Bug 77004 - Buffer overflow in kadmind4 supplied with krb5
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: krb5
Version: 7.2
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
http://web.mit.edu/kerberos/www/advis...
Keywords: Security
Depends On:
Blocks:
Reported: 2002-10-30 15:23 EST by jian liu
Modified: 2007-04-18 12:48 EDT (History)
See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-11-01 12:40:13 EST
Description jian liu 2002-10-30 15:23:06 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.4.3 i686)

Description of problem:
Quote from the advisory (please see the provided URL): "A stack buffer overflow in
the implementation of the Kerberos v4 compatibility administration daemon
(kadmind4) in the MIT krb5 distribution can be exploited to gain unauthorized
root access to a KDC host.  The attacker does not need to authenticate to the
daemon to successfully perform this attack.  At least one exploit is known to
exist in the wild, and at least one attacker is reasonably competent at cleaning
up traces of intrusion.

The kadmind4 supplied with MIT krb5 is intended for use in sites that require
compatibility with legacy administrative clients; sites that do not have this
requirement are not likely to be running this daemon."

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:

I got the source code from
ftp://updates.redhat.com/7.2/en/os/SRPMS/krb5-1.2.2-14.src.rpm

Please go to line 170 of file src/kadmin/v4server/kadm_ser_wrap.c, then compare
the code against the patch from

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

The boundary checking is missing from the file
src/kadmin/v4server/kadm_ser_wrap.c.
I think krb5-1.2.2-14 from ftp://updates.redhat.com/7.2/en/os/SRPMS is
vulnerable.
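As an added illustration (not code from krb5, from the MIT advisory, or from this report), the class of defect described above: a request length taken from the wire and copied into a fixed stack buffer without a bounds check, beside the hardened form that rejects the request first. The 2-byte length prefix, the KADM_REQ_MAX size and every function name here are assumptions, not the real kadm_ser_wrap.c layout.

```c
#include <stdint.h>
#include <string.h>

/* Assumed size of the fixed stack buffer a request is unwrapped into. */
#define KADM_REQ_MAX 512

typedef int (*unwrap_fn)(const uint8_t *pkt, size_t pkt_len);

/* Constructed wire shape: 2-byte big-endian length, then that many bytes. */
static int read_len_prefix(const uint8_t *pkt, size_t pkt_len, size_t *n) {
    if (pkt_len < 2)
        return -1;
    *n = ((size_t)pkt[0] << 8) | pkt[1];
    return 0;
}

/* Vulnerable shape: the claimed length is trusted and copied as received. */
static int unwrap_unchecked(const uint8_t *pkt, size_t pkt_len) {
    uint8_t req[KADM_REQ_MAX];
    size_t n;
    if (read_len_prefix(pkt, pkt_len, &n) < 0)
        return -1;
    memcpy(req, pkt + 2, n);   /* n > sizeof(req) overruns the stack frame */
    return (int)n;
}

/* Hardened shape: reject before copying when the claimed length exceeds the
 * destination buffer or the number of bytes actually received. */
static int unwrap_checked(const uint8_t *pkt, size_t pkt_len) {
    uint8_t req[KADM_REQ_MAX];
    size_t n;
    if (read_len_prefix(pkt, pkt_len, &n) < 0)
        return -1;
    if (n > sizeof(req) || n > pkt_len - 2)
        return -1;             /* oversized or truncated: drop the request */
    memcpy(req, pkt + 2, n);
    return (int)n;
}

/* Build a constructed packet that claims `claimed` bytes but carries `actual`
 * payload bytes, and hand it to one of the unwrap routines. */
static int run_packet(unwrap_fn fn, size_t claimed, size_t actual) {
    uint8_t pkt[KADM_REQ_MAX + 2];
    if (actual + 2 > sizeof(pkt))
        return -1;
    pkt[0] = (uint8_t)(claimed >> 8);
    pkt[1] = (uint8_t)(claimed & 0xff);
    memset(pkt + 2, 'A', actual);
    return fn(pkt, actual + 2);
}
```

Note that the check compares the claimed length against both the destination size and the bytes actually received; checking only one of the two still leaves either an overflow or an over-read.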
Comment 1 Mark J. Cox (Product Security) 2002-11-01 12:40:05 EST
Releases of Red Hat Linux version 6.2 and higher include versions of MIT
Kerberos that are vulnerable to this issue; however the vulnerable
administration server, kadmind4, has never been enabled by default.  

We are currently working on producing errata packages.  When complete these
will be available along with our advisory at the URL below.  At the same
time users of the Red Hat Network will be able to update their systems
using the 'up2date' tool.

http://rhn.redhat.com/errata/RHSA-2002-242.html
