[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MITKRB5-SA-2007-004: kadmind multiple RPC lib vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-004

Original release: 2007-06-26
Last update: 2007-06-26

Topic: kadmind affected by multiple RPC library vulnerabilities

Severity: CRITICAL

CVE: CVE-2007-2442
CERT: VU#356961

CVE: CVE-2007-2443
CERT: VU#365313

SUMMARY
=======

The MIT krb5 Kerberos administration daemon (kadmind) is affected by
multiple vulnerabilities in the RPC library shipped with MIT krb5.

CVE-2007-2442/VU#356961: The RPC library can free an uninitialized
pointer.  This may lead to execution of arbitrary code.

CVE-2007-2443/VU#365313: The RPC library can write past the end of a
stack buffer.  This may (but is unlikely to) lead to execution of
arbitrary code.

Third-party applications using the RPC library provided with MIT krb5
may also be vulnerable.  Other RPC libraries derived from SunRPC may
be vulnerable to CVE-2007-2443.

Exploitation of these vulnerabilities is believed to be difficult.
(See DETAILS.) Proof-of-concept exploits which do not cause execution
of unintended code exist but are not known to be publicly circulated.

This is a bug in the RPC library included with MIT krb5, which is used
by kadmind and by some third-party applications.  It is not a bug in
the Kerberos protocol.

IMPACT
======

An unauthenticated remote user may be able to cause a host running
kadmind to execute arbitrary code.  CVE-2007-2442 is more likely to
lead to arbitrary code execution than CVE-2007-2443.

Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs.  (kadmind typically
runs as root.)  Unsuccessful exploitation attempts will likely result
in the affected program crashing.

Third-party applications calling the RPC library provided with MIT
krb5 may be vulnerable.  Other RPC libraries derived from SunRPC may
be vulnerable.

AFFECTED SOFTWARE
=================

* kadmind from MIT releases up to and including krb5-1.6.1

* third-party applications calling the RPC library included in MIT
  releases up to and including krb5-1.6.1

FIXES
=====

* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4
  maintenance release, will contain fixes for this vulnerability.

Prior to that release you may:

* apply the patch

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-004-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-004-patch.txt.asc

*** src/lib/rpc/svc_auth_gssapi.c       (revision 20015)
- --- src/lib/rpc/svc_auth_gssapi.c     (local)
***************
*** 149,154 ****
- --- 149,156 ----
       rqst->rq_xprt->xp_auth = &svc_auth_none;
       
       memset((char *) &call_res, 0, sizeof(call_res));
+      creds.client_handle.length = 0;
+      creds.client_handle.value = NULL;
       
       cred = &msg->rm_call.cb_cred;
       verf = &msg->rm_call.cb_verf;
*** src/lib/rpc/svc_auth_unix.c (revision 20015)
- --- src/lib/rpc/svc_auth_unix.c       (local)
***************
*** 64,71 ****
                char area_machname[MAX_MACHINE_NAME+1];
                int area_gids[NGRPS];
        } *area;
!       u_int auth_len;
!       int str_len, gid_len;
        register int i;
  
        rqst->rq_xprt->xp_auth = &svc_auth_none;
- --- 64,70 ----
                char area_machname[MAX_MACHINE_NAME+1];
                int area_gids[NGRPS];
        } *area;
!       u_int auth_len, str_len, gid_len;
        register int i;
  
        rqst->rq_xprt->xp_auth = &svc_auth_none;
***************
*** 74,80 ****
        aup = &area->area_aup;
        aup->aup_machname = area->area_machname;
        aup->aup_gids = area->area_gids;
!       auth_len = (u_int)msg->rm_call.cb_cred.oa_length;
        xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
        buf = XDR_INLINE(&xdrs, (int)auth_len);
        if (buf != NULL) {
- --- 73,81 ----
        aup = &area->area_aup;
        aup->aup_machname = area->area_machname;
        aup->aup_gids = area->area_gids;
!       auth_len = msg->rm_call.cb_cred.oa_length;
!       if (auth_len > INT_MAX)
!               return AUTH_BADCRED;
        xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE);
        buf = XDR_INLINE(&xdrs, (int)auth_len);
        if (buf != NULL) {
***************
*** 84,90 ****
                        stat = AUTH_BADCRED;
                        goto done;
                }
!               memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len);
                aup->aup_machname[str_len] = 0;
                str_len = RNDUP(str_len);
                buf += str_len / BYTES_PER_XDR_UNIT;
- --- 85,91 ----
                        stat = AUTH_BADCRED;
                        goto done;
                }
!               memmove(aup->aup_machname, buf, str_len);
                aup->aup_machname[str_len] = 0;
                str_len = RNDUP(str_len);
                buf += str_len / BYTES_PER_XDR_UNIT;
***************
*** 104,110 ****
                 * timestamp, hostname len (0), uid, gid, and gids len (0).
                 */
                if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
!                       (void) printf("bad auth_len gid %d str %d auth %d\n",
                            gid_len, str_len, auth_len);
                        stat = AUTH_BADCRED;
                        goto done;
- --- 105,111 ----
                 * timestamp, hostname len (0), uid, gid, and gids len (0).
                 */
                if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) {
!                       (void) printf("bad auth_len gid %u str %u auth %u\n",
                            gid_len, str_len, auth_len);
                        stat = AUTH_BADCRED;
                        goto done;

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-2442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442

CVE: CVE-2007-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443

CERT: VU#356961
http://www.kb.cert.org/vuls/id/356961

CERT: VU#365313
http://www.kb.cert.org/vuls/id/365313

ACKNOWLEDGMENTS
===============

We thank McAfee, Inc. for the initial notification.  Wei Wang of
McAfee Avert Labs discovered these vulnerabilities.

DETAILS
=======

CVE-2007-2442: The function gssrpc__svcauth_gssapi() in
src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds"
of type auth_gssapi_creds.  This type includes a gss_buffer_desc
(which includes a pointer to void used as a pointer to a buffer of
bytes).  If gssrpc__svcauth_gssapi() receives an RPC credential with a
length of zero, it jumps to the label "error", which executes some
cleanup code.  At this point, the gss_buffer_desc in "creds" is not
yet initialized, and the cleanup code calls xdr_free() on "creds",
which then attempts to free the memory pointed to by the uninitialized
"value" member of the gss_buffer_desc.

Exploitation of freeing of invalid pointers is believed to be
difficult, and depends on a variety of factors specific to a given
malloc implementation.

CVE-2007-2443: The function gssrpc__svcauth_unix() in
src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from
IXDR_GET_U_LONG into a signed integer variable "str_len".
Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME,
which will always be true of "str_len" is negative, which can happen
when a large unsigned integer is converted to a signed integer.  Once
the length check succeeds, gssrpc__svcauth_unix() calls memmove() with
a length of "str_len" with the target in a stack buffer.

This vulnerability is believed to be difficult to exploit because the
memmove() implementation receives a very large number (a negative
integer converted to a large unsigned value), which will almost
certainly cause some sort of memory access fault prior to returning.
This probably avoids any usage of the corrupted return address in the
overwritten stack frame.  Note that some (perhaps unlikely) memmove()
implementations may call other procedures and thus may be vulnerable
to corrupted return addresses.

REVISION HISTORY
================

2007-06-26      original release

Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRoFJz6bDgE/zdoE9AQL7gAP9E854ZZEi6Vk4sl0CbNYW3UifSZd4MQy2
djW5S/sO93k0Tji/+VQwyG5iIiWIsfotaS66ZuU80K8YTiEfXmyDp81uUUvRMJFT
8i4/L1yf43gA49GF8PV3QqS5QmzMoz8x0vp9OyUq4S/Yh4MpkcnTHW9xU1Fxdhe/
ZJxXE06kRIU=
=Fcvv
-----END PGP SIGNATURE-----