The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


FreeBSD Security Advisory FreeBSD-SA-01:25.kerberosIV


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 14 Feb 2001 09:26:39 -0800
From: FreeBSD Security Advisories <security-advisories@FreeBSD.org.>
To: [email protected]
Subject: FreeBSD Security Advisory FreeBSD-SA-01:25.kerberosIV

-----BEGIN PGP SIGNED MESSAGE-----


FreeBSD-SA-01:25 Security Advisory FreeBSD, Inc. Topic: Local and remote vulnerabilities in Kerberos IV Category: core Module: libkrb, telnetd Announced: 2001-02-14 Credits: Jouko PynnЖnen <jouko@solutions.fi.> Affects: FreeBSD 4.2-STABLE and 3.5-STABLE prior to the correction dates. Corrected: 2000-12-13 (FreeBSD 4.2-STABLE) 2000-12-15 (FreeBSD 3.5-STABLE) FreeBSD only: NO I. Background telnetd is the server for the telnet remote login protocol, which is available with optional support for the Kerberos authentication protocol. libkrb is the library used for Kerberised applications (including telnetd and login). FreeBSD includes the KTH Kerberos implementation, which is externally maintained, contributed software, as an optional part of the base system. II. Problem Description The advisory describes three vulnerabilities: first, an overflow in the libkrb KerberosIV authentication library, second, improper filtering of environmental variables by the KerberosIV-adapted telnet daemon, and finally, a temporary file vulnerability in the KerberosIV ticket management code. A buffer overflow exists in the libkrb Kerberos authentication library, which may be exploitable by malicious remote authentication servers. This vulnerability exists in the kdc_reply_cipher() call. An attacker may be able to overflow this buffer during an authentication exchange, allowing the attacker to execute arbitrary code with the privileges of the caller of kdc_reply_cipher(). The telnet protocol allows for UNIX environmental variables to be passed from the client to the user login session on the server. The base system telnet daemon, telnetd, goes the great lengths to limit the variables passed so as to prevent them from improperly influencing the login and authentication mechanisms. The telnet daemon used with KerberosIV relied on an incomplete list of improper environment variables to remove from the environment before executing the login program. This is a similar vulnerability to that described in Security Advisory 00:69. Two environment variables have been identified that place users of Kerberos at risk. The first allows the remote user to change the Kerberos server used for authentication requests, increasing the opportunity for an attacker to exploit the buffer overflow. The second allows the configuration directory for Kerberos to be modified, allowing an attacker with the right to modify the local file system to cause Kerberos to autheticate using an improper configuration (including Kerberos realm and server configuration, as well as srvtab). These vulnerabilities may be used to leverage root access. A race condition exists in the handling of ticket files in /tmp; this vulnerability may be exploited by a local user to gain ownership of arbitrary files in the file system. This vulnerability can be leveraged to gain root access. These vulnerabilities only exist on systems which have installed the optional Kerberos IV distribution (whether or not it is configured), which is not installed by default. III. Impact If your system has the KerberosIV distribution installed, remote and local users may be able to obtain root privileges on the local system. IV. Workaround To prevent remote root compromise via the telnet service, disable the telnet service, which is usually run out of inetd: comment out the following lines in /etc/inetd.conf, if present. telnet stream tcp nowait root /usr/libexec/telnetd telnetd telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd The local root compromise cannot be easily worked around. V. Solution One of the following: 1) Upgrade your vulnerable FreeBSD system to 4.2-STABLE or 3.5-STABLE after the respective correction dates. 2) Apply the relevant patch from below and recompile the affected files: Download the relevant patch and detached PGP signature from the following locations, and verify the signature using your PGP utility. [FreeBSD 4.2] ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4.2.patch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4.2.patch.asc [FreeBSD 3.5.1] ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3.5.1.patch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3.5.1.patch.asc NOTE: This patch assumes you have already applied the patch in security advisory SA-00:69. Execute the following commands as root: # cd /usr/src # patch -p < /path/to/patch # cd /usr/src/kerberosIV # make depend && make all install # cd /usr/src/libexec/telnetd # make depend && make all install -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOopfGFUuHi5z0oilAQGIZwP+OTdYs+CQQ0oZegWsQRNkf6CJCCCu/ban XWs5wIwEFESq8rCdtg4c6y2RKdF+oySU05nXRYG3gl2Il+71zjhTUnsXi2mM5WHi on6m8GOB9EGurb2xszuqNBREa61wGoYZTptzm/NKW7meaDVDlCwe1Mq+orz7ai3m WrEZuR94UFU= =TyCm -----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру