FIXES
=====

* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
  maintenance release, will contain fixes for this vulnerability.

  Prior to that release you may:

* apply the patch

  This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite.
  The krb5-1.6.1 and krb5-1.5.3 releases already contain the
  prerequisite patch.

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-005-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc

*** src/kadmin/server/server_stubs.c (revision 20024) - - --- src/kadmin/server/server_stubs.c (local) *************** *** 545,557 **** static generic_ret ret; char *prime_arg1, *prime_arg2; - - - char prime_arg[BUFSIZ]; gss_buffer_desc client_name, service_name; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; char *errmsg; xdr_free(xdr_generic_ret, &ret); - - --- 545,558 ---- static generic_ret ret; char *prime_arg1, *prime_arg2; gss_buffer_desc client_name, service_name; OM_uint32 minor_stat; kadm5_server_handle_t handle; restriction_t *rp; char *errmsg; + size_t tlen1, tlen2, clen, slen; + char *tdots1, *tdots2, *cdots, *sdots; xdr_free(xdr_generic_ret, &ret); *************** *** 572,578 **** ret.code = KADM5_BAD_PRINCIPAL; goto exit_func; } ! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2); ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) { - - --- 573,586 ---- ret.code = KADM5_BAD_PRINCIPAL; goto exit_func; } ! tlen1 = strlen(prime_arg1); ! trunc_name(&tlen1, &tdots1); !
tlen2 = strlen(prime_arg2); ! trunc_name(&tlen2, &tdots2); ! clen = client_name.length; ! trunc_name(&clen, &cdots); ! slen = service_name.length; ! trunc_name(&slen, &sdots); ret.code = KADM5_OK; if (! CHANGEPW_SERVICE(rqstp)) { *************** *** 590,597 **** } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! log_unauth("kadm5_rename_principal", prime_arg, ! &client_name, &service_name, rqstp); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); - - --- 598,612 ---- } else ret.code = KADM5_AUTH_INSUFFICIENT; if (ret.code != KADM5_OK) { ! krb5_klog_syslog(LOG_NOTICE, ! "Unauthorized request: kadm5_rename_principal, " ! "%.*s%s to %.*s%s, " ! "client=%.*s%s, service=%.*s%s, addr=%s", ! tlen1, prime_arg1, tdots1, ! tlen2, prime_arg2, tdots2, ! clen, client_name.value, cdots, ! slen, service_name.value, sdots, ! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } else { ret.code = kadm5_rename_principal((void *)handle, arg->src, arg->dest); *************** *** 600,607 **** else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! log_done("kadm5_rename_principal", prime_arg, errmsg, ! &client_name, &service_name, rqstp); } free_server_handle(handle); free(prime_arg1); - - --- 615,629 ---- else errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); ! krb5_klog_syslog(LOG_NOTICE, ! "Request: kadm5_rename_principal, " ! "%.*s%s to %.*s%s, %s, " ! "client=%.*s%s, service=%.*s%s, addr=%s", ! tlen1, prime_arg1, tdots1, ! tlen2, prime_arg2, tdots2, errmsg, ! clen, client_name.value, cdots, ! slen, service_name.value, sdots, ! 
inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); } free_server_handle(handle); free(prime_arg1);

REFERENCES
==========

This announcement is posted at:

        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798

CERT: VU#554257
http://www.kb.cert.org/vuls/id/554257

ACKNOWLEDGMENTS
===============

We thank iDefense for the initial notification. iDefense credits an
anonymous discoverer.

DETAILS
=======

The kadmind code which performs the principal renaming operation
passes unchecked string arguments to a sprintf() call which has a
fixed-size stack buffer as its destination. These strings are the old
and new principal names passed to the rename operation. The attacker
needs to authenticate to kadmind to perform this attack, but no
administrative privileges are required because the vulnerable code
executes prior to privilege verification.

REVISION HISTORY
================

2007-06-26 original release

Copyright (C) 2007 Massachusetts Institute of Technology

======================================================================

=========================================================
The CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44       +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41       +
+ 75013 Paris           | email: certsvp@renater.fr   +
=========================================================
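Review bot: In the server_stubs.c 545-558 hunk, tdots1, tdots2, cdots and sdots are declared but never initialized, and whether trunc_name() assigns its dots output on every path (short names included) is not visible in this patch; if it does not, the later "%.*s%s" formats read an indeterminate pointer. Either initialize the four pointers to "" at the declaration or confirm trunc_name() always stores through its second argument.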
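Review bot: In the 573-586 hunk, tlen1, tlen2, clen and slen are size_t (per the 545-558 declarations) but are later passed as the `*` precision of "%.*s" in both krb5_klog_syslog() calls, and a `*` precision must be an int; on LP64 platforms a size_t vararg where int is expected is undefined behaviour and can desynchronize the rest of the argument list. Cast at the call sites ((int) tlen1, ...) or have trunc_name() produce int lengths after bounding them.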
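Review bot: In the 598-612 hunk, client_name.value is the void * of a gss_buffer_desc but is handed to "%.*s", which expects char *; add a (char *) cast (same for service_name.value). This inline krb5_klog_syslog() block is also repeated almost verbatim in the 615-629 hunk with only the prefix and errmsg differing; since log_unauth()/log_done() were the shared helpers being removed, a single bounded helper taking the two names, the client/service buffers and an optional errmsg would keep the two format strings from drifting apart.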