MIT krb5 Security Advisory 2005-003

Original release: 2005-07-12

Topic: double-free in krb5_recvauth

Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions. This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm. No exploit code is known to exist at this time. Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689, VU#623332]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth(). This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm. Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
krb5, up to and including krb5-1.4.1, is vulnerable.

* Third-party application programs which call krb5-recvauth() are also
vulnerable.

FIXES
=====

* The upcoming krb5-1.4.2 release will have a fix for this
vulnerability.

* Apply the following patch. This patch was generated against the
krb5-1.4.1 release. It may apply, with some offset, to earlier
releases.

The patch may also be found at:

http://web.mit.edu/kerberos/advisori...atch_1.4.1.txt

The associated detached PGP signature is at:

http://web.mit.edu/kerberos/advisori..._1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
================================================== =================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c 3 Sep 2002 01:13:47 -0000 5.38
--- lib/krb5/krb/recvauth.c 23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
if (strcmp(inbuf.data, sendauth_version)) {
- krb5_xfree(inbuf.data);
problem = KRB5_SENDAUTH_BADAUTHVERS;
}
krb5_xfree(inbuf.data);
--- 76,81 ----
***************
*** 90,96 ****
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
if (appl_version && strcmp(inbuf.data, appl_version)) {
- krb5_xfree(inbuf.data);
if (!problem)
problem = KRB5_SENDAUTH_BADAPPLVERS;
}
--- 89,94 ----

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1689
http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1689

CERT: VU#623332
http://www.kb.cert.org/vuls/id/623332

ACKNOWLEDGMENTS
===============

Thanks to Magnus Hagander for reporting this vulnerability.

DETAILS
=======

The helper function revcauth_common() in lib/krb5/krb/recvauth.c has
two locations which call krb5_read_message(), followed by an
unconditional krb5_xfree() of the buffer allocated by
krb5_read_message(). In the cases where the sendauth version string
or the application version string do not match the expected value,
recvauth_common() performs a krb5_xfree() on the buffer allocated by
krb5_read_message() preceding the subsequent unconditional call to
krb5_xfree() on the same buffer.

Since the code paths which call krb5_xfree() twice do so with almost
no intervening code, exploitation of this vulnerability may be more
difficult than exploitation of other double-free vulnerabilities. No
detailed analysis has been performed on the ease of exploitation.

REVISION HISTORY
================

2005-05-12 original release

Copyright (C) 2005 Massachusetts Institute of Technology
_______________________________________________
kerberos-announce mailing list
kerberos-announce@mit.edu
https://mailman.mit.edu/mailman/list...beros-announce
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos