-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MIT krb5 Security Advisory 2007-002 Original release: 2007-04-03 Last update: 2007-04-06 Topic: KDC, kadmind stack overflow in krb5_klog_syslog Severity: CRITICAL CVE: CVE-2007-0957 CERT: VU#704024 SUMMARY ======= The library function krb5_klog_syslog() can write past the end of a stack buffer. The Kerberos administration daemon (kadmind) as well as the KDC, are vulnerable. Exploitation of this vulnerability is probably simple. This is a vulnerability in the the kadm5 library, which is used by the KDC and kadmind, and possibly by some third-party applications. It is not a bug in the MIT krb5 protocol libraries or in the Kerberos protocol. IMPACT ====== An authenticated user may be able to cause a host running kadmind to execute arbitrary code. An authenticated user may be able to cause a KDC host to execute arbitrary code. Also, a user controlling a Kerberos realm sharing a key with the target realm may be able to cause a KDC host to execute arbitrary code. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications which call krb5_klog_syslog() may also be vulnerable. AFFECTED SOFTWARE ================= * MIT krb5 releases through krb5-1.6 FIXES ===== * The upcoming krb5-1.6.1 release will contain a fix for this vulnerability. Prior to that release you may: * apply the patch The patch is available at http://web.mit.edu/kerberos/advisories/2007-002-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2007-002-patch.txt.asc A patch against krb5-1.5.x is at http://web.mit.edu/kerberos/advisories/2007-002-patch15.txt A PGP-signed patch against krb5-1.5.x is available at http://web.mit.edu/kerberos/advisories/2007-002-patch15.txt.asc Systems which definitely provide vsnprintf() may not need the entire patch; see "DETAILS". Please note that releases prior to krb5-1.5 will require additional changes to the configure script src/lib/kadm5/configure in order to correctly detect the presence of vsnprintf(). krb5-1.5 and later releases already check for vsnprintf() in the top-level configure script, and do not have a separate src/lib/kadm5/configure script. REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVE: CVE-2007-0957 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0957 CERT: VU#704024 http://www.kb.cert.org/vuls/id/704024 ACKNOWLEDGMENTS =============== We thank iDefense Labs for notifying us of this vulnerability. iDefense credits an anonymous discoverer. DETAILS ======= krb5_klog_syslog() uses vsprintf() to format text into a fixed-length stack buffer. Format specifiers such as "%s" used in calls to krb5_klog_syslog() may allow formatting of strings of sufficient length to overwrite memory past the end of the stack buffer. Certain strings received from the client by the kadmin daemon are not truncated prior to logging. Among these strings is the target principal for the kadmin operation. The KDC truncates most client-originated strings prior to logging. One sort of string which is not truncated is a transited-realms string. A malicious KDC sharing a key with the target realm may issue tickets with specially-crafted transited-realms strings to exploit this vulnerability. There are other places where an authenticated user may cause the KDC to log a string which triggers the vulnerability. On a system where vsnprintf() is confirmed to be available, the patches to files other than src/lib/kadm5/logger.c may not be necessary to prevent a buffer overflow; these patches are still useful to prevent malicious users from causing vsnprintf() to obliterate useful log information by means of truncation. REVISION HISTORY ================ 2007-04-06 added krb5-1.5.x patch 2007-04-03 original release Copyright (C) 2007 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (SunOS) iQCVAwUBRha5BabDgE/zdoE9AQLI8gP/V4ZxlYO9C+XMy/8uN9lfnddzQjJVv3aL gRHxkcSuT7iBrLfjte38Honz1R79daFjRC62JGZZ9BVBa92Ek2Vt8XlZnxz1EuRx ZCasroF3EDfILkfCUd2OcfFLOID7XZVfzCWQ+AStOSRzBrGvuyfWNlb2lbZAAAbw JCKLrZx0qmU= =Dpjw -----END PGP SIGNATURE-----