author | Ladislav Hagara | 2007-07-03 23:15:44 +0200 |
---|---|---|
committer | Eric Sandall | 2007-07-03 15:20:38 -0700 |
commit | bc45feaf419143ab0729ba4b70938d2e68914bbb (patch) | |
tree | 5f483be3bb1b66b53989473387fa3e427deb39a5 | |
parent | 686ee83fcfd5b1747401819d7d82729b65445bc0 (diff) |
krb5: SECURITY_PATCH++
(cherry picked from commit a9a0dd16078ef576b8f301792bf707d9ea20c85b)
-rwxr-xr-x | crypto/krb5/BUILD | 4 | ||||
-rwxr-xr-x | crypto/krb5/DETAILS | 2 | ||||
-rw-r--r-- | crypto/krb5/HISTORY | 4 | ||||
-rw-r--r-- | crypto/krb5/MITKRB5-SA-2007-004.txt | 257 | ||||
-rw-r--r-- | crypto/krb5/MITKRB5-SA-2007-005.txt | 229 |
5 files changed, 495 insertions, 1 deletions
diff --git a/crypto/krb5/BUILD b/crypto/krb5/BUILD
index 14d12068f3..3730757dad 100755
--- a/crypto/krb5/BUILD
+++ b/crypto/krb5/BUILD
@@ -6,6 +6,10 @@ fi
 cd $SPELL-$VERSION/src &&
+# Kerberos Security Advisories
+patch -p1 < $SCRIPT_DIRECTORY/MITKRB5-SA-2007-004.txt &&
+patch -p1 < $SCRIPT_DIRECTORY/MITKRB5-SA-2007-005.txt &&
+
 ./configure --enable-dns-for-kdc \
 --enable-dns-for-realm \
 --infodir=/usr/share/info \
diff --git a/crypto/krb5/DETAILS b/crypto/krb5/DETAILS
index 5ebfceb076..e8c04db545 100755
--- a/crypto/krb5/DETAILS
+++ b/crypto/krb5/DETAILS
@@ -9,7 +9,7 @@ SOURCE_DIRECTORY=$BUILD_DIRECTORY/$SPELL-$VERSION
 ENTERED=20020215
 LICENSE[0]=http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6/doc/krb5-install.html#Copyright
 PATCHLEVEL=0
- SECURITY_PATCH=3
+ SECURITY_PATCH=4
 KEYWORDS="security crypto"
 SHORT="Kerberos 5 network security protocol"
 cat << EOF
diff --git a/crypto/krb5/HISTORY b/crypto/krb5/HISTORY
index 6c9544469b..00832c3df5 100644
--- a/crypto/krb5/HISTORY
+++ b/crypto/krb5/HISTORY
@@ -1,3 +1,7 @@
+2007-07-03 Ladislav Hagara <hgr@vabo.cz>
+ * DETAILS: SECURITY_PATCH=4
+ * BUILD, MITKRB5-SA-2007-00[45].txt: added security patches
+
 2007-04-24 Ladislav Hagara <hgr@vabo.cz>
 * DETAILS: 1.6.1
 * BUILD, 2007-00[123]-patch.txt: removed patches
diff --git a/crypto/krb5/MITKRB5-SA-2007-004.txt b/crypto/krb5/MITKRB5-SA-2007-004.txt
new file mode 100644
index 0000000000..33051b7858
--- /dev/null
+++ b/crypto/krb5/MITKRB5-SA-2007-004.txt
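Review bot: The BUILD hunk pipes the PGP-clearsigned advisory texts straight into `patch -p1`, and clearsigning dash-escapes every line that begins with `-`, so the embedded context diffs' new-file headers appear inside those files as `- --- src/lib/rpc/svc_auth_gssapi.c (local)` and `- --- 149,156 ----`; unless the installed GNU patch strips that escaping, the hunks will be rejected or only partly applied, so this should be checked against the unsigned `2007-004-patch.txt` / `2007-005-patch.txt` that the advisories themselves point to (HISTORY shows the spell previously used the `*-patch.txt` form). The two patch lines are also unconditional on `$VERSION` while both advisories state the fixes ship in krb5-1.6.2, so the next version bump must drop them or patch will fail on already-applied hunks; a comment such as `# MITKRB5-SA-2007-004/005: CVE-2007-2442, CVE-2007-2443, CVE-2007-2798 -- fixed upstream in 1.6.2, remove on version bump` would make that visible. Nothing in BUILD verifies the advisories' PGP signatures, so the integrity of the code being patched in rests entirely on the spell repository itself. The configure invocation that follows the added lines continues past the end of the hunk.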
@@ -0,0 +1,257 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + MIT krb5 Security Advisory 2007-004 + +Original release: 2007-06-26 +Last update: 2007-06-26 + +Topic: kadmind affected by multiple RPC library vulnerabilities + +Severity: CRITICAL + +CVE: CVE-2007-2442 +CERT: VU#356961 + +CVE: CVE-2007-2443 +CERT: VU#365313 + +SUMMARY +======= + +The MIT krb5 Kerberos administration daemon (kadmind) is affected by +multiple vulnerabilities in the RPC library shipped with MIT krb5. + +CVE-2007-2442/VU#356961: The RPC library can free an uninitialized +pointer. This may lead to execution of arbitrary code. + +CVE-2007-2443/VU#365313: The RPC library can write past the end of a +stack buffer. This may (but is unlikely to) lead to execution of +arbitrary code. + +Third-party applications using the RPC library provided with MIT krb5 +may also be vulnerable. Other RPC libraries derived from SunRPC may +be vulnerable to CVE-2007-2443. + +Exploitation of these vulnerabilities is believed to be difficult. +(See DETAILS.) Proof-of-concept exploits which do not cause execution +of unintended code exist but are not known to be publicly circulated. + +This is a bug in the RPC library included with MIT krb5, which is used +by kadmind and by some third-party applications. It is not a bug in +the Kerberos protocol. + +IMPACT +====== + +An unauthenticated remote user may be able to cause a host running +kadmind to execute arbitrary code. CVE-2007-2442 is more likely to +lead to arbitrary code execution than CVE-2007-2443. + +Successful exploitation can compromise the Kerberos key database and +host security on the host running these programs. (kadmind typically +runs as root.) Unsuccessful exploitation attempts will likely result +in the affected program crashing. + +Third-party applications calling the RPC library provided with MIT +krb5 may be vulnerable. Other RPC libraries derived from SunRPC may +be vulnerable. 
+ +AFFECTED SOFTWARE +================= + +* kadmind from MIT releases up to and including krb5-1.6.1 + +* third-party applications calling the RPC library included in MIT + releases up to and including krb5-1.6.1 + +FIXES +===== + +* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4 + maintenance release, will contain fixes for this vulnerability. + +Prior to that release you may: + +* apply the patch + + This patch is also available at + + http://web.mit.edu/kerberos/advisories/2007-004-patch.txt + + A PGP-signed patch is available at + + http://web.mit.edu/kerberos/advisories/2007-004-patch.txt.asc + +*** src/lib/rpc/svc_auth_gssapi.c (revision 20015) +- --- src/lib/rpc/svc_auth_gssapi.c (local) +*************** +*** 149,154 **** +- --- 149,156 ---- + rqst->rq_xprt->xp_auth = &svc_auth_none; + + memset((char *) &call_res, 0, sizeof(call_res)); ++ creds.client_handle.length = 0; ++ creds.client_handle.value = NULL; + + cred = &msg->rm_call.cb_cred; + verf = &msg->rm_call.cb_verf; +*** src/lib/rpc/svc_auth_unix.c (revision 20015) +- --- src/lib/rpc/svc_auth_unix.c (local) +*************** +*** 64,71 **** + char area_machname[MAX_MACHINE_NAME+1]; + int area_gids[NGRPS]; + } *area; +! u_int auth_len; +! int str_len, gid_len; + register int i; + + rqst->rq_xprt->xp_auth = &svc_auth_none; +- --- 64,70 ---- + char area_machname[MAX_MACHINE_NAME+1]; + int area_gids[NGRPS]; + } *area; +! u_int auth_len, str_len, gid_len; + register int i; + + rqst->rq_xprt->xp_auth = &svc_auth_none; +*************** +*** 74,80 **** + aup = &area->area_aup; + aup->aup_machname = area->area_machname; + aup->aup_gids = area->area_gids; +! auth_len = (u_int)msg->rm_call.cb_cred.oa_length; + xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE); + buf = XDR_INLINE(&xdrs, (int)auth_len); + if (buf != NULL) { +- --- 73,81 ---- + aup = &area->area_aup; + aup->aup_machname = area->area_machname; + aup->aup_gids = area->area_gids; +! 
auth_len = msg->rm_call.cb_cred.oa_length; +! if (auth_len > INT_MAX) +! return AUTH_BADCRED; + xdrmem_create(&xdrs, msg->rm_call.cb_cred.oa_base, auth_len,XDR_DECODE); + buf = XDR_INLINE(&xdrs, (int)auth_len); + if (buf != NULL) { +*************** +*** 84,90 **** + stat = AUTH_BADCRED; + goto done; + } +! memmove(aup->aup_machname, (caddr_t)buf, (u_int)str_len); + aup->aup_machname[str_len] = 0; + str_len = RNDUP(str_len); + buf += str_len / BYTES_PER_XDR_UNIT; +- --- 85,91 ---- + stat = AUTH_BADCRED; + goto done; + } +! memmove(aup->aup_machname, buf, str_len); + aup->aup_machname[str_len] = 0; + str_len = RNDUP(str_len); + buf += str_len / BYTES_PER_XDR_UNIT; +*************** +*** 104,110 **** + * timestamp, hostname len (0), uid, gid, and gids len (0). + */ + if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) { +! (void) printf("bad auth_len gid %d str %d auth %d\n", + gid_len, str_len, auth_len); + stat = AUTH_BADCRED; + goto done; +- --- 105,111 ---- + * timestamp, hostname len (0), uid, gid, and gids len (0). + */ + if ((5 + gid_len) * BYTES_PER_XDR_UNIT + str_len > auth_len) { +! (void) printf("bad auth_len gid %u str %u auth %u\n", + gid_len, str_len, auth_len); + stat = AUTH_BADCRED; + goto done; + +REFERENCES +========== + +This announcement is posted at: + + http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt + +This announcement and related security advisories may be found on the +MIT Kerberos security advisory page at: + + http://web.mit.edu/kerberos/advisories/index.html + +The main MIT Kerberos web page is at: + + http://web.mit.edu/kerberos/index.html + +CVE: CVE-2007-2442 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442 + +CVE: CVE-2007-2443 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2443 + +CERT: VU#356961 +http://www.kb.cert.org/vuls/id/356961 + +CERT: VU#365313 +http://www.kb.cert.org/vuls/id/365313 + +ACKNOWLEDGMENTS +=============== + +We thank McAfee, Inc. for the initial notification. 
Wei Wang of +McAfee Avert Labs discovered these vulnerabilities. + +DETAILS +======= + +CVE-2007-2442: The function gssrpc__svcauth_gssapi() in +src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds" +of type auth_gssapi_creds. This type includes a gss_buffer_desc +(which includes a pointer to void used as a pointer to a buffer of +bytes). If gssrpc__svcauth_gssapi() receives an RPC credential with a +length of zero, it jumps to the label "error", which executes some +cleanup code. At this point, the gss_buffer_desc in "creds" is not +yet initialized, and the cleanup code calls xdr_free() on "creds", +which then attempts to free the memory pointed to by the uninitialized +"value" member of the gss_buffer_desc. + +Exploitation of freeing of invalid pointers is believed to be +difficult, and depends on a variety of factors specific to a given +malloc implementation. + +CVE-2007-2443: The function gssrpc__svcauth_unix() in +src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from +IXDR_GET_U_LONG into a signed integer variable "str_len". +Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME, +which will always be true of "str_len" is negative, which can happen +when a large unsigned integer is converted to a signed integer. Once +the length check succeeds, gssrpc__svcauth_unix() calls memmove() with +a length of "str_len" with the target in a stack buffer. + +This vulnerability is believed to be difficult to exploit because the +memmove() implementation receives a very large number (a negative +integer converted to a large unsigned value), which will almost +certainly cause some sort of memory access fault prior to returning. +This probably avoids any usage of the corrupted return address in the +overwritten stack frame. Note that some (perhaps unlikely) memmove() +implementations may call other procedures and thus may be vulnerable +to corrupted return addresses. 
+ +REVISION HISTORY +================ + +2007-06-26 original release + +Copyright (C) 2007 Massachusetts Institute of Technology +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.6 (SunOS) + +iQCVAwUBRoFJz6bDgE/zdoE9AQL7gAP9E854ZZEi6Vk4sl0CbNYW3UifSZd4MQy2 +djW5S/sO93k0Tji/+VQwyG5iIiWIsfotaS66ZuU80K8YTiEfXmyDp81uUUvRMJFT +8i4/L1yf43gA49GF8PV3QqS5QmzMoz8x0vp9OyUq4S/Yh4MpkcnTHW9xU1Fxdhe/ +ZJxXE06kRIU= +=Fcvv +-----END PGP SIGNATURE----- diff --git a/crypto/krb5/MITKRB5-SA-2007-005.txt b/crypto/krb5/MITKRB5-SA-2007-005.txt new file mode 100644 index 0000000000..3c578240c2 --- /dev/null +++ b/crypto/krb5/MITKRB5-SA-2007-005.txt 
@@ -0,0 +1,229 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + MIT krb5 Security Advisory 2007-005 + +Original release: 2007-06-26 +Last update: 2007-06-26 + +Topic: kadmind vulnerable to buffer overflow + +Severity: CRITICAL + +CVE: CVE-2007-2798 +CERT: VU#554257 + +SUMMARY +======= + +The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to +a stack buffer overflow. + +Exploitation of overflows of stack buffers is known to be simple. We +have received a proof-of-concept exploit which may invoke a shell, but +we believe that this exploit is not publicly circulated. + +This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos +protocol. + +IMPACT +====== + +An authenticated remote user may be able to cause a host running +kadmind to execute arbitrary code. + +Successful exploitation can compromise the Kerberos key database and +host security on the KDC host. (kadmind typically runs as root.) +Unsuccessful exploitation attempts will likely result in kadmind +crashing. + +AFFECTED SOFTWARE +================= + +* kadmind from MIT releases up to and including krb5-1.6.1 + +FIXES +===== + +* The upcoming krb5-1.6.2 release, as well as the upcoming krb5-1.5.4 + maintenance release, will contain fixes for this vulnerability. + +Prior to that release you may: + +* apply the patch + +This patch has the patch in MITKRB5-SA-2007-002 as a prerequisite. +The krb5-1.6.1 and krb5-1.5.3 releases already contains the +prerequisite patch. 
+ + This patch is also available at + + http://web.mit.edu/kerberos/advisories/2007-005-patch.txt + + A PGP-signed patch is available at + + http://web.mit.edu/kerberos/advisories/2007-005-patch.txt.asc + +*** src/kadmin/server/server_stubs.c (revision 20024) +- --- src/kadmin/server/server_stubs.c (local) +*************** +*** 545,557 **** + static generic_ret ret; + char *prime_arg1, + *prime_arg2; +- - char prime_arg[BUFSIZ]; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; + char *errmsg; + + xdr_free(xdr_generic_ret, &ret); + +- --- 545,558 ---- + static generic_ret ret; + char *prime_arg1, + *prime_arg2; + gss_buffer_desc client_name, + service_name; + OM_uint32 minor_stat; + kadm5_server_handle_t handle; + restriction_t *rp; + char *errmsg; ++ size_t tlen1, tlen2, clen, slen; ++ char *tdots1, *tdots2, *cdots, *sdots; + + xdr_free(xdr_generic_ret, &ret); + +*************** +*** 572,578 **** + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; + } +! sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2); + + ret.code = KADM5_OK; + if (! CHANGEPW_SERVICE(rqstp)) { +- --- 573,586 ---- + ret.code = KADM5_BAD_PRINCIPAL; + goto exit_func; + } +! tlen1 = strlen(prime_arg1); +! trunc_name(&tlen1, &tdots1); +! tlen2 = strlen(prime_arg2); +! trunc_name(&tlen2, &tdots2); +! clen = client_name.length; +! trunc_name(&clen, &cdots); +! slen = service_name.length; +! trunc_name(&slen, &sdots); + + ret.code = KADM5_OK; + if (! CHANGEPW_SERVICE(rqstp)) { +*************** +*** 590,597 **** + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +! log_unauth("kadm5_rename_principal", prime_arg, +! &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +- --- 598,612 ---- + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +! krb5_klog_syslog(LOG_NOTICE, +! 
"Unauthorized request: kadm5_rename_principal, " +! "%.*s%s to %.*s%s, " +! "client=%.*s%s, service=%.*s%s, addr=%s", +! tlen1, prime_arg1, tdots1, +! tlen2, prime_arg2, tdots2, +! clen, client_name.value, cdots, +! slen, service_name.value, sdots, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +*************** +*** 600,607 **** + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! log_done("kadm5_rename_principal", prime_arg, errmsg, +! &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg1); +- --- 615,629 ---- + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +! krb5_klog_syslog(LOG_NOTICE, +! "Request: kadm5_rename_principal, " +! "%.*s%s to %.*s%s, %s, " +! "client=%.*s%s, service=%.*s%s, addr=%s", +! tlen1, prime_arg1, tdots1, +! tlen2, prime_arg2, tdots2, errmsg, +! clen, client_name.value, cdots, +! slen, service_name.value, sdots, +! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); + } + free_server_handle(handle); + free(prime_arg1); + +REFERENCES +========== + +This announcement is posted at: + + http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt + +This announcement and related security advisories may be found on the +MIT Kerberos security advisory page at: + + http://web.mit.edu/kerberos/advisories/index.html + +The main MIT Kerberos web page is at: + + http://web.mit.edu/kerberos/index.html + +CVE: CVE-2007-2798 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798 + +CERT: VU#554257 +http://www.kb.cert.org/vuls/id/554257 + +ACKNOWLEDGMENTS +=============== + +We thank iDefense for the initial notification. iDefense credits an +anonymous discoverer. 
+ +DETAILS +======= + +The kadmind code which performs the principal renaming operation +passes unchecked string arguments to a sprintf() call which has a +fixed-size stack buffer as its destination. These strings are the old +and new principal names passed to the rename operation. The attacker +needs to authenticate to kadmind to perform this attack, but no +administrative privileges are required because the vulnerable code +executes prior to privilege verification. + +REVISION HISTORY +================ + +2007-06-26 original release + +Copyright (C) 2007 Massachusetts Institute of Technology +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.6 (SunOS) + +iQCVAwUBRoFJ16bDgE/zdoE9AQJKkQP/V95mZTlvUeuc1+Pw6m3vx+0jd2yGdR9Y +NiM1Kfe80u4TjvXIkCLLrIwE2E8+xSjEpGsG0EBqlRpAKOMtXyfzySYF4RdQl8QI +42joEAhYO4sk4xueb9ZC/GW1BCOobkvH+Apq1mXEndfeM/7QHRo/MJRZry8aek8r +Xfd3cRNQogQ= +=JE8k +-----END PGP SIGNATURE----- |