SECURITYVULNS:DOC:3686
History: Oct 26, 2002 - 12:00 a.m.

CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

2002-10-26 00:00:00
vulners.com

EPSS: 0.294 (Low), Percentile: 96.9%

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

Original issue date: October 25, 2002
Last revised: –
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

 * MIT  Kerberos  version  4  and  version  5  up  to  and  including
   krb5-1.2.6
 * KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version
   0.5.1
 * Other  Kerberos implementations derived from vulnerable MIT or KTH
   code

Overview

Multiple Kerberos distributions contain a remotely exploitable buffer
overflow in the Kerberos administration daemon. A remote attacker
could exploit this vulnerability to gain root privileges on a
vulnerable system.

The CERT/CC has received reports that indicate that this vulnerability
is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002
notes that an exploit is circulating.

We strongly encourage sites that use vulnerable Kerberos distributions
to verify the integrity of their systems and apply patches or upgrade
as appropriate.

I. Description

Kerberos is a widely used network protocol that uses strong
cryptography to authenticate clients and servers. The Kerberos
administration daemon (typically called kadmind) handles password
change and other requests to modify the Kerberos database. The daemon
runs on the master Key Distribution Center (KDC) server of a Kerberos
realm.

The code that provides legacy support for the Kerberos 4
administration protocol contains a remotely exploitable buffer
overflow. The vulnerable code does not adequately validate data read
from a network request. This data is subsequently used as an argument
to a memcpy() call, which can overflow a buffer allocated on the
stack. An attacker does not have to authenticate in order to exploit
this vulnerability, and the Kerberos administration daemon runs with
root privileges.
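The paragraph above describes the defect as a length read from the network being passed unchecked to memcpy() into a stack buffer. The following is an added illustration written for this page, not kadmind source and not the real Kerberos 4 administration wire format: a constructed request layout (1-byte opcode, 2-byte big-endian name length, name bytes) parsed first in the unsafe style the advisory describes and then with the two bounds checks that prevent the overflow. NAME_MAX, the request layout, the function names and the sample principal are all assumptions of this example.

```c
/* Added illustration (not kadmind source): the unchecked-length memcpy()
 * pattern the advisory describes, next to a bounds-checked version.
 * The request layout is constructed for this example: 1-byte opcode,
 * 2-byte big-endian name length, then the name bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64  /* hypothetical fixed-size stack buffer */

enum { REQ_OK = 0, REQ_BAD_HDR = -1, REQ_TRUNCATED = -2, REQ_TOO_LONG = -3 };

/* Unsafe pattern: the length field from the wire is trusted as the memcpy()
 * size. A value above NAME_MAX writes past 'name' on the stack, and a value
 * above the bytes received reads past the request. Shown for contrast only;
 * nothing below calls it on malformed input. */
int handle_request_unsafe(const uint8_t *req, size_t req_len)
{
    char name[NAME_MAX];
    if (req_len < 3)
        return REQ_BAD_HDR;
    size_t name_len = ((size_t)req[1] << 8) | req[2];
    memcpy(name, req + 3, name_len);   /* no bound on name_len */
    name[name_len] = '\0';
    return REQ_OK;
}

/* Hardened pattern: the claimed length is checked against both the bytes
 * actually received and the destination size before any copy happens. */
int handle_request_safe(const uint8_t *req, size_t req_len,
                        char *out, size_t out_size)
{
    if (req_len < 3)
        return REQ_BAD_HDR;
    size_t name_len = ((size_t)req[1] << 8) | req[2];
    if (name_len > req_len - 3)     /* would read past the request */
        return REQ_TRUNCATED;
    if (name_len >= out_size)       /* would overflow out (keep room for NUL) */
        return REQ_TOO_LONG;
    memcpy(out, req + 3, name_len);
    out[name_len] = '\0';
    return REQ_OK;
}

/* Builds a request; claimed_len goes into the header even when it disagrees
 * with body_len, so malformed inputs can be constructed for the checks. */
size_t build_request(uint8_t *buf, size_t buf_size, uint8_t opcode,
                     uint16_t claimed_len, const uint8_t *body, size_t body_len)
{
    if (buf_size < 3 + body_len)
        return 0;
    buf[0] = opcode;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, body, body_len);
    return 3 + body_len;
}

/* Constructed sample inputs; each returns the hardened parser's verdict. */
int scenario_valid(void)
{
    uint8_t req[512]; char out[NAME_MAX];
    const char *name = "admin/admin@EXAMPLE.ORG";   /* constructed principal */
    size_t n = build_request(req, sizeof req, 1, (uint16_t)strlen(name),
                             (const uint8_t *)name, strlen(name));
    int rc = handle_request_safe(req, n, out, sizeof out);
    return (rc == REQ_OK && strcmp(out, name) == 0) ? REQ_OK : -99;
}

int scenario_length_exceeds_packet(void)
{
    /* header claims 60000 bytes, only 23 follow */
    uint8_t req[512]; char out[NAME_MAX];
    const char *name = "admin/admin@EXAMPLE.ORG";
    size_t n = build_request(req, sizeof req, 1, 60000,
                             (const uint8_t *)name, strlen(name));
    return handle_request_safe(req, n, out, sizeof out);
}

int scenario_body_exceeds_buffer(void)
{
    /* 200 bytes really are present, but NAME_MAX is 64 */
    uint8_t req[512], big[200]; char out[NAME_MAX];
    memset(big, 'A', sizeof big);
    size_t n = build_request(req, sizeof req, 1, (uint16_t)sizeof big,
                             big, sizeof big);
    return handle_request_safe(req, n, out, sizeof out);
}

int main(void)
{
    printf("valid request:       %d (expect %d)\n", scenario_valid(), REQ_OK);
    printf("length > packet:     %d (expect %d)\n",
           scenario_length_exceeds_packet(), REQ_TRUNCATED);
    printf("body > stack buffer: %d (expect %d)\n",
           scenario_body_exceeds_buffer(), REQ_TOO_LONG);
    return 0;
}
```

The two checks in handle_request_safe() are the point: the first rejects a length field larger than the data actually received (an over-read), the second rejects anything that would not fit the destination together with its terminator (the stack overwrite the advisory describes). Both have to be checked before memcpy() runs, and the check against the destination must use the destination's real size rather than a value derived from the request.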

Both Massachusetts Institute of Technology (MIT) and Kungl Tekniska
Högskolan (KTH) Kerberos are affected, as well as operating systems,
applications, and other Kerberos implementations that use vulnerable
code derived from either the MIT or KTH distributions. In MIT Kerberos
5, the Kerberos 4 administration daemon is implemented in kadmind4. In
KTH Kerberos 4 (eBones), the Kerberos administration daemon is
implemented in kadmind. KTH Kerberos 5 (Heimdal) also implements the
daemon in kadmind; however, the Heimdal daemon is only affected if
compiled with Kerberos 4 support. Since the vulnerable Kerberos
administration daemon is included in the MIT Kerberos 5 and KTH
Heimdal distributions, both Kerberos 4 sites and Kerberos 5 sites that
enable support for the Kerberos 4 administration protocol are
affected.

Further information about this vulnerability may be found in
VU#875073.

MIT has released an advisory that contains information about this
vulnerability:

 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

The KTH eBones and Heimdal web sites also contain information about
this vulnerability:

 KTH eBones
 http://www.pdc.kth.se/kth-krb/

 KTH Heimdal
 http://www.pdc.kth.se/kth-krb/

In addition to resolving the vulnerability described in VU#875073,
version 0.5.1 of KTH Heimdal contains other fixes related to the KDC.
See the ChangeLog for more information:

 ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.5-0.5.1.diff.gz

This vulnerability has been assigned CAN-2002-1235 by the Common
Vulnerabilities and Exposures (CVE) group.

II. Impact

An unauthenticated, remote attacker could execute arbitrary code with
root privileges. If an attacker is able to gain control of a master
KDC, the integrity of the entire Kerberos realm is compromised,
including user and host identities and other systems that accept
Kerberos authentication.

III. Solution

Apply a patch or upgrade

Apply the appropriate patch or upgrade as specified by your vendor.
See Appendix A below and the Systems Affected section of VU#875073 for
specific information.

Disable vulnerable service

Disable support for the Kerberos 4 administration protocol if it is
not needed. In MIT Kerberos 5, this can be achieved by disabling
kadmind4. For information about disabling all Kerberos 4 support in
MIT Kerberos 5 at compile time, see

 http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24

In KTH Heimdal, it is necessary to recompile kadmind in order to
disable support for the Kerberos 4 administration protocol. For
information about disabling all Kerberos 4 support in KTH Heimdal at
compile time, see

 http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing

This solution will prevent Kerberos 4 administrative clients from
accessing the Kerberos database. It will also prevent users with
Kerberos 4 clients from changing their passwords. In general, the
CERT/CC recommends disabling any service that is not explicitly
required.

Block or restrict access

Block access to the Kerberos administration service from untrusted
networks such as the Internet. Furthermore, only allow access to the
service from trusted administrative hosts. By default, the Kerberos 4
administration daemon listens on 751/tcp and 751/udp, and the Kerberos
5 administration daemon listens on 749/tcp and 749/udp. It may be
necessary to block access to the Kerberos 5 administration service if
the daemon also supports the Kerberos 4 administration protocol. This
workaround will prevent administrative connections and password change
requests from blocked networks. Note that this workaround will not
prevent exploitation, but it will limit the possible sources of
attacks.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments.

Apple Computer, Inc.

 The  Kerberos  Administration Daemon was included in Mac OS X 10.0,
 but removed in Mac OS X 10.1 and later.
 We  encourage  sites  that use vulnerable Kerberos distributions to
 verify  the integrity of their systems and apply patches or upgrade
 as appropriate.

Conectiva

 Our  MIT  Kerberos  5  packages in Conectiva Linux 8 do contain the
 vulnerable kadmind4 daemon, but it is not used by default nor is it
 installed as a service.

 Updated packages are being uploaded to our ftp server and should be
 available in a few hours at:

   ftp://atualizacoes.conectiva.com.br/8/

 The  krb5-server-1.2.3-3U8_3cl.i386.rpm  package contains a patched
 kadmind4  daemon.  An  announcement  will  be  sent to our security
 mailing list a few hours after the upload is complete.

Debian

 Debian has released DSA-178:

   http://www.debian.org/security/2002/dsa-178

FreeBSD

 Both the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind
 v4  compatibility)  daemons were vulnerable and have been corrected
 as  of  23  October  2002.  In addition, the heimdal and krb5 ports
 contained  the  same vulnerability and have been corrected as of 24
 October 2002. A Security Advisory is in progress.

KTH Kerberos

 The  eBones  and  Heimdal  web  sites  have  information about this
 vulnerability:

   KTH eBones
   http://www.pdc.kth.se/kth-krb/
 
   KTH Heimdal
   http://www.pdc.kth.se/kth-krb/

Microsoft Corporation

 Microsoft's  implementation  of  Kerberos  is  not affected by this
 vulnerability.

MIT Kerberos

 MIT has released MIT krb5 Security Advisory 2002-002:

   http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

NetBSD

 NetBSD has released NetBSD-SA2002-026:

   ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc

OpenBSD

 OpenBSD  has released Security Fix 016 for OpenBSD 3.1 and Security
 Fix 033 for OpenBSD 3.0.

   OpenBSD 3.1
   http://www.openbsd.org/errata31.html#kadmin

   OpenBSD 3.0
   http://www.openbsd.org/errata30.html#kadmin

Openwall

 Openwall GNU/*/Linux is not vulnerable. We don't provide Kerberos.

SuSE

 SuSE  Linux  7.2  and  later  are  shipped  with  Heimdal  Kerberos
 included,  but  Kerberos  4  support  is  disabled in all releases.
 Therefore, SuSE Linux and SuSE Enterprise Linux are not affected by
 this bug. [See also: SuSE-SA:2002:034]

Wind River Systems (BSDI)

 No version of BSD/OS is vulnerable to this problem.

Appendix B. References

 * http://web.mit.edu/kerberos/www/
 * http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
 * http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24
 * http://www.pdc.kth.se/kth-krb/
 * http://www.pdc.kth.se/heimdal/
 * http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing

 _________________________________________________________________

Authors: Art Manion and Jason A. Rafail.


This document is available from:
http://www.cert.org/advisories/CA-2002-29.html


CERT/CC Contact Information

Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to [email protected]. Please include in the body of your
message

subscribe cert-advisory

  • "CERT" and "CERT Coordination Center" are registered in the U.S.
    Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

October 25, 2002: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPbluwGjtSoHZUTs5AQFRbgQApOEHrz7fSu37W8quhTH34fn4E3Jq/Aih
fTTy4b+hVwLujxlws+5lgug9vBd/QVrZEPT+g7xqBNtpsG+XBlAvUDIZJytKz6vN
rTZbMEyKc6PK92n4OJ1iRgG7WaZibEXaeScZSclEgY8yAkQmoVZUzvwzgZaFXXfQ
ihRKZyB9lbc=
=/bkR
-----END PGP SIGNATURE-----
