Vulnerabilities in Kerberos V

Title: Vulnerabilities in Kerberos V
Date Issued: April 29, 1997
Last Modified: April 29, 1997
Code: SNI-13
Source: Network Associates (was SNI)

Secure Networks Inc. Security Advisory
April 29, 1997

Vulnerabilities in Kerberos V

This advisory details two serious vulnerabilities in Kerberos V, which allow attackers to obtain root access to Kerberos clients and servers.

Problem Descriptions:

Problem 1 :

Kerberos V sites which are running Kerberos IV programs and using the Kerberos IV compatibility libraries, including certain Bones-derived Kerberos IV implementations, are vulnerable to a local buffer overflow. The problem is exploitable if there are setuid or setgid programs (such as a Kerberized rlogin) which use Kerberos IV functions. The problem occurs because certain Kerberos programs permit the Kerberos configuration file to be specified via an environment variable, and do not perform proper checking when reading the file it names.

Problem 2 :

Systems running the Kerberos V telnet daemon are vulnerable to a buffer overflow in the Kerberized telnet daemon. This buffer overflow can allow remote root access to unauthorized users.

Technical Details

Problem 1 :

This problem stems from a feature in the Kerberos IV compatibility library under Kerberos V. The problem occurs because no bounds checking is applied when reading configuration files, and the configuration file to read may be stipulated via an environment variable. A malicious user who points that variable at a hand-crafted config file can overflow a buffer and seize root privileges if any setuid program calls the affected functions in the library.
The following code in src/lib/krb4/g_krbhst.c illustrates the problem:

    int INTERFACE
    krb_get_krbhst(h,r,n)
        char *h;
        char *r;
        int n;
    {
        FILE *cnffile, *krb__get_cnffile();
        char tr[REALM_SZ];          /* fixed-size realm buffer */
        char linebuf[BUFSIZ];
        register int i;

        /* cnffile is the file named by $KRB_CONF when that variable is set */
        cnffile = krb__get_cnffile();
        if (!cnffile)
            return get_krbhst_default(h, r, n);
        /* "%s" carries no width: a token longer than REALM_SZ overruns tr */
        if (fscanf(cnffile,"%s",tr) == EOF)
            return get_krbhst_default(h, r, n);
        ...

where the krb__get_cnffile() function returns a stream for the file named by the environment variable KRB_CONF, or for the config file in the default location. The same set of problems, with a different environment variable name, exists in the KTH 0.9.3, OpenBSD 2.0, and Cygnus R3 Bones-derived Kerberos IV distributions.

Problem 2 :

The second problem lies in the Kerberized telnet daemon, which, due to improper bounds checking of the TERM variable, is vulnerable to a remote buffer overflow. The following fragment of start_login() in sys_term.c illustrates the problem:

    ...
    char speed[128];
    ...
    /* TERM is set from the value the remote client sends; "%s" copies it
     * into speed[] with no length limit */
    sprintf(speed, "%s/%d", (cp = getenv("TERM")) ? cp : "",
            (def_rspeed > 0) ? def_rspeed : 9600);
    ...

Impact

Problem 1 : Setuid programs using Kerberos can allow shell users to gain unauthorized root access to vulnerable systems.

Problem 2 : Remote individuals can gain root access to hosts running the Kerberos V telnet daemon.

Vulnerable Systems

Problem 1 : Sites running setuid or setgid Kerberos IV programs and using the Kerberos IV compatibility libraries in Kerberos V 1.0 are vulnerable to the environment variable config file buffer overflow. In addition, a number of Bones-derived Kerberos IV implementations have had an environment-variable-based config file override feature added. The KTH (version 0.9.3) distribution, the one in OpenBSD 2.0 as well as OpenBSD-current prior to 27 March 1997, and the Cygnus R3 distribution all appear to have this problem. The standard vanilla MIT Kerberos IV code is NOT vulnerable to this problem.
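The following C is an added example, not code from this advisory or from any Kerberos distribution: it shows bounded replacements for the two unchecked calls quoted under Technical Details, a width-limited fscanf() for the realm token read from the KRB_CONF file, and an snprintf() with a truncation check for the TERM/speed string in start_login(). The REALM_SZ value, the function names and the sample config contents are assumptions constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REALM_SZ 40   /* name from the Kerberos IV headers; value assumed here */

/* Bounded replacement for fscanf(cnffile, "%s", tr) in krb_get_krbhst(): the
 * width caps the token at REALM_SZ-1 bytes and the next byte is checked, so an
 * over-long realm name in a user-supplied config file is rejected rather than
 * silently truncated.  Returns 1 on success, 0 on EOF, -1 if too long. */
int read_realm_token(FILE *cnffile, char tr[REALM_SZ])
{
    char fmt[16];
    int c;
    snprintf(fmt, sizeof fmt, "%%%ds", REALM_SZ - 1);   /* -> "%39s" */
    if (fscanf(cnffile, fmt, tr) != 1)
        return 0;
    c = fgetc(cnffile);
    if (c != EOF && !isspace(c))
        return -1;      /* token continued past the buffer limit */
    return 1;
}

/* Runs read_realm_token() over constructed config contents: the string is
 * written to a tmpfile() and the first token is read back into tr. */
int realm_from_string(const char *contents, char tr[REALM_SZ])
{
    FILE *f = tmpfile();
    int rc;
    if (!f) return 0;
    fputs(contents, f);
    rewind(f);
    rc = read_realm_token(f, tr);
    fclose(f);
    return rc;
}

/* Bounded replacement for the sprintf() in start_login(): snprintf() never
 * writes past speed_sz bytes, and its return value reveals when the client-
 * supplied TERM would have overflowed.  Returns 0 on success; on truncation
 * speed is emptied (no partial value reaches login) and -1 is returned. */
int build_speed_string(char *speed, size_t speed_sz, const char *term, int def_rspeed)
{
    int n = snprintf(speed, speed_sz, "%s/%d", term ? term : "",
                     (def_rspeed > 0) ? def_rspeed : 9600);
    if (n >= 0 && (size_t)n < speed_sz)
        return 0;
    speed[0] = '\0';
    return -1;
}
```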
Problem 2 : Any system running the Kerberos V 1.0 telnet daemon is vulnerable to the buffer overflow in it.

Fix information

The problems described in Kerberos V are fixed by updating your Kerberos installation to Kerberos V 1.0 patch level 1. Information about obtaining the update to Kerberos V can be found at http://web.mit.edu/kerberos/www/krb5-1.0/announce.html

OpenBSD users should update to OpenBSD-current via anoncvs and recompile their Kerberos libraries. Cygnus plans to release patches for the Cygnus Kerberos distributions shortly.

Additional Information

If you have any questions about this advisory, feel free to mail me at davids@secnet.com. Past Secure Networks advisories can be found at ftp://ftp.secnet.com/pub/advisories, and Secure Networks papers can be found at ftp://ftp.secnet.com/pub/papers.

This advisory was written by David Sacerdote.

Kerberos is a trademark of the Massachusetts Institute of Technology (MIT). Information on obtaining the MIT Kerberos IV and V distributions can be found at ftp://athena-dist.mit.edu/pub/kerberos

Many thanks to AusCERT, Mark Eichin, Theodore Y. Ts'o and Thorsten Lockert for the invaluable assistance and feedback they provided during the preparation of this advisory.

Feel free to send responses and comments to sni@secnet.com. If you should wish to encrypt such traffic, please use the Secure Networks Inc.
key:

Copyright Notice

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and may be distributed freely provided that no fee is charged for distribution, and that proper credit is given.

Kerberos sources distributed in this advisory fall under some or all of the following license(s):

Copyright (C) 1996 by the Massachusetts Institute of Technology. All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose.
It is provided "as is" without express or implied warranty.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support, OpenVision, Oracle, Sun Soft, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).

The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved

WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED.
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.

OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.