MIT krb5 Security Advisory 2006-003
Original release: 2007-01-09
Last update: 2007-01-09

Topic: kadmind (via GSS-API mechglue) frees uninitialized pointers

Severity: CRITICAL

CVE: CVE-2006-6144
CERT: VU#831452

SUMMARY
=======

The Kerberos administration daemon, "kadmind", can free uninitialized pointers, possibly leading to arbitrary code execution. This vulnerability results from memory management bugs in the "mechglue" abstraction interface of the GSS-API implementation. Third-party applications written using the GSS-API may also be vulnerable.

Exploitation of this vulnerability is believed to be difficult. No exploit code is known to exist at this time.

IMPACT
======

An unauthenticated user may cause execution of arbitrary code in kadmind, which can compromise the Kerberos key database and host security. (kadmind usually runs as root.) Unsuccessful exploitation, or even accidental replication of the required conditions by non-malicious users, can result in kadmind crashing.

An unauthenticated user may cause execution of arbitrary code in third-party applications which use the GSS-API library.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases krb5-1.5 through krb5-1.5.1

* third-party applications calling the GSS-API library included in MIT releases krb5-1.5 through krb5-1.5.1

* Earlier releases may not be affected because the relevant code was not compiled.

FIXES
=====

* The upcoming krb5-1.6 release will contain a fix for this problem. Additionally, the upcoming krb5-1.5.2 patch release will contain this fix.

* Apply the patch at:

  http://web.mit.edu/kerberos/advisories/2006-003-patch.txt

  A PGP-signed version of the patch is at:

  http://web.mit.edu/kerberos/advisories/2006-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-003-mechglue.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

  http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

  http://web.mit.edu/kerberos/index.html

CVE: CVE-2006-6144
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6144

CERT: VU#831452
  http://www.kb.cert.org/vuls/id/831452

ACKNOWLEDGMENTS
===============

This vulnerability was found while investigating a related vulnerability reported by Andrew Korty of Indiana University.

DETAILS
=======

The specifications for the GSS-API C bindings, including RFC 2744, require all GSS-API calls which may return pointers to allocated memory to initialize those pointers, even in error conditions. The implementation of the "mechglue" abstraction interface can execute error-handling paths which do not complete initialization of output parameters. As a result, callers which do not initialize return structures such as gss_buffer_desc may call destructor functions such as gss_release_buffer on values containing uninitialized pointers.

In kadmind, the log_badverf() function calls gss_display_name() without checking its return value and without initializing the gss_buffer_desc structures passed to gss_display_name(). If gss_display_name() encounters certain error conditions, it does not initialize the gss_buffer_t output argument passed to it. The log_badverf() function then logs the returned strings, and calls gss_release_buffer() on these gss_buffer_desc structures. When RPCSEC_GSS is used, kadmind uses a NULL server name, so at least one of the calls to gss_display_name() will always fail in that case.
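As an added illustration (not code from the advisory or from MIT krb5; the GSS-API types and the two model_* calls are hypothetical stand-ins), the following C shows the caller-side pattern the advisory describes and the hardened form: output buffers initialized to GSS_C_EMPTY_BUFFER, and the major status checked before the result is used or released.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for the GSS-API pieces the advisory names, not MIT's headers. */
typedef unsigned int OM_uint32;
typedef struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t;
typedef struct { const char *text; } model_name, *gss_name_t;
#define GSS_S_COMPLETE 0u
#define GSS_S_BAD_NAME 2u               /* constructed status code for the model */
#define GSS_C_EMPTY_BUFFER {0, NULL}

/* Models the failure mode: on a NULL name the error path returns without writing 'out'. */
static OM_uint32 model_display_name(OM_uint32 *minor, gss_name_t name, gss_buffer_t out) {
    *minor = 0;
    if (name == NULL || name->text == NULL) return GSS_S_BAD_NAME;
    out->length = strlen(name->text);
    out->value = malloc(out->length + 1);
    memcpy(out->value, name->text, out->length + 1);
    return GSS_S_COMPLETE;
}

/* Like gss_release_buffer(): frees whatever pointer the buffer holds. */
static void model_release_buffer(gss_buffer_t buf) {
    free(buf->value);                   /* free(NULL) is a no-op; garbage is not */
    buf->value = NULL; buf->length = 0;
}

/* The log_badverf() pattern: an uninitialized gss_buffer_desc goes into a call that fails,
 * and whatever it held would then reach free(). A sentinel stands in for stack garbage. */
int failing_call_leaves_buffer_untouched(void) {
    OM_uint32 minor, major;
    gss_buffer_desc buf;
    buf.value = (void *)&buf; buf.length = 42;   /* stand-in for leftover stack contents */
    major = model_display_name(&minor, NULL, &buf);
    return major != GSS_S_COMPLETE && buf.value == (void *)&buf;
}

/* Hardened caller: initialize the output to GSS_C_EMPTY_BUFFER, check the major
 * status before using the result, and release only what the call actually set. */
int safe_display_name(gss_name_t name, char *dst, size_t dstlen) {
    OM_uint32 minor;
    gss_buffer_desc buf = GSS_C_EMPTY_BUFFER;
    if (model_display_name(&minor, name, &buf) != GSS_S_COMPLETE) {
        snprintf(dst, dstlen, "<unknown>");
        model_release_buffer(&buf);     /* harmless: buffer is still empty */
        return 0;
    }
    snprintf(dst, dstlen, "%.*s", (int)buf.length, (const char *)buf.value);
    model_release_buffer(&buf);
    return 1;
}
```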
The act of logging these strings will typically cause a memory access fault if the uninitialized pointers have values pointing into invalid address space, which may prevent harmful effects in gss_release_buffer() because the program will have crashed. It is inadvisable to depend on this possibility, because an attacker may be able to manipulate the uninitialized pointers to take on values pointing into valid address space.

REVISION HISTORY
================

2007-01-09 original release

Copyright (C) 2006 Massachusetts Institute of Technology