MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956] - Kerberos



Thread: MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956]

  1. MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    MIT krb5 Security Advisory 2007-001

    Original release: 2007-04-03
    Last update: 2007-04-03

    Topic: telnetd allows login as arbitrary user

    Severity: CRITICAL

    CVE: CVE-2007-0956
    CERT: VU#220816

    SUMMARY
    =======

    The MIT krb5 telnet daemon (telnetd) allows unauthorized login as an
    arbitrary user, when presented with a specially crafted username.
    Exploitation of this vulnerability is trivial.

    This is a vulnerability in an application program; it is not a bug in
    the MIT krb5 libraries or in the Kerberos protocol.

    IMPACT
    ======

    A user can gain unauthorized access to any account (including root) on
    a host running telnetd. Whether the attacker needs to authenticate
    depends on the configuration of telnetd on that host.

    AFFECTED SOFTWARE
    =================

    * telnetd in all releases of MIT krb5, up to and including krb5-1.6

    FIXES
    =====

    * The upcoming krb5-1.6.1 release will contain a fix for this
    vulnerability.

    Prior to that release you may:

    * disable telnetd

    or

    * apply the patch

    This patch is also available at

    http://web.mit.edu/kerberos/advisori...-001-patch.txt

    A PGP-signed patch is available at

    http://web.mit.edu/kerberos/advisori...-patch.txt.asc

    *** src/appl/telnet/telnetd/state.c (revision 19480)
    - --- src/appl/telnet/telnetd/state.c (local)
    ***************
    *** 1665,1671 ****
    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
    strcmp(varp, "NLSPATH") && /* locale stuff */
    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
    ! strcmp(varp, "IFS")) {
    return 1;
    } else {
    syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
    - --- 1665,1672 ----
    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
    strcmp(varp, "NLSPATH") && /* locale stuff */
    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
    ! strcmp(varp, "IFS") &&
    ! !strchr(varp, '-')) {
    return 1;
    } else {
    syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
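    Review bot: the new `!strchr(varp, '-')` test rejects a dash anywhere in the variable name, whereas the sys_term.c filter later in this patch, `if ((*cpp)[0] != '-')`, only inspects the first byte; the stricter rule is the right one, since POSIX environment variable names consist of letters, digits and underscore and nothing legitimate is lost, but a short comment beside the other `/* locale stuff */` annotations explaining why a dash is disallowed would keep a future cleanup from relaxing it. On the positive side, the existing `syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp)` already records the offending name, which the two new checks in sys_term.c do not.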
    *** src/appl/telnet/telnetd/sys_term.c (revision 19480)
    - --- src/appl/telnet/telnetd/sys_term.c (local)
    ***************
    *** 1287,1292 ****
    - --- 1287,1302 ----
    #endif
    #if defined (AUTHENTICATION)
    if (auth_level >= 0 && autologin == AUTH_VALID) {
    + if (name[0] == '-') {
    + /* Authenticated and authorized to log in to an
    + account starting with '-'? Even if that
    + unlikely case comes to pass, the current login
    + program will not parse the resulting command
    + line properly. */
    + syslog(LOG_ERR, "user name cannot start with '-'");
    + fatal(net, "user name cannot start with '-'");
    + exit(1);
    + }
    # if !defined(NO_LOGIN_F)
    #if defined(LOGIN_CAP_F)
    argv = addarg(argv, "-F");
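    Review bot: the `syslog(LOG_ERR, "user name cannot start with '-'")` call in the new `name[0] == '-'` branch records neither the rejected name nor the remote peer, unlike the state.c message in this patch which quotes `varp`; logging the value (with non-printable bytes masked) and the client address would let an operator distinguish a probe from a typo. The `exit(1)` after `fatal(net, ...)` is a reasonable guard in case `fatal` can return, but a one-line comment saying so would stop a reader from treating it as dead code.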
    ***************
    *** 1377,1387 ****
    } else
    #endif
    if (getenv("USER")) {
    ! argv = addarg(argv, getenv("USER"));
    #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
    {
    register char **cpp;
    for (cpp = environ; *cpp; cpp++)
    argv = addarg(argv, *cpp);
    }
    #endif
    - --- 1387,1405 ----
    } else
    #endif
    if (getenv("USER")) {
    ! char *user = getenv("USER");
    ! if (user[0] == '-') {
    ! /* "telnet -l-x ..." */
    ! syslog(LOG_ERR, "user name cannot start with '-'");
    ! fatal(net, "user name cannot start with '-'");
    ! exit(1);
    ! }
    ! argv = addarg(argv, user);
    #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
    {
    register char **cpp;
    for (cpp = environ; *cpp; cpp++)
    + if ((*cpp)[0] != '-')
    argv = addarg(argv, *cpp);
    }
    #endif
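    Review bot: the `if ((*cpp)[0] != '-')` filter in the `environ` loop silently drops the entry, while the two other new checks in this patch abort the session with a LOG_ERR syslog line; dropping is acceptable for an already-authenticated session, but emitting the same log record would keep the audit trail consistent across all three rejection points. The `user[0] == '-'` block also duplicates the check added at line 1287 of the same file, with the same message text; a small static helper would keep the two in step if the message or policy changes.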

    REFERENCES
    ==========

    This announcement is posted at:

    http://web.mit.edu/kerberos/advisori...01-telnetd.txt

    This announcement and related security advisories may be found on the
    MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

    The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

    CVE: CVE-2007-0956
    http://cve.mitre.org/cgi-bin/cvename...=CVE-2007-0956

    CERT: VU#220816
    http://www.kb.cert.org/vuls/id/220816

    ACKNOWLEDGMENTS
    ===============

    This vulnerability was found when attempting to confirm the absence of
    a related vulnerability in the Solaris telnetd. [CVE-2007-0882]

    DETAILS
    =======

    The MIT krb5 telnet daemon fails to adequately check the provided
    username. A malformed username beginning with "-e" can be interpreted
    as a command-line flag by the login.krb5 program, which is executed by
    telnetd. This causes login.krb5 to execute part of the BSD rlogin
    protocol, where an arbitrary username may be injected, allowing login
    as that user without a password or any further authentication.

    If the telnet daemon is configured to only permit authenticated login,
    then only authenticated users can exploit this vulnerability.

    REVISION HISTORY
    ================

    2007-04-03 original release

    Copyright (C) 2007 Massachusetts Institute of Technology
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (SunOS)

    -----END PGP SIGNATURE-----
    _______________________________________________
    kerberos-announce mailing list
    kerberos-announce@mit.edu
    https://mailman.mit.edu/mailman/list...beros-announce
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
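An added example, not MIT's code, that packages the two input rules the patch above introduces as testable predicates and adds an audit message quoting the rejected value, which the patch's own syslog messages in sys_term.c omit. The names `check_login_request`, `login_name_ok`, `env_name_ok` and `append_sanitized` are assumptions of this example, and the sample inputs in the comments are constructed.

```c
#include <ctype.h>
#include <string.h>

typedef enum { LOGIN_OK = 0, LOGIN_BAD_NAME = 1, LOGIN_BAD_ENV = 2 } login_check_t;
/* sys_term.c rule: the name is a bare argv element, so a leading '-' is an option. */
static int login_name_ok(const char *name)
{
    return name != NULL && name[0] != '\0' && name[0] != '-';
}

/* state.c rule: no '-' anywhere, since LOGIN_ARGS builds append environ to argv. */
static int env_name_ok(const char *varp)
{
    return varp != NULL && varp[0] != '\0' && strchr(varp, '-') == NULL;
}

/* Appends s to dst, masking non-printable bytes so a hostile value (for
 * example a constructed "-\033[2J") cannot forge line breaks or escapes in the log. */
static void append_sanitized(char *dst, size_t dstlen, const char *s)
{
    size_t n = strlen(dst);
    for (; *s != '\0' && n + 1 < dstlen; s++)
        dst[n++] = isprint((unsigned char)*s) ? *s : '?';
    dst[n] = '\0';
}

/* Checks the login name, then each client-supplied environment variable name
 * (NULL-terminated list). On rejection, audit holds a syslog-ready line quoting the value. */
login_check_t check_login_request(const char *user, const char *const *env_names,
                                  char *audit, size_t auditlen)
{
    size_t i;
    audit[0] = '\0';
    if (!login_name_ok(user)) {
        append_sanitized(audit, auditlen, "rejected login name \"");
        append_sanitized(audit, auditlen, user ? user : "");
        append_sanitized(audit, auditlen, "\"");
        return LOGIN_BAD_NAME;
    }
    for (i = 0; env_names[i] != NULL; i++) {
        if (env_name_ok(env_names[i]))
            continue;
        append_sanitized(audit, auditlen, "rejected environment variable \"");
        append_sanitized(audit, auditlen, env_names[i]);
        append_sanitized(audit, auditlen, "\"");
        return LOGIN_BAD_ENV;
    }
    return LOGIN_OK;
}
```

The audit string is truncated rather than overrun when the buffer is small, so it can be handed straight to syslog with a fixed-size stack buffer.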


  2. Re: MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956]

    Is a new version of the 1.5.x branch planned, with fixes to the three holes?

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    -----END PGP SIGNATURE-----

