Red Hat Bugzilla – Bug 245548
CVE-2007-2443 krb5 RPC library stack overflow
Last modified: 2008-02-26 10:14:46 EST
The MIT Kerberos Team has made us aware of the following flaw in krb5:
CVE-2007-2443: The RPC library can write past the end of a stack
CVE-2007-2443: The function gssrpc__svcauth_unix() in
src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from
IXDR_GET_U_LONG into a signed integer variable "str_len".
Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME,
which will always be true if "str_len" is negative, which can happen
when a large unsigned integer is converted to a signed integer. Once
the length check succeeds, gssrpc__svcauth_unix() calls memmove() with
a length of "str_len" with the target in a stack buffer.
This vulnerability is believed to be difficult to exploit because the
memmove() implementation receives a very large number (a negative
integer converted to a large unsigned value), which will almost
certainly cause some sort of memory access fault prior to returning.
This probably avoids any usage of the corrupted return address in the
overwritten stack frame. Note that some (perhaps unlikely) memmove()
implementations may call other procedures and thus may be vulnerable
to corrupted return addresses.
On all architectures of Red Hat Enterprise Linux the memmove with large size
will just segfault and therefore this issue can lead to a denial of service.
(Note that this memmove overflow is not caught by FORTIFY_SOURCE due to the
structure of the code.)
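The signed/unsigned mix-up described above, as an added illustration that is not MIT's code and not the patched svc_auth_unix.c: a length read from the wire is stored in a signed int, compared only against an upper bound, and then handed to memmove(), so a wire value above INT_MAX becomes a negative str_len, passes the check, and converts back to a huge size_t. The value of MAX_MACHINE_NAME, the big-endian length prefix standing in for IXDR_GET_U_LONG, and the sample messages are constructed for the example; the hardened form keeps the length unsigned and bounds it before any copy, which is the check FORTIFY_SOURCE cannot supply here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit for the example; the real constant lives in krb5's RPC code. */
#define MAX_MACHINE_NAME 255

/* Outcome of the length validation: whether the check passed and the
 * size that memmove() would receive (str_len implicitly converted to size_t). */
struct check_result {
    bool   accepted;
    size_t copy_len;
};

/* Flawed pattern from the advisory: the unsigned wire value is stored in a
 * signed int and compared only against the upper bound. On two's-complement
 * targets a value above INT_MAX wraps negative and passes the comparison. */
struct check_result vulnerable_length_check(uint32_t wire_len)
{
    struct check_result r = { false, 0 };
    int str_len = (int)wire_len;                /* 0xFFFFFFF0 becomes -16 */
    if (str_len < MAX_MACHINE_NAME) {           /* true for every negative str_len */
        r.accepted = true;
        r.copy_len = (size_t)str_len;           /* -16 becomes SIZE_MAX - 15: the memmove length */
    }
    return r;
}

/* Hardened form: never let the length become signed, and bound it before use. */
struct check_result fixed_length_check(uint32_t wire_len)
{
    struct check_result r = { false, 0 };
    if (wire_len < MAX_MACHINE_NAME) {
        r.accepted = true;
        r.copy_len = wire_len;
    }
    return r;
}

/* Parser built on the hardened check. The message is a 4-byte big-endian
 * length (standing in for IXDR_GET_U_LONG) followed by the name bytes.
 * Copies into a fixed stack buffer only when the length is in range and
 * actually present in the message. Returns bytes copied, or -1 on rejection. */
int parse_machine_name(const uint8_t *msg, size_t msg_len, char out[MAX_MACHINE_NAME])
{
    if (msg_len < 4)
        return -1;
    uint32_t wire_len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                        ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];
    struct check_result r = fixed_length_check(wire_len);
    if (!r.accepted || r.copy_len > msg_len - 4)
        return -1;
    memmove(out, msg + 4, r.copy_len);
    out[r.copy_len] = '\0';                     /* copy_len <= 254, so the terminator fits */
    return (int)r.copy_len;
}

/* Constructed sample: length 5 followed by "host1". */
static const uint8_t sample_ok[]  = { 0x00, 0x00, 0x00, 0x05, 'h', 'o', 's', 't', '1' };
/* Constructed sample: length 0xFFFFFFF0 with no payload, the case from the advisory. */
static const uint8_t sample_bad[] = { 0xFF, 0xFF, 0xFF, 0xF0 };

/* Convenience wrapper so a caller can exercise the parser without managing the buffer. */
int parse_sample(const uint8_t *msg, size_t msg_len)
{
    char name[MAX_MACHINE_NAME];
    return parse_machine_name(msg, msg_len, name);
}

int main(void)
{
    struct check_result v = vulnerable_length_check(0xFFFFFFF0u);
    struct check_result f = fixed_length_check(0xFFFFFFF0u);
    printf("vulnerable check: accepted=%d copy_len=%zu\n", v.accepted, v.copy_len);
    printf("fixed check:      accepted=%d copy_len=%zu\n", f.accepted, f.copy_len);
    printf("parse sample_ok:  %d\n", parse_sample(sample_ok, sizeof sample_ok));
    printf("parse sample_bad: %d\n", parse_sample(sample_bad, sizeof sample_bad));
    return 0;
}
```

The vulnerable check accepts the oversized length and would hand memmove() a size near SIZE_MAX, which is exactly why the copy faults before the corrupted frame is ever returned into; the fixed check rejects it before any copy happens, and the parser additionally refuses lengths the message does not actually carry.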
Lifting embargo: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-004.txt
This issue was addressed in:
Red Hat Enterprise Linux: