-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MIT krb5 Security Advisory 2007-004 Original release: 2007-06-26 Last update: 2007-06-26 Topic: kadmind affected by multiple RPC library vulnerabilities Severity: CRITICAL CVE: CVE-2007-2442 CERT: VU#356961 CVE: CVE-2007-2443 CERT: VU#365313 SUMMARY ======= The MIT krb5 Kerberos administration daemon (kadmind) is affected by multiple vulnerabilities in the RPC library shipped with MIT krb5. CVE-2007-2442/VU#356961: The RPC library can free an uninitialized pointer. This may lead to execution of arbitrary code. CVE-2007-2443/VU#365313: The RPC library can write past the end of a stack buffer. This may (but is unlikely to) lead to execution of arbitrary code. Third-party applications using the RPC library provided with MIT krb5 may also be vulnerable. Other RPC libraries derived from SunRPC may be vulnerable to CVE-2007-2443. Exploitation of these vulnerabilities is believed to be difficult. (See DETAILS.) Proof-of-concept exploits which do not cause execution of unintended code exist but are not known to be publicly circulated. This is a bug in the RPC library included with MIT krb5, which is used by kadmind and by some third-party applications. It is not a bug in the Kerberos protocol. IMPACT ====== An unauthenticated remote user may be able to cause a host running kadmind to execute arbitrary code. CVE-2007-2442 is more likely to lead to arbitrary code execution than CVE-2007-2443. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind typically runs as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling the RPC library provided with MIT krb5 may be vulnerable. Other RPC libraries derived from SunRPC may be vulnerable. AFFECTED SOFTWARE ================= * kadmind from MIT releases up to and including krb5-1.6.1 * third-party applications calling the RPC library included in MIT releases up to and including krb5-1.6.1 FIXES ===== * The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4 maintenance release, will contain fixes for this vulnerability. Prior to that release you may: * apply the patch This patch is also available at http://web.mit.edu/kerberos/advisories/2007-004-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2007-004-patch.txt.asc *** src/lib/rpc/svc_auth_gssapi.c (revision 20015) - --- src/lib/rpc/svc_auth_gssapi.c (local) *************** *** 149,154 **** - --- 149,156 ---- rqst->rq_xprt->xp_auth = &svc_auth_none; memset((char *) &call_res, 0, sizeof(call_res)); + creds.client_handle.length = 0; + creds.client_handle.value = NULL; cred = &msg->rm_call.cb_cred; verf = &msg->rm_call.cb_verf; *** src/lib/rpc/svc_auth_unix.c (revision 20015) - --- src/lib/rpc/svc_auth_unix.c (local) *************** *** 64,71 **** char area_machname[MAX_MACHINE_NAME+1]; int area_gids[NGRPS]; } *area; ! u_int auth_len; ! int str_len, gid_len; register int i; rqst->rq_xprt->xp_auth = &svc_auth_none; - --- 64,70 ---- char area_machname[MAX_MACHINE_NAME+1]; int area_gids[NGRPS]; } *area; ! u_int auth_len, str_len, gid_len; register int i; rqst->rq_xprt->xp_auth = &svc_auth_none; *************** *** 74,80 **** aup = &area->area_aup; aup->aup_machname = area->area_machname; aup->aup_gids = area->area_gids; ! auth_len = (u_int)msg->rm_call.cb_cred.oa_length; xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE); buf = XDR_INLINE(&xdrs, (int)auth_len); if (buf != NULL) { - --- 73,81 ---- aup = &area->area_aup; aup->aup_machname = area->area_machname; aup->aup_gids = area->area_gids; ! auth_len = msg->rm_call.cb_cred.oa_length; ! if (auth_len > INT_MAX) ! return AUTH_BADCRED; xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE); buf = XDR_INLINE(&xdrs, (int)auth_len); if (buf != NULL) { *************** *** 84,90 **** stat = AUTH_BADCRED; goto done; } ! memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len); aup->aup_machname[str_len] = 0; str_len = RNDUP(str_len); buf += str_len / BYTES_PER_XDR_UNIT; - --- 85,91 ---- stat = AUTH_BADCRED; goto done; } ! memmove(aup->aup_machname, buf, str_len); aup->aup_machname[str_len] = 0; str_len = RNDUP(str_len); buf += str_len / BYTES_PER_XDR_UNIT; *************** *** 104,110 **** * timestamp, hostname len (0), uid, gid, and gids len (0). */ if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) { ! (void) printf("bad auth_len gid %d str %d auth %d\n", gid_len, str_len, auth_len); stat = AUTH_BADCRED; goto done; - --- 105,111 ---- * timestamp, hostname len (0), uid, gid, and gids len (0). */ if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) { ! (void) printf("bad auth_len gid %u str %u auth %u\n", gid_len, str_len, auth_len); stat = AUTH_BADCRED; goto done; REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVE: CVE-2007-2442 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442 CVE: CVE-2007-2443 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443 CERT: VU#356961 http://www.kb.cert.org/vuls/id/356961 CERT: VU#365313 http://www.kb.cert.org/vuls/id/365313 ACKNOWLEDGMENTS =============== We thank McAfee, Inc. for the initial notification. Wei Wang of McAfee Avert Labs discovered these vulnerabilities. DETAILS ======= CVE-2007-2442: The function gssrpc__svcauth_gssapi() in src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds" of type auth_gssapi_creds. This type includes a gss_buffer_desc (which includes a pointer to void used as a pointer to a buffer of bytes). If gssrpc__svcauth_gssapi() receives an RPC credential with a length of zero, it jumps to the label "error", which executes some cleanup code. At this point, the gss_buffer_desc in "creds" is not yet initialized, and the cleanup code calls xdr_free() on "creds", which then attempts to free the memory pointed to by the uninitialized "value" member of the gss_buffer_desc. Exploitation of freeing of invalid pointers is believed to be difficult, and depends on a variety of factors specific to a given malloc implementation. CVE-2007-2443: The function gssrpc__svcauth_unix() in src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from IXDR_GET_U_LONG into a signed integer variable "str_len". Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME, which will always be true of "str_len" is negative, which can happen when a large unsigned integer is converted to a signed integer. Once the length check succeeds, gssrpc__svcauth_unix() calls memmove() with a length of "str_len" with the target in a stack buffer. This vulnerability is believed to be difficult to exploit because the memmove() implementation receives a very large number (a negative integer converted to a large unsigned value), which will almost certainly cause some sort of memory access fault prior to returning. This probably avoids any usage of the corrupted return address in the overwritten stack frame. Note that some (perhaps unlikely) memmove() implementations may call other procedures and thus may be vulnerable to corrupted return addresses. REVISION HISTORY ================ 2007-06-26 original release Copyright (C) 2007 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (SunOS) iQCVAwUBRoFJz6bDgE/zdoE9AQL7gAP9E854ZZEi6Vk4sl0CbNYW3UifSZd4MQy2 djW5S/sO93k0Tji/+VQwyG5iIiWIsfotaS66ZuU80K8YTiEfXmyDp81uUUvRMJFT 8i4/L1yf43gA49GF8PV3QqS5QmzMoz8x0vp9OyUq4S/Yh4MpkcnTHW9xU1Fxdhe/ ZJxXE06kRIU= =Fcvv -----END PGP SIGNATURE-----