Bug 245548 (CVE-2007-2443) - CVE-2007-2443 krb5 RPC library stack overflow
Summary: CVE-2007-2443 krb5 RPC library stack overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-2443
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 239073 245544
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-06-25 11:41 UTC by Mark J. Cox
Modified: 2019-09-29 12:20 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-26 15:14:46 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0384 normal SHIPPED_LIVE Critical: krb5 security update 2007-06-26 18:43:05 UTC
Red Hat Product Errata RHSA-2007:0562 normal SHIPPED_LIVE Important: krb5 security update 2008-01-07 22:17:36 UTC

Description Mark J. Cox 2007-06-25 11:41:55 UTC
The MIT Kerberos Team has made us aware of this following flaw in krb5:
CVE-2007-2443: The RPC library can write past the end of a stack
buffer.

CVE-2007-2443: The function gssrpc__svcauth_unix() in
src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from
IXDR_GET_U_LONG into a signed integer variable "str_len".
Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME,
which will always be true of "str_len" is negative, which can happen
when a large unsigned integer is converted to a signed integer.  Once
the length check succeeds, gssrpc__svcauth_unix() calls memmove() with
a length of "str_len" with the target in a stack buffer.

This vulnerability is believed to be difficult to exploit because the
memmove() implementation receives a very large number (a negative
integer converted to a large unsigned value), which will almost
certainly cause some sort of memory access fault prior to returning.
This probably avoids any usage of the corrupted return address in the
overwritten stack frame.  Note that some (perhaps unlikely) memmove()
implementations may call other procedures and thus may be vulnerable
to corrupted return addresses.

Comment 1 Mark J. Cox 2007-06-25 11:45:21 UTC
On all architectures of Red Hat Enterprise Linux the memmove with large size
will just segfault and therefore this issue can lead to a denial of service.

( Note that this memmove overflow is not caught by FORTIFY_SOURCE due to the
structure of the code )

Comment 3 Josh Bressers 2007-06-26 18:21:03 UTC
Lifting embargo: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-004.txt

Comment 4 Red Hat Product Security 2008-02-26 15:14:46 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0384.html
  http://rhn.redhat.com/errata/RHSA-2007-0562.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2007-0740




Note You need to log in before you can comment on or make changes to this bug.