CERTVU:38336MIT Kerberos 5 ksu may allow either the '-r' or '-l' time-interval parameter to overflow the stack with the characters ''d', 'h', 'm', or 's'
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
9.8%
Overview
Description
From the reporter:
Time-interval parsing for the “-r” and “-l” command-line options calls a library routine which uses sscanf(“%d%[d]”) and passes the address of an automatic int variable to correspond to the second %-sequence. But the %[ sequence needs an arbitrarily large string buffer. So it’s possible to get an arbitrary-length string consisting entirely of the letter ‘d’ written to the stack. Other sscanf formats it tries to use will also allow a string of ‘h’, ‘m’, or ‘s’ characters to be written, with all characters the same in any string.
Impact
Local user may be able to crash the machine by overwriting the stack with the characters ‘d’, ‘h’, ‘m’, or ‘s’
Solution
Vendor Information
Javascript is disabled. Click here to view vendors.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This document was written by Jeff S Havrilla.
Other Information
| CVE IDs: | CVE-2000-0392 |
|---|---|
| CERT Advisory: | CA-2000-06 Date Public: |
Related
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
9.8%