MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities - Kerberos


  1. MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    MIT krb5 Security Advisory 2006-001

    Original release: 2006-08-08

    Topic: multiple local privilege escalation vulnerabilities

    Severity: serious

    SUMMARY
    =======

    In certain application programs packaged in the MIT Kerberos 5 source
    distribution, calls to setuid() and seteuid() are not always checked
    for success. A local user could exploit one of these vulnerabilities
    to result in privilege escalation. No exploit code is known to exist
    at this time. It is believed that the primary risk is to Linux
    systems, due to the behavior of their implementation of the setuid()
    and seteuid() system calls.

    IMPACT
    ======

    Actual impact depends on implementation details within a specific
    operating system. Vulnerabilities result when the OS implementations
    of setuid() or seteuid() can fail due to resource exhaustion when
    changing to an unprivileged user ID. We believe that only unchecked
    calls to setuid(), and not calls to seteuid(), are vulnerable on
    Linux.

    On AIX, Kerberos applications provided by IBM are not vulnerable. If,
    in place of or in addition to IBM-provided Kerberos applications, MIT
    krb5 code is installed on an AIX system, the affected MIT krb5
    applications are vulnerable to the setuid() issues listed in
    CVE-2006-3083. We believe that no other operating systems are
    affected.

    [CVE-2006-3083, VU#580124] The following vulnerabilities may result
    from unchecked calls to setuid(), and are believed to only exist on
    Linux and AIX:

    * Unchecked calls to setuid() in krshd may allow a local privilege
    escalation leading to execution of programs as root.

    * Unchecked calls to setuid() in the v4rcp may allow a local privilege
    escalation leading to reading, writing, or creating files as root.
    v4rcp is the remote end of a krb4-authenticated rcp operation, but
    may be executed directly by an attacker, as it is a setuid program.

    [CVE-2006-3084, VU#401660] The following vulnerabilities may result
    from unchecked calls to seteuid(). These vulnerabilities are not yet
    known to exist on any operating system:

    * Unchecked calls to seteuid() in ftpd may allow a local privilege
    escalation leading to reading, writing, or creating files as root.

    * Unchecked calls to seteuid() in the ksu program may allow a local
    privilege escalation resulting in filling a file with null bytes as
    root and then deleting it (the "kdestroy" operation).

    AFFECTED SOFTWARE
    =================

    * The above-listed programs are vulnerable in all releases of MIT
    krb5, up to and including krb5-1.5. The krb5-1.5.1 and krb5-1.4.4
    releases will contain fixes for these problems.

    FIXES
    =====

    * The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes
    for these vulnerabilities.

    * Disable krshd and ftpd, and remove the setuid bit from the ksu
    binary and the v4rcp binary.

    * For the krb5-1.5 release, apply the patch at

    http://web.mit.edu/kerberos/advisori...-patch_1.5.txt

    A PGP-signed version of this patch is at

    http://web.mit.edu/kerberos/advisori...ch_1.5.txt.asc

    This patch was generated against the krb5-1.5 release, and may apply
    to earlier releases with some fuzz. The patch also updates some
    calls to other setuid-like system calls on less-common operating
    systems, though these calls are less likely to be vulnerable.

    * For the krb5-1.4.3 release, apply the patch at

    http://web.mit.edu/kerberos/advisori...atch_1.4.3.txt

    A PGP-signed version of this patch is at

    http://web.mit.edu/kerberos/advisori...atch_1.4.3.txt

    This patch was generated against the krb5-1.4.3 release, and may apply
    to earlier releases with some fuzz. The patch also updates some
    calls to other setuid-like system calls on less-common operating
    systems, though these calls are less likely to be vulnerable.

    REFERENCES
    ==========

    This announcement and related security advisories may be found on the
    MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

    The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

    CVE: CVE-2006-3083
    http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-3083

    CERT: VU#580124
    http://www.kb.cert.org/vuls/id/580124

    CVE: CVE-2006-3084
    http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-3084

    CERT: VU#401660
    http://www.kb.cert.org/vuls/id/401660

    ACKNOWLEDGMENTS
    ===============

    Thanks to Michael Calmer and Marcus Meissner at SUSE for reporting
    this problem.

    Thanks to Shiva Persaud at IBM for information on AIX.

    DETAILS
    =======

    Typically, setuid(), seteuid(), and similar system calls cannot fail
    except in cases of inadequate privilege or system misconfiguration.
    Unlike other operating systems, Linux and AIX system calls which
    change the real user ID can fail if the change would cause the target
    user ID to exceed its quota of allowed processes. A local attacker
    may be able to exhaust a process quota in a way which artificially
    creates such a failure condition. This may result in privilege
    escalation when a program making an unchecked call to one of these
    system calls expects to continue execution with reduced privilege
    following the affected call, but instead continues to run as a
    privileged user.

    Specific places where various system calls are not checked include:

    appl/bsd/krcp.c: setreuid (uncompiled code), setuid (irrelevant
    because not installed setuid)
    appl/bsd/krshd.c: setuid
    appl/bsd/krsh.c: setuid (irrelevant because not installed setuid)
    appl/bsd/v4rcp.c: setuid
    appl/gssftp/ftpd/ftpd.c: seteuid
    client/ksu/main.c: seteuid
    lib/krb4/kuserok.c: seteuid (but likely irrelevant)

    REVISION HISTORY
    ================

    2006-08-08 original release

    Copyright (C) 2006 Massachusetts Institute of Technology
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.3 (SunOS)

    iQCVAwUBRNjfg6bDgE/zdoE9AQLnKQP8DAikPgsCxRiOVj2QnX66VnBl2Nsm7irs
    NeO/8yiP9QpliPk4h/6p9Q1Wc70H/C4ICWgufVDiIHbnUc4MGS4GVUzZtvQelrC1
    4WTZyxLFfEZQzbNk6FUBw3W0P38IrUX2FQsLTp9R4S3iWFMI5Udkb5XX60zwo9w2
    79rpIw5g8vY=
    =x/vF
    -----END PGP SIGNATURE-----
    _______________________________________________
    kerberos-announce mailing list
    kerberos-announce@mit.edu
    https://mailman.mit.edu/mailman/list...beros-announce
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
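    The DETAILS section of the advisory describes a program that calls setuid() without looking at the return value and, when the kernel refuses the change, keeps running as root. The following is an added example written for this page, not code from MIT krb5 or from the advisory: it places that unchecked shape next to a hardened privilege drop that checks the return value and then re-reads the process credentials. The function names drop_privileges_unchecked and drop_privileges are invented for the example. The EAGAIN failure from a process quota is kernel-specific and needs root plus a saturated target uid to reproduce, so the example does not try; run as an unprivileged user, a request to become a different uid is refused with EPERM, which exercises the same code paths.

```c
/* Added example, not MIT krb5 code: the unchecked setuid() shape the advisory
 * describes, next to a hardened privilege drop. Assumes a POSIX system. The
 * EAGAIN failure mode in the advisory is not reproduced here; run as an
 * unprivileged user, the kernel's EPERM refusal exercises the same paths. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable shape: the caller assumes setuid() worked. If the kernel refuses
 * the change (the advisory's case: the target uid is at its process quota),
 * the program carries on with its original, privileged credentials. */
int drop_privileges_unchecked(uid_t target)
{
    int rc = setuid(target);
    (void)rc;            /* never examined: this is the bug */
    return 0;            /* always reports success to the caller */
}

/* Hardened shape: fail closed on any error, then confirm the credentials
 * really changed and that the old privilege cannot be regained. */
int drop_privileges(uid_t target)
{
    if (setuid(target) != 0) {
        fprintf(stderr, "setuid(%lu) failed: %s\n",
                (unsigned long)target, strerror(errno));
        return -1;
    }
    /* setuid() semantics differ between systems, so do not trust the return
     * value alone: re-read the real and effective uid. */
    if (getuid() != target || geteuid() != target) {
        fprintf(stderr, "privilege drop incomplete: ruid=%lu euid=%lu\n",
                (unsigned long)getuid(), (unsigned long)geteuid());
        return -1;
    }
    /* After a full drop to a non-root uid, regaining uid 0 must be refused.
     * If it is not, the caller must treat the process as still privileged. */
    if (target != 0 && seteuid(0) == 0) {
        fprintf(stderr, "privilege drop incomplete: uid 0 still reachable\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t me = getuid();
    int rc;

    if (me == 0) {
        puts("run as an unprivileged user to exercise the EPERM path");
        return 0;
    }
    /* An unprivileged caller may not become another uid: the kernel refuses
     * with EPERM, which stands in here for the advisory's EAGAIN case. */
    rc = drop_privileges_unchecked(me + 1);
    printf("unchecked drop to %lu reported %d, euid is still %lu\n",
           (unsigned long)(me + 1), rc, (unsigned long)geteuid());
    rc = drop_privileges(me + 1);
    printf("checked drop to %lu reported %d\n", (unsigned long)(me + 1), rc);
    rc = drop_privileges(me);
    printf("checked drop to own uid %lu reported %d\n", (unsigned long)me, rc);
    return 0;
}
```

    Run as an unprivileged user, the unchecked version reports success for a drop that never happened, while the checked version returns -1 for the refused change and 0 for a drop to the caller's own uid. The post-call verification matters because the advisory's fix is about not trusting the assumption that the call "cannot fail", and the cheapest way to not trust it is to look at the credentials afterwards.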


  2. Re: MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities

    Hi Tom,

    I implemented the changes suggested by you for "MIT krb5 Security Advisory
    2006-001" in the ksu utility. I always observe the message below when I
    exit from the ksu shell. I tested it on AIX and Linux. The behavior is the same.
    ------------------------------------------
    # ksu tester
    Changing uid to tester (333)
    # exit
    exit
    ksu: Operation not permitted while returning to source uid for destroying
    ccache
    -------------------------------------------

    Code study shows that this is the new message added for security
    advisory 2006-001. Further, I found out that, in the sweep_up function,
    krb5_seteuid(0) always fails, and that's why I am getting this message. As a
    side effect it leaves the cred cache file around and exits without destroying
    it.

    --- src/clients/ksu/main.c -----
    if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {
        com_err(prog_name, errno,
                "while returning to source uid for destroying ccache");
        exit(1);
    }
    ------------------------------------------

    Is this an expected behavior? Could you please provide inputs regarding why
    we are calling krb5_seteuid(0)? Is it supposed to succeed at any point in
    time? If not, is it a good idea to remove this call?

    Awaiting reply.
    - Sachin.

    On 8/9/06, Tom Yu wrote:
    > [MIT krb5 Security Advisory 2006-001 quoted in full; see the first message in this thread]



  3. Re: MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities

    >>>>> "Sachin" == Sachin Punadikar writes:

    Sachin> [quoted text of the previous message omitted]

    This sounds like a bug in the patch. Try moving the krb5_seteuid(0)
    call to before the if-statement (so its return value gets
    ignored... this is safe for seteuid(0) but not for seteuid(not_zero)).
    I think the krb5_seteuid(0) call is to change back to UID 0 if that is
    required (on some systems) for changing back to the original target
    UID.

    ---Tom
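    The exchange above turns on an asymmetry worth keeping in mind whenever a setuid-family call is checked: a failed attempt to raise privilege leaves the process no more privileged than it was, so ignoring the result is safe, while a failed attempt to drop privilege leaves the process more privileged than the code assumes, so that result must always be checked. The following is an added example written for this page, not ksu's code: it models the two orderings of the sweep_up cleanup, the one quoted from the patch and the one suggested in the reply. The names sweep_up_as_patched, sweep_up_fixed and mock_destroy_ccache are invented; the credential cache destroy step is stood in for by a counter; and the scenario assumes, as in the report above, that the process has already changed to target_uid and may not be able to regain uid 0.

```c
/* Added example modeling the ksu sweep_up() ordering discussed in this thread
 * (not MIT's code). Assumes the process has already changed to target_uid and
 * may or may not be able to regain uid 0. The credential cache destroy step is
 * replaced by a counter so the control flow can be observed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-in for destroying the credential cache: counts how often cleanup ran. */
int ccache_destroy_count = 0;
int mock_destroy_ccache(void)
{
    ccache_destroy_count++;
    return 0;
}

/* Shape of the patch as first shipped: seteuid(0) sits inside the check, so
 * wherever uid 0 cannot be regained the cleanup is skipped entirely and the
 * credential cache is left behind (the symptom reported in this thread). */
int sweep_up_as_patched(uid_t target_uid, int (*destroy_ccache)(void))
{
    if (seteuid(0) < 0 || seteuid(target_uid) < 0) {
        fprintf(stderr, "%s while returning to source uid for destroying ccache\n",
                strerror(errno));
        return -1;          /* ksu exits here without destroying the ccache */
    }
    return destroy_ccache();
}

/* The ordering suggested in the reply: the result of seteuid(0) is ignored
 * because failing to raise privilege is harmless; the result of
 * seteuid(target_uid) is checked, and the effective uid verified, because a
 * silent failure there would run the cleanup with elevated rights. */
int sweep_up_fixed(uid_t target_uid, int (*destroy_ccache)(void))
{
    if (seteuid(0) < 0) {
        /* Not an error: uid 0 is simply not reachable from here. */
    }
    if (seteuid(target_uid) < 0) {
        fprintf(stderr, "%s while returning to source uid for destroying ccache\n",
                strerror(errno));
        return -1;
    }
    if (geteuid() != target_uid) {
        fprintf(stderr, "refusing to destroy ccache with euid %lu\n",
                (unsigned long)geteuid());
        return -1;
    }
    return destroy_ccache();
}

int main(void)
{
    uid_t me = getuid();
    int rc;

    rc = sweep_up_as_patched(me, mock_destroy_ccache);
    printf("as patched: returned %d, ccache destroyed %d time(s)\n",
           rc, ccache_destroy_count);
    rc = sweep_up_fixed(me, mock_destroy_ccache);
    printf("fixed:      returned %d, ccache destroyed %d time(s)\n",
           rc, ccache_destroy_count);
    return 0;
}
```

    Run as an unprivileged user, where seteuid(0) is refused, the as-patched ordering reports the "Operation not permitted" error and never reaches the destroy step, while the fixed ordering reaches it exactly once. The explicit geteuid() check after the drop is the same defence as in the advisory: the return value is necessary but the credentials are what actually decide whether the cleanup runs with the right identity.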


  4. Re: MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities

    >>>>> "Tom" == Tom Yu writes:

    Tom> [quoted text of the previous message omitted]

    This is now ticket #4137 in our bug database; the fix will appear in
    krb5-1.5.1.

    ---Tom


  5. Re: MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities

    Tom,
    I tried code changes suggested by you, and it works fine. Now it is working
    as it was working before.
    Thanks a lot.

    - Sachin.

    On 8/16/06, Tom Yu wrote:
    > [quoted text of the previous message omitted]


