-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-003

Original release: 2007-04-03
Last update: 2007-04-03

Topic: double-free vulnerability in kadmind (via GSS-API library)

Severity: CRITICAL

CVE: CVE-2007-1216
CERT: VU#419344

SUMMARY
=======

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a double-free attack in the RPCSEC_GSS authentication flavor of the
RPC library, which itself results from a bug in the GSS-API library.
Under some error conditions, the krb5 GSS-API mechanism can free a
buffer which an application may then free again.  This may result in
arbitrary code execution.  Third-party applications using the GSS-API
library provided with MIT krb5 may also be vulnerable.

Exploitation of double-free bugs is believed to be difficult.

This is a bug in the GSS-API library included with MIT krb5, which is
used by kadmind and by some third-party applications.  It is not a bug
in the Kerberos protocol.

IMPACT
======

An authenticated user may be able to cause a host running kadmind to
execute arbitrary code.

Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs.  (kadmind and the
KDC typically run as root.)  Unsuccessful exploitation attempts will
likely result in the affected program crashing.

Third-party applications calling either the RPC library or the GSS-API
library provided with MIT krb5 may be vulnerable.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases krb5-1.4 through krb5-1.6

* third-party applications calling the RPC library included in MIT
  releases krb5-1.4 through krb5-1.6

* kadmind and third-party applications calling the RPC library in MIT
  releases earlier than krb5-1.4 may not be vulnerable because the
  RPCSEC_GSS authentication flavor was not implemented in those RPC
  libraries.

* third-party applications calling the GSS-API library included in any
  MIT krb5 releases, up to and including krb5-1.6, if the application
  handles GSS-API errors in a certain way

FIXES
=====

* The upcoming krb5-1.6.1 release will contain a fix for this
  vulnerability.

Prior to that release you may:

* apply the patch

  Note that releases prior to krb5-1.3 will require a different patch
  due to an additional related vulnerability in the same file.

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-003-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-003-patch.txt.asc

*** src/lib/gssapi/krb5/k5unseal.c	(revision 19510)
- --- src/lib/gssapi/krb5/k5unseal.c	(revision 19511)
***************
*** 457,464 ****
  
      if ((ctx->initiate && direction != 0xff) ||
  	(!ctx->initiate && direction != 0)) {
! 	if (toktype == KG_TOK_SEAL_MSG)
  	    xfree(token.value);
  	*minor_status = G_BAD_DIRECTION;
  	return(GSS_S_BAD_SIG);
      }
- --- 457,467 ----
  
      if ((ctx->initiate && direction != 0xff) ||
  	(!ctx->initiate && direction != 0)) {
! 	if (toktype == KG_TOK_SEAL_MSG) {
  	    xfree(token.value);
+ 	    message_buffer->value = NULL;
+ 	    message_buffer->length = 0;
+ 	}
  	*minor_status = G_BAD_DIRECTION;
  	return(GSS_S_BAD_SIG);
      }

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-1216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1216

CERT: VU#419344
http://www.kb.cert.org/vuls/id/419344

ACKNOWLEDGMENTS
===============

This bug was found while exercising the GSS-API library using the
GSSTEST test program provided by SAP AG.

Shiva Persaud of IBM alerted us to an ambiguity in the wording of a
draft of this advisory.

DETAILS
=======

The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees
memory allocated for the "message_buffer" gss_buffer_t when it detects
an invalid direction encoding on the message.  It does not set the
pointer to NULL, nor does it set the length to zero.  An application
subsequently calling gss_release_buffer() on this gss_buffer_t will
cause memory to be freed twice.

Much code provided with MIT krb5 does not attempt to call
gss_release_buffer() when gss_unseal() or gss_unwrap() fails, even
though the GSS-API C-bindings specification permits it to do so.  The
RPCSEC_GSS authentication flavor for the RPC library, introduced in
krb5-1.4, does call gss_release_buffer() when gss_unwrap() fails.
This allows an authenticated attacker to trigger a double-free
situation.

Third-party applications calling the RPC library provided with MIT
krb5 and using the RPCSEC_GSS authentication flavor are vulnerable.
Third-party applications calling the MIT GSS-API library are
vulnerable if they call gss_release_buffer() when they experience
errors from gss_unseal() or gss_unwrap().

REVISION HISTORY
================

2007-04-03      original release

Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRhKVU6bDgE/zdoE9AQJS0gP/fieb8glCvyZHOiJkVRGGbtzzSPC2RcHN
IkuF+aJo+KaKSFE+aKjce6Yx8jbOeqXx6CJe6UivGwXr1yyp31dh4B92N+3kMJlk
bsNlmNJOg2iOAo+YTINokfIwsYZSWcAv1UVjhTYlev0sn9IdI/a1NNhNpIvkSDg0
NdPwbLy4wi8=
=MwHB
-----END PGP SIGNATURE-----