-----BEGIN PGP SIGNED MESSAGE----- MIT krb5 Security Advisory 2005-003 Original release: 2005-07-12 Topic: double-free in krb5_recvauth Severity: CRITICAL SUMMARY ======= The krb5_recvauth() function can free previously freed memory under some error conditions. This vulnerability may allow an unauthenticated remote attacker to execute arbitrary code. Exploitation of this vulnerability on a Kerberos Key Distribution Center (KDC) host can result in compromise of an entire Kerberos realm. No exploit code is known to exist at this time. Exploitation of double-free vulnerabilities is believed to be difficult. [CAN-2005-1689, VU#623332] IMPACT ====== An unauthenticated attacker may be able to execute arbitrary code in the context of a program calling krb5_recvauth(). This includes the kpropd program which typically runs on slave Key Distribution Center (KDC) hosts, potentially leading to compromise of an entire Kerberos realm. Other vulnerable programs which call krb5_recvauth() are usually remote login programs running with root privileges. Unsuccessful attempts at exploitation may result in denial of service by crashing the target program. AFFECTED SOFTWARE ================= * The kpropd daemon in all releases of MIT krb5, up to and including krb5-1.4.1, is vulnerable. * The klogind and krshd remote-login daemons in all releases of MIT krb5, up to and including krb5-1.4.1, is vulnerable. * Third-party application programs which call krb5-recvauth() are also vulnerable. FIXES ===== * The upcoming krb5-1.4.2 release will have a fix for this vulnerability. * Apply the following patch. This patch was generated against the krb5-1.4.1 release. It may apply, with some offset, to earlier releases. The patch may also be found at: http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt The associated detached PGP signature is at: http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc Index: lib/krb5/krb/recvauth.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v retrieving revision 5.38 diff -c -r5.38 recvauth.c *** lib/krb5/krb/recvauth.c 3 Sep 2002 01:13:47 -0000 5.38 - --- lib/krb5/krb/recvauth.c 23 May 2005 23:19:15 -0000 *************** *** 76,82 **** if ((retval = krb5_read_message(context, fd, &inbuf))) return(retval); if (strcmp(inbuf.data, sendauth_version)) { - - krb5_xfree(inbuf.data); problem = KRB5_SENDAUTH_BADAUTHVERS; } krb5_xfree(inbuf.data); - --- 76,81 ---- *************** *** 90,96 **** if ((retval = krb5_read_message(context, fd, &inbuf))) return(retval); if (appl_version && strcmp(inbuf.data, appl_version)) { - - krb5_xfree(inbuf.data); if (!problem) problem = KRB5_SENDAUTH_BADAPPLVERS; } - --- 89,94 ---- REFERENCES ========== This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVE: CAN-2005-1689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689 CERT: VU#623332 http://www.kb.cert.org/vuls/id/623332 ACKNOWLEDGMENTS =============== Thanks to Magnus Hagander for reporting this vulnerability. DETAILS ======= The helper function revcauth_common() in lib/krb5/krb/recvauth.c has two locations which call krb5_read_message(), followed by an unconditional krb5_xfree() of the buffer allocated by krb5_read_message(). In the cases where the sendauth version string or the application version string do not match the expected value, recvauth_common() performs a krb5_xfree() on the buffer allocated by krb5_read_message() preceding the subsequent unconditional call to krb5_xfree() on the same buffer. Since the code paths which call krb5_xfree() twice do so with almost no intervening code, exploitation of this vulnerability may be more difficult than exploitation of other double-free vulnerabilities. No detailed analysis has been performed on the ease of exploitation. REVISION HISTORY ================ 2005-05-12 original release Copyright (C) 2005 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (SunOS) iQCVAwUBQtMbD6bDgE/zdoE9AQGmhQP+MYnmuw4+J3yIcQbS3chjZXVLHebTJJtN jM5+cMBDQfYdpuoQER1Bbaf+7Ky1BoyX2zHfANzdDAiSFRykbFqEqgvdw9jqEFmx ela1UtOhV5H80BZAzmGV+dVIqGPpWH0f4ArRe18Pbz2wZE0Vadq9VkBTJwHI23En K3a9oiHA/XM= =ZS63 -----END PGP SIGNATURE-----