Original release date: May 17, 2000<BR>
Last revised: Sep 14, 2001<BR>
Source: The MIT Kerberos Team, CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<UL>
<LI>Systems running services authenticated via Kerberos 4</LI>
<LI>Some systems running services authenticated via Kerberos 5</LI>
<LI>Systems running the Kerberized remote shell daemon (krshd)</LI>
<LI>Systems with the Kerberos 5 ksu utility installed</LI>
<LI>Systems with the Kerberos 5 v4rcp utility installed</LI>
</UL>

<A NAME="overview">
<H2>Overview</H2>

<P>The CERT Coordination Center has recently been notified of several
buffer overflow vulnerabilities in the Kerberos authentication
software. The most severe vulnerability allows remote intruders to
gain root privileges on systems running services using Kerberos
authentication. If vulnerable services are enabled on the Key
Distribution Center (KDC) system, the entire Kerberos domain may be
compromised.

<A NAME="description">
<H2>I. Description</H2>

<P>There are at least four distinct vulnerabilities in various
versions and implementations of the Kerberos software. All of these
vulnerabilities may be exploited to obtain root privileges.

<A NAME="krb_rd_req">
<H4>Buffer overflow in krb_rd_req() library function</H4>

<P>This vulnerability is present in version 4 of Kerberos. It is also
present in version 5 (in the version 4 compatibility code). This
vulnerability can be exploited in services using version 4 or 5 when they
perform version 4 authentication. This vulnerability may also be
exploited locally via the v4rcp setuid root program of Kerberos 5.

<P>This vulnerability may be exploitable in version 4.  This
vulnerability is exploitable in version 5 in conjunction with the
krb425_conv_principal() vulnerability, described below.

<A NAME="krb425_conv_principal">
<H4>Buffer overflow in krb425_conv_principal() library function</H4>

<P>This vulnerability is present in version 5's backward compatibility
code. This vulnerability is known to be exploitable in version 5 in
conjunction with an exploit of the krb_rd_req() vulnerability. 

<A NAME="krshd">
<H4>Buffer overflow in krshd</H4>

<P>This vulnerability is only present in version 5.  This
vulnerability is not related to the previous two vulnerabilities.

<A NAME="ksu">
<H4>Buffer overflow in ksu</H4>

<P>This vulnerability is only present in version 5, and is corrected
in krb5-1.1.1 and krb5-1.0.7-beta1.  The ksu vulnerability is
unrelated to the other vulnerabilities.
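<P>The bug class behind the overruns named above, as an added illustration that is constructed for this page and is not MIT's krb4 code (it does not reproduce the real krb_rd_req() or krb425_conv_principal() logic): a parser copies the name, instance and realm strings of a peer-supplied credential into fixed-size fields. The message layout (three NUL-terminated strings), the 40-byte field size, the function names and the sample principal are all assumptions of this example. The unchecked parser shows the pattern that lets a remote peer write past a field; the checked one bounds every copy by both the message length and the destination size, which is the shape of fix the advisory's patches apply.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_SZ 40   /* assumed fixed field size for this illustration */

/* A principal as a Kerberos 4 style service might hold it: three fixed
 * fields filled from data the network peer controls (constructed layout). */
struct v4_principal {
    char name[FIELD_SZ];
    char inst[FIELD_SZ];
    char realm[FIELD_SZ];
};

/* The overrun pattern: each string is copied up to the sender's NUL with no
 * check against the destination size, so a 60-byte name writes 20 bytes past
 * name[]; nothing stops the copy running past the message end either. */
int parse_principal_unchecked(const char *msg, struct v4_principal *out)
{
    strcpy(out->name, msg);  msg += strlen(msg) + 1;
    strcpy(out->inst, msg);  msg += strlen(msg) + 1;
    strcpy(out->realm, msg);
    return 0;
}

/* Hardened form: a field is accepted only if its terminator lies inside the
 * message and the field plus its NUL fits the destination. */
static int copy_field(const unsigned char *msg, size_t msglen, size_t *pos,
                      char *dst, size_t dstsz)
{
    size_t start = *pos, n = 0;

    while (start + n < msglen && msg[start + n] != '\0') {
        if (++n >= dstsz)            /* no room left for the NUL: reject */
            return -1;
    }
    if (start + n >= msglen)         /* message ended before the NUL */
        return -1;
    memcpy(dst, msg + start, n);
    dst[n] = '\0';
    *pos = start + n + 1;            /* step past the terminator */
    return 0;
}

int parse_principal_checked(const unsigned char *msg, size_t msglen,
                            struct v4_principal *out)
{
    size_t pos = 0;

    if (copy_field(msg, msglen, &pos, out->name,  sizeof out->name)  != 0 ||
        copy_field(msg, msglen, &pos, out->inst,  sizeof out->inst)  != 0 ||
        copy_field(msg, msglen, &pos, out->realm, sizeof out->realm) != 0)
        return -1;
    return 0;
}

/* Constructed sample message: name, instance, realm, each NUL-terminated. */
static const unsigned char SAMPLE_OK[] = "alice\0admin\0EXAMPLE.COM";

static int fields_match(const struct v4_principal *p)
{
    return strcmp(p->name, "alice") == 0 && strcmp(p->inst, "admin") == 0 &&
           strcmp(p->realm, "EXAMPLE.COM") == 0;
}

/* Both parsers agree on well-formed input (returns 1) ... */
int demo_unchecked_on_valid(void)
{
    struct v4_principal p;
    parse_principal_unchecked((const char *)SAMPLE_OK, &p);
    return fields_match(&p);
}

int demo_checked_accepts_valid(void)
{
    struct v4_principal p;
    if (parse_principal_checked(SAMPLE_OK, sizeof SAMPLE_OK, &p) != 0)
        return 0;
    return fields_match(&p);
}

/* ... but only the checked parser refuses a 60-byte name (returns -1). */
int demo_checked_rejects_long_name(void)
{
    unsigned char msg[128];
    struct v4_principal p;
    size_t i = 60;

    memset(msg, 'A', 60);                     /* 60-byte name, limit is 39 */
    msg[i++] = '\0';
    memcpy(msg + i, "admin", 6);        i += 6;
    memcpy(msg + i, "EXAMPLE.COM", 12); i += 12;
    return parse_principal_checked(msg, i, &p);
}

/* A message cut off before the realm's NUL is rejected rather than read past. */
int demo_checked_rejects_truncated(void)
{
    struct v4_principal p;
    return parse_principal_checked(SAMPLE_OK, sizeof SAMPLE_OK - 1, &p);
}

int main(void)
{
    printf("valid accepted: %d\n", demo_checked_accepts_valid());
    printf("long name rejected: %d\n", demo_checked_rejects_long_name());
    printf("truncated rejected: %d\n", demo_checked_rejects_truncated());
    return 0;
}
```

<P>The demo_ functions return the parse outcome so the two parsers can be compared on the same input; the unchecked one is only ever run on the well-formed sample, since feeding it the oversized name is exactly the undefined behaviour the advisory is about.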

<H3>The MIT Kerberos Team Advisory</H3>

<P>The MIT Kerberos Team described these vulnerabilities in detail in
an advisory they recently issued.  The text of this advisory is
included below.

<P>

<TABLE>
<TR>
<TD BGCOLOR="#000000" WIDTH=1>|</TD>
<TD BGCOLOR="#DFDFDF" WIDTH=100%>
<FONT FACE="Verdana" COLOR="#004A6B"><SMALL>

<H4>SUMMARY</H4>

<P>Serious buffer overrun vulnerabilities exist in many
implementations of Kerberos 4, including implementations included for
backwards compatibility in Kerberos 5 implementations.  Other less
serious buffer overrun vulnerabilities have also been discovered.  ALL
KNOWN KERBEROS 4 IMPLEMENTATIONS derived from MIT sources are believed
to be vulnerable.

<H4>IMPACT</H4>

<UL>

<LI>A remote user may gain unauthorized root access to a machine
running services authenticated with Kerberos 4.

<LI>A remote user may gain unauthorized root access to a machine
running krshd, regardless of whether the program is configured to
accept Kerberos 4 authentication.

<LI>A local user may gain unauthorized root access by exploiting v4rcp
or ksu.

</UL>

<H4>DETAILS</H4>

<P>The MIT Kerberos Team has been made aware of a security
vulnerability in the Kerberos 4 compatibility code contained within
the MIT Kerberos 5 source distributions.  This vulnerability consists
of a buffer overrun in the krb_rd_req() function, which is used by
essentially all Kerberos-authenticated services that use Kerberos 4
for authentication.  It is possible for an attacker to gain root
access over the network by exploiting this vulnerability.

<P>An exploit is known to exist for the Kerberized Berkeley remote
shell daemon (krshd) for at least the i386-Linux platform, and
possibly others.  The extent of distribution of this exploit is
unknown at this time.

<P>Other buffer overruns have been discovered as well, though with
less far-reaching impact.

<P>The existing exploit does not directly use the buffer overrun in
krb_rd_req(); rather, it uses the buffer that was overrun by
krb_rd_req() to exploit a second overrun in krb425_conv_principal().
The krb_rd_req() code itself might not be exploitable once the overrun
in krb425_conv_principal() is repaired, though it is likely that some
other method of exploit may be found that does not require that an
overrun exist in krb425_conv_principal().

<H4>VULNERABLE DISTRIBUTIONS AND PROGRAMS</H4>

<P>Source distributions which may contain vulnerable code include:

<UL>
<LI>MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
<LI>MIT Kerberos 4 patch 10, and likely earlier releases as well
<LI>KerbNet (Cygnus implementation of Kerberos 5)
<LI>Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4)
</UL>

<P>Daemons or services that may call krb_rd_req() and are thus
vulnerable to remote exploit include:

<DL><DD>
krshd<BR>
klogind (if accepting Kerberos 4 authentication)<BR>
telnetd (if accepting Kerberos 4 authentication)<BR>
ftpd (if accepting Kerberos 4 authentication)<BR>
rkinitd<BR>
kpopd<BR>
</DL>

<P>In addition, it is possible that the v4rcp program, which is
usually installed setuid to root, may be exploited by a local user to
gain root access by means of exploiting the krb_rd_req vulnerability.

<P>The ksu program in some MIT Kerberos 5 releases has a vulnerability
that may result in unauthorized local root access.  This bug was fixed
in krb5-1.1.1, as well as in krb5-1.0.7-beta1.  Release krb5-1.1, as
well as krb5-1.0.6 and earlier, are believed to be vulnerable.

<P>There is an unrelated buffer overrun in the krshd that is
distributed with at least the MIT Kerberos 5 source distributions.  It
is not known whether an exploit exists for this buffer overrun.  It is
also not known whether this buffer overrun is actually exploitable.

<H4>WORKAROUNDS</H4>

<P>Certain daemons that are called from inetd may be safe from
exploitation if their command line invocation is modified to exclude
the use of Kerberos 4 for authentication.  Please consult the manpages
or other documentation for your Kerberos distribution in order to
determine the correct command line for disabling Kerberos 4
authentication.  Daemons for which this approach may work include:

<DL><DD>
krshd (*)<BR>
klogind<BR>
telnetd<BR>
</DL>

<P>(*) The krshd program may still be vulnerable to remote attack if
Kerberos 4 authentication is disabled, due to the unrelated buffer
overrun mentioned above.  It is best to disable the krshd program
completely until a patched version can be installed.

<P>The v4rcp program should have its setuid permission removed, since
it may be possible to perform a local exploit against it.

<P>The krb5 ksu program should have its setuid permission removed, if
it was not compiled from krb5-1.1.1, krb5-1.0.7-beta1, or later code.
Merely replacing the ksu binary with one compiled from krb5-1.1.1 or
krb5-1.0.7-beta1 should be safe, provided that it is not compiled with
shared libraries (the vulnerability is related to some library bugs).
If ksu was compiled with shared libraries, it may be best to install a
new release that has the library bug fixed.

<P>In the MIT Kerberos 5 releases, it may not be possible to disable
Kerberos 4 authentication in the ftpd program.  Note that only
releases krb5-1.1 and later will have the ability to receive Kerberos
4 authentication.

<H4>FIXES</H4>

<P>The best course of action is to patch the code in the krb4 library,
in addition to patching the code in the krshd program.  The following
patches include some less essential patches that also affect buffer
overruns in potentially vulnerable code, but for which exploits are
somewhat more difficult to construct.

<P>Please note that there are two sets of patches in this file that
apply against identically named files in two different releases.  You
should separate out the patch set that is relevant to you prior to
applying them; otherwise, you may inadvertently patch some files
twice.

<P>MIT will soon release krb5-1.2, which will have these changes
incorporated.

<H4>PATCHES AGAINST krb5-1.0.x</H4>

<P>The following are patches against 1.0.7-beta1 (roughly).  The most
critical ones are:

<DL><DD>
appl/bsd/krshd.c<BR>
lib/krb4/rd_req.c<BR>
lib/krb5/krb/conv_princ.c<BR>
</DL>

<P>The rest are not as important but you may wish to apply them anyway
out of paranoia.  These patches may apply with a little bit of fuzz
against releases prior to krb5-1.0.7-beta1, but there likely have not
been significant changes in the affected code.  These patches may also
apply against KerbNet.  The lib/krb4/rd_req.c patch may also apply
against CNS and MIT Kerberos 4.

</SMALL></FONT></TD>
</TR>
<TR>
<TD BGCOLOR="#FFFFFF" WIDTH=1></TD>
<TD BGCOLOR="#FFFFFF" WIDTH=100%>
<FONT FACE="Verdana" COLOR="#004A6B"><SMALL>

<P>[Patches to correct this issue in Kerberos version 5-1.0.x were
included at this point in the MIT advisory.  The CERT Coordination
Center has made these patches available at the following link:

<DL><DD>
<A HREF="CA-2000-06/mit_10x_patch.txt">
http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt</A>
</DL>

<P> -- CERT/CC]

</SMALL></FONT></TD>
</TR>
<TR>
<TD BGCOLOR="#000000" WIDTH=1>|</TD>
<TD BGCOLOR="#DFDFDF" WIDTH=100%>
<FONT FACE="Verdana" COLOR="#004A6B"><SMALL>

<H4>PATCHES AGAINST krb5-1.1.1</H4>

<P>The following are patches against 1.1.1.  The most critical ones are:

<DL><DD>
appl/bsd/krshd.c<BR>
lib/krb4/rd_req.c<BR>
lib/krb5/krb/conv_princ.c<BR>
</DL>

<P>IMPORTANT NOTE: If you are upgrading to krb5-1.1.1 (or krb5-1.1,
but we recommend krb5-1.1.1 if you are going to upgrade at all) and
compile the source tree with the --without-krb4 option, then you will
also want to install the patch to login.c that is also provided below.

<P>The rest are not as important but you may wish to apply them anyway
out of paranoia.

</SMALL></FONT></TD>
</TR>
<TR>
<TD BGCOLOR="#FFFFFF" WIDTH=1></TD>
<TD BGCOLOR="#FFFFFF" WIDTH=100%>
<FONT FACE="Verdana" COLOR="#004A6B"><SMALL>

<P>[Patches to correct this issue in Kerberos version 5-1.1.1 were
included at this point in the MIT advisory.  The CERT Coordination
Center has made these patches available at the following link:

<DL><DD>
<A HREF="CA-2000-06/mit_111_patch.txt">
http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt</A>
</DL>

<P> -- CERT/CC]

</SMALL></FONT></TD>
</TR>
<TR>
<TD BGCOLOR="#000000" WIDTH=1>|</TD>
<TD BGCOLOR="#DFDFDF" WIDTH=100%>
<FONT FACE="Verdana" COLOR="#004A6B"><SMALL>

<H4>ACKNOWLEDGMENTS</H4>

<P>Thanks to Jim Paris &lt;jim@jtan.com&gt; (MIT class of 2003) for pointing
out the krb_rd_req() vulnerability.

<P>Thanks to Nalin Dahyabhai of Redhat for pointing out some other
buffer overruns and coming up with patches.

</SMALL></FONT></TD>
</TR>
</TABLE>

<P>The full text of the MIT Kerberos Team advisory is also available
from:

<DL><DD>
<A HREF="http://web.mit.edu/kerberos/www/advisories/krb4buf.txt">
http://web.mit.edu/kerberos/www/advisories/krb4buf.txt</A>
</DL>

<A NAME="impact">
<H2>II. Impact</H2>

<P>At worst, these vulnerabilities may allow a remote intruder to gain
root access to systems running vulnerable services, including the KDC
for the domain.

<H4>Buffer overflow in krb_rd_req() library function</H4>

<P>This vulnerability may be exploited by remote users to gain root
privileges on systems running services linked against the vulnerable
library.  As MIT indicated, these services include (but may not be
limited to):

<DL><DD>
krshd<BR>
klogind (if accepting Kerberos 4 authentication)<BR>
telnetd (if accepting Kerberos 4 authentication)<BR>
ftpd (if accepting Kerberos 4 authentication)<BR>
rkinitd<BR>
kpopd<BR>
</DL>

<P>Local users can execute arbitrary code as root on systems where
v4rcp is installed setuid root.

<H4>Buffer overflow in krb425_conv_principal() library function</H4>

<P>This vulnerability can be exploited by remote users in conjunction
with the krb_rd_req vulnerability to gain root privileges on systems
running services linked against the vulnerable library.

<H4>Buffer overflow in krshd</H4>

<P>Remote users may be able to execute arbitrary code as root on
systems running a vulnerable version of krshd.

<H4>Buffer overflow in ksu</H4>

<P>Local users can gain root privileges by exploiting the buffer
overflow in ksu.

<A NAME="solution">
<H2>III. Solution</H2>

<H4>Apply a patch from your vendor</H4>

<P>Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive more information.
If you do not see your vendor's name, the CERT/CC did not hear from
that vendor. Please contact your vendor directly.</P>

<H4>Apply the MIT patches</H4>

<P>If you are running the Kerberos 5 distribution from MIT, and can
rebuild your binaries from source, you can apply the source code
patches from MIT to correct these problems.

<P>If you are running Kerberos version 4, you may be able to patch
your source code based on the version 5 patch provided by MIT.  Only
the patches for the krb_rd_req() vulnerability need to be applied to
version 4 to address the issues described in this advisory.

<P>With either version, you will need to recompile the libraries and
the vulnerable programs (krshd and ksu).  You will also need to
recompile any programs that have been statically linked with the
vulnerable libraries.  In version 4, you should also recompile the KDC
server software.

<P>These patches are available at:

<DL>
<DD><A HREF="CA-2000-06/mit_10x_patch.txt">
http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt</A>
<DD><A HREF="CA-2000-06/mit_111_patch.txt">
http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt</A>
</DL>


<H4>Disable version 4 authentication in version 5 if possible</H4>

<P>As suggested by MIT, version 4 authentication in some daemons can
be disabled at run time by supplying command line options to these
programs when started by inetd.  This approach may work for the
following daemons:

<DL><DD>
krshd<BR>
klogind<BR>
telnetd<BR>
</DL>

<P>This addresses the krb_rd_req() and krb425_conv_principal()
vulnerabilities.  Note that krshd may still be vulnerable to the krshd
specific vulnerability described in this document.

<H4>Upgrade to MIT Kerberos 5 version 1.2</H4>

<P>The vulnerabilities described in this advisory will be addressed in
Kerberos 5 version 1.2. This version will be available from the MIT Kerberos
web site: 

<DL><DD>
<A HREF="http://web.mit.edu/kerberos/www/">
http://web.mit.edu/kerberos/www/</A>
</DL>

<P>

<A NAME="vendors">
<H2>Appendix A. Vendor Information</H2>

<A NAME="freebsd">
<H4>FreeBSD, Inc.</H4>

<P>FreeBSD is not vulnerable by default, even for users who choose to
install the Kerberos distributions (FreeBSD uses KTH Kerberos, not
MIT). There is a port of MIT Kerberos 5 in the FreeBSD Ports
Collection which was vulnerable to this problem and has been corrected
as of 2000/05/17. A FreeBSD Security Advisory will be forthcoming.

<A NAME="ibm">
<H4>IBM Corporation</H4>

<P>The following APARs are available for this vulnerability:

<UL>
<LI>AIX 4.3.x:
<UL>
<LI>IY10787
<LI>IY11450
<LI>IY10505
</UL>
<LI>RS/6000 SP:
<UL>
<LI>PSSP 2.2: IY10657
<LI>PSSP 2.3: IY10523
<LI>PSSP 2.4: IY10658
<LI>PSSP 3.1.1: IY10630
</UL>
</UL>

<P>IBM AFS does not use the functions mentioned in this advisory and
therefore is not vulnerable.

<A NAME="microsoft">
<H4>Microsoft Corporation</H4>

<P>No Microsoft products are affected by this vulnerability.

<A NAME="mit">
<H4>MIT Kerberos</H4>

<P>The MIT Kerberos Team advisory on this topic is available from:

<DL><DD>
<A HREF="http://web.mit.edu/kerberos/www/advisories/krb4buf.txt">
http://web.mit.edu/kerberos/www/advisories/krb4buf.txt</A>
</DL>

<A NAME="netbsd">
<H4>NetBSD</H4>

<P>NetBSD has two codebases for crypto software, a legacy of the US's
export laws until recently (and also some patent issues).

<P>The crypto-intl tree intended for use by those outside the US was
not affected.

<P>For the crypto-us tree,
<UL>
<LI>krb5 was not affected
<LI>krb4 was affected, and has been fixed in NetBSD-current since
    Jeff's announcement; this fix is making its way into the 1.4.x
    release branch.  We will release an advisory and patches shortly.
</UL>

<P>In summary, users of NetBSD releases 1.4.2 and earlier or -current
up until yesterday, who have installed the crypto-us "secr" set and
who have enabled kerberos4, are vulnerable.

<A NAME="openbsd">
<H4>OpenBSD</H4>

<P>OpenBSD uses the KTH Kerberos distribution, which has been reported
to be not vulnerable.

<A NAME="washington">
<H4>Washington University</H4>

<P>We do not distribute any "default" binaries which use Kerberos.
In order to get Kerberos support, you must rebuild the software
specifically to use Kerberos (the default build will not use
Kerberos).

<P>We believe that the University of Washington IMAP and POP3 servers
are not vulnerable.  The message from MIT specifically stated that the
problem was in the Kerberos 4 routines from MIT.

<P>Kerberos support in these servers is based upon Kerberos 5, not
Kerberos 4.  UW imapd/ipop3d only uses GSSAPI and Kerberos 5 calls;
Kerberos 4 routines are never called.

<P>There is an unsupported, contributed-code module for Kerberos 4
available in our software, but that is client only.  We are not aware
of the existence of any Kerberos 4 server code for UW imapd/ipop3d.

<HR NOSHADE>

<P>The CERT Coordination Center thanks Jeff Schiller and the MIT
Kerberos Team for notifying us about this problem and their help in
developing this advisory.</P>

<HR NOSHADE>

<P>Cory Cohen and Jeff Havrilla were the primary authors of the
CERT/CC portions of this document.


<P>Copyright 2000, 2001 Carnegie Mellon University, portions Copyright 2000 MIT
University.</P>

<P>Revision History
<PRE>
May 17, 2000:  Initial release
May 18, 2000:  FreeBSD response added
June 27, 2000:  IBM response added
September 14, 2001:	IBM response addendum
</PRE>