Bug 159753 - CAN-2005-1689 double-free in krb5_recvauth
Summary: CAN-2005-1689 double-free in krb5_recvauth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: krb5
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard: impact=critical,embargo=20050712,sour...
Depends On:
Blocks:
Reported: 2005-06-07 20:00 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2005-562
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-12 18:18:53 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2005:562 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: Critical: krb5 security update | Last Updated: 2005-07-12 04:00:00 UTC

Description Josh Bressers 2005-06-07 20:00:44 UTC
Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
   krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
   krb5, up to and including krb5-1.4.1, are vulnerable.

* Third-party application programs which call krb5_recvauth() are also
   vulnerable.

FIXES
=====

* Apply the following patch.  This patch was generated against the
   krb5-1.4.1 release.  It may apply, with some offset, to earlier
   releases.

   The patch may also be found at:

   http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt

   The associated detached PGP signature is at:

   http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c     3 Sep 2002 01:13:47 -0000       5.38
--- lib/krb5/krb/recvauth.c     23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
            if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
            if (strcmp(inbuf.data, sendauth_version)) {
-               krb5_xfree(inbuf.data);
                problem = KRB5_SENDAUTH_BADAUTHVERS;
            }
            krb5_xfree(inbuf.data);
--- 76,81 ----
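Review bot: the removed krb5_xfree(inbuf.data) inside the strcmp mismatch branch duplicated the unconditional krb5_xfree(inbuf.data) that follows the block, so a client sending an unexpected sendauth version caused the same buffer to be freed twice; deleting the inner call is the right fix. Because the mismatch only records `problem = KRB5_SENDAUTH_BADAUTHVERS;` and falls through instead of returning, the single remaining free must stay unconditional; consider also setting inbuf.data to NULL right after it so that any later accidental release of the same pointer becomes a no-op rather than a second free of the block.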
***************
*** 90,96 ****
        if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
        if (appl_version && strcmp(inbuf.data, appl_version)) {
-               krb5_xfree(inbuf.data);
                if (!problem)
                        problem = KRB5_SENDAUTH_BADAPPLVERS;
        }
--- 89,94 ----
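Review bot: the trailing context stops at the closing brace, so this hunk does not show the unconditional free that must now release inbuf.data after the appl_version comparison; confirm that a krb5_xfree(inbuf.data) follows the block here as it does in the first hunk, otherwise removing this call trades the double free for a leak of every received application-version message. The `if (!problem)` guard is fine: it preserves an earlier KRB5_SENDAUTH_BADAUTHVERS result while still recording KRB5_SENDAUTH_BADAPPLVERS when nothing went wrong before.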

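The advisory above describes the defect in prose and shows only the removed lines. The following is an added example, not MIT krb5 code and not part of the bug report: it models the version-check path in a small self-contained C program, with the buffer, the message reader, the error constant and every function name constructed for illustration. An instrumented free counts releases of each block instead of calling free() twice (a real double free is undefined behaviour), so the vulnerable shape and the patched shape can be compared on the same input without crashing the process.

```c
/* Added example (not MIT krb5 code): models the free-twice pattern fixed by
 * the recvauth.c patch. All names below are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_data: a heap buffer and its length. */
typedef struct { char *data; size_t length; } msg_data;

/* Constructed error code standing in for KRB5_SENDAUTH_BADAUTHVERS. */
#define SENDAUTH_BADAUTHVERS 1

/* Instrumented allocator bookkeeping: a block is freed only while it is
 * still live; a second release of the same pointer is counted, not executed. */
#define MAX_LIVE 16
static void *live_ptrs[MAX_LIVE];
static size_t live_count;
static int double_frees;

static void tracked_free(void *p) {
    for (size_t i = 0; i < live_count; i++) {
        if (live_ptrs[i] == p) {
            live_ptrs[i] = live_ptrs[--live_count];
            free(p);
            return;
        }
    }
    double_frees++;   /* pointer is not live: this would be a double free */
}

/* Stand-in for krb5_read_message: copies the wire string into a fresh,
 * NUL-terminated heap buffer so strcmp() on it is well defined. */
static int read_message(msg_data *out, const char *wire) {
    size_t n = strlen(wire) + 1;
    if (live_count >= MAX_LIVE) return -1;
    out->data = malloc(n);
    if (!out->data) return -1;
    memcpy(out->data, wire, n);
    out->length = n;
    live_ptrs[live_count++] = out->data;
    return 0;
}

/* Vulnerable shape (the pre-patch code): the mismatch branch frees the
 * buffer, then the unconditional free after the block frees it again. */
static int check_version_vulnerable(const char *wire, const char *expected) {
    msg_data inbuf;
    int problem = 0;
    if (read_message(&inbuf, wire)) return -1;
    if (strcmp(inbuf.data, expected)) {
        tracked_free(inbuf.data);            /* first release */
        problem = SENDAUTH_BADAUTHVERS;      /* error is recorded, not returned */
    }
    tracked_free(inbuf.data);                /* second release on the mismatch path */
    return problem;
}

/* Patched shape: the buffer has one owner and is released exactly once.
 * Nulling the pointer afterwards turns any later accidental release into
 * a harmless no-op for this tracker (and for free(NULL) in real code). */
static int check_version_fixed(const char *wire, const char *expected) {
    msg_data inbuf;
    int problem = 0;
    if (read_message(&inbuf, wire)) return -1;
    if (strcmp(inbuf.data, expected))
        problem = SENDAUTH_BADAUTHVERS;
    tracked_free(inbuf.data);
    inbuf.data = NULL;
    return problem;
}

/* Runs one check from a clean tracker state and reports how many times the
 * single received buffer would have been freed a second time. */
static int count_double_frees(int (*check)(const char *, const char *),
                              const char *wire, const char *expected) {
    double_frees = 0;
    live_count = 0;
    (void)check(wire, expected);
    return double_frees;
}

int main(void) {
    const char *good = "KRB5_SENDAUTH_V1.0";   /* constructed sample version strings */
    const char *bad  = "BOGUS_VERSION";
    printf("vulnerable, matching version:   %d double free(s)\n",
           count_double_frees(check_version_vulnerable, good, good));
    printf("vulnerable, mismatched version: %d double free(s)\n",
           count_double_frees(check_version_vulnerable, bad, good));
    printf("fixed, mismatched version:      %d double free(s)\n",
           count_double_frees(check_version_fixed, bad, good));
    return 0;
}
```

The matching-version path is identical in both shapes, which is why the bug was reachable only by sending an unexpected version string: the error is stored in `problem` and control falls through to the unconditional free, so the one free that must remain is the unconditional one after the block.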
Comment 1 Josh Bressers 2005-06-07 20:02:10 UTC
This issue probably also affects RHEL2.1 and RHEL3

Comment 2 Josh Bressers 2005-06-07 20:03:27 UTC
Nalin,

If you feel this issue isn't worthy of a critical severity rating, let me know.
My limited knowledge of krb5 leads me to believe this is a very serious issue.

Comment 4 Mark J. Cox 2005-07-12 18:03:19 UTC
Public at http://web.mit.edu/kerberos/www/advisories/ - removing embargo

Comment 5 Red Hat Bugzilla 2005-07-12 18:18:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-562.html