__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

             Kerberos Buffer Overflow Vulnerability
            [MIT krb5 Security Advisory 2004-001]

June 9, 2004 19:00 GMT                                    Number O-155
[REVISED 14 Jun 2004]
[REVISED 18 Jun 2004]
[REVISED 23 Jun 2004]
[REVISED 22 Sep 2004]
[REVISED 05 Oct 2004]
[REVISED 03 Nov 2004]
______________________________________________________________________________
PROBLEM:       The krb5_aname_to_localname() library function, a function
               that translates Kerberos principal names to local UNIX
               account names, contains vulnerabilities.

PLATFORM:      All releases of MIT Kerberos 5, up to and including krb5-1.3.3
               Red Hat Desktop (v.3)
               Red Hat Enterprise Linux AS, ES, WS (v.2.1 and v.3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
                 Processor
               SPARC & x86 Platform: Solaris 8, Solaris 9
               SEAM 1.0 (for Solaris 7)
               SEAM 1.0.1 (for Solaris 8)
               SEAM 1.0.2 (for Solaris 9)
               Debian GNU/Linux 3.0 (woody)
               SGI ProPack v2.4 - Altix systems
               SGI ProPack v3 - Altix systems

DAMAGE:        The krb5_aname_to_localname() library function contains
               multiple buffer overflows which could be exploited to gain
               unauthorized root access. Exploitation of these flaws
               requires an unusual combination of factors, including
               successful authentication to a vulnerable service and a
               non-default configuration on the target service.

SOLUTION:      Apply security updates.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A remote attacker can potentially execute
ASSESSMENT:    arbitrary code on hosts running vulnerable services.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-155.shtml
 ORIGINAL BULLETIN:  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-001-an_to_ln.txt
 ADDITIONAL LINKS:
   - Red Hat RHSA-2004:236
     http://rhn.redhat.com/errata/RHSA-2004-236.html
   - US-CERT Vulnerability Note #686862
     http://www.kb.cert.org/vuls/id/686862
   - Sun Alert ID: 57580
     http://sunsolve.sun.com/search/document.do?assetkey=1-26-57580-1
   - Debian DSA-520
     http://www.debian.org/security/2004/dsa-520
   - SGI #20040602-01-U for ProPack v2.4 - Patch #10084
     ftp://patches.sgi.com/support/free/security/advisories/20040605-01-U.asc
   - SGI #20040603-01-U for SGI ProPack 3 - Patch #10083
     ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0523
______________________________________________________________________________
REVISION HISTORY:
 06/14/2004 - added a link to Sun Alert ID: 57580 for Solaris 8, 9,
              SEAM 1.0, 1.0.1, 1.0.2.
 06/18/2004 - added a link to Debian DSA-520-1 krb5 for Debian GNU/Linux
              3.0 (woody).
 06/23/2004 - added links for the two new releases of SGI Security
              Advisories/Patches and updated the PLATFORM section.
 09/22/2004 - Sun Microsystems released new patches for Solaris 9 and
              SEAM 1.0 for Solaris 7. They also released T-Patches for
              Solaris 8. See Sun's Alert ID: 57580.
 10/05/2004 - Sun Microsystems released final patches addressing this
              vulnerability. See Sun's Alert ID: 57580.
 11/03/2004 - Sent DOE notification that a Sun patch for Solaris 8 is now
              available.
[***** Start MIT krb5 Security Advisory 2004-001 *****]

                 MIT krb5 Security Advisory 2004-001

Original release: 2004-06-01
Last update: 2004-06-02

Topic: buffer overflows in krb5_aname_to_localname

Severity: serious

SUMMARY
=======

[ patch corrected since original release ]

The krb5_aname_to_localname() library function contains multiple buffer
overflows which could be exploited to gain unauthorized root access.
Exploitation of these flaws requires an unusual combination of factors,
including successful authentication to a vulnerable service and a
non-default configuration on the target service.  (See MITIGATING
FACTORS below.)

No exploits are known to exist yet.

IMPACT
======

A remote attacker can potentially execute arbitrary code on hosts running
vulnerable services.

MITIGATING FACTORS
==================

Only configurations which enable the explicit mapping or rules-based
mapping functionality of krb5_aname_to_localname() are vulnerable.  These
configurations are not the default, and we believe that they are
uncommon.

If the explicit mapping functionality is enabled, an attacker must
authenticate using a principal name listed in the explicit mapping list.

If the rules-based mapping functionality is enabled, an attacker must be
able to create arbitrary principal names either in the local Kerberos
realm or in a remote realm from which the local realm's services are
reachable by cross-realm authentication.

AFFECTED SOFTWARE
=================

All releases of MIT Kerberos 5, up to and including krb5-1.3.3.

The upcoming krb5-1.3.4 release will contain a fix for this problem.

Affected services contained in these releases include the remote login
applications (e.g., ftp, rsh, rlogin, telnet), as well as ksu.
Third-party application servers using the affected functionality of the
krb5 library may be vulnerable.  These services are only vulnerable in
non-default configurations.
To learn if a configuration is vulnerable, examine the /etc/krb5.conf or
other relevant krb5 configuration file, and look for entries of the
(explicit mapping) form:

        auth_to_local_names = {
                aname = lname
        }

or of the (rule-based mapping) form:

        auth_to_local = RULE:foo

within a realm subsection.

FIXES
=====

* If you are using the vulnerable functionality, consider disabling it
  immediately.  Complete disabling of any configuration of explicit
  mapping or rules-based mapping should prevent exploitation.

* The upcoming krb5-1.3.4 release will contain a fix for this problem.

* Apply the following patch to src/lib/krb5/os/an_to_ln.c, and recompile
  the affected libraries and applications.

Index: an_to_ln.c =================================================================== RCS file: /cvs/krbdev/krb5/src/lib/krb5/os/an_to_ln.c,v retrieving revision 5.39 diff -c -r5.39 an_to_ln.c *** an_to_ln.c 3 Sep 2002 19:29:34 -0000 5.39 - --- an_to_ln.c 2 Jun 2004 22:04:21 -0000 *************** *** 270,278 **** * If no regcomp() then just return the input string verbatim in the output * string. */ ! static void do_replacement(char *regexp, char *repl, int doall, char *in, char *out) { #if HAVE_REGCOMP regex_t match_exp; regmatch_t match_match; - --- 270,283 ---- * If no regcomp() then just return the input string verbatim in the output * string. */ ! #define use_bytes(x) \ ! out_used += (x); \ ! if (out_used > MAX_FORMAT_BUFFER) goto mem_err ! ! static int do_replacement(char *regexp, char *repl, int doall, char *in, char *out) { + size_t out_used = 0; #if HAVE_REGCOMP regex_t match_exp; regmatch_t match_match; *************** *** 287,303 **** do { if (!regexec(&match_exp, cp, 1, &match_match, 0)) { if (match_match.rm_so) { strncpy(op, cp, match_match.rm_so); op += match_match.rm_so; } strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(op); cp += match_match.rm_eo; ! 
if (!doall) strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 1; } else { strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } - --- 292,313 ---- do { if (!regexec(&match_exp, cp, 1, &match_match, 0)) { if (match_match.rm_so) { + use_bytes(match_match.rm_so); strncpy(op, cp, match_match.rm_so); op += match_match.rm_so; } + use_bytes(strlen(repl)); strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(op); cp += match_match.rm_eo; ! if (!doall) { ! use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); + } matched = 1; } else { + use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } *************** *** 322,338 **** sdispl = (size_t) (loc1 - cp); edispl = (size_t) (loc2 - cp); if (sdispl) { strncpy(op, cp, sdispl); op += sdispl; } strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(repl); cp += edispl; ! if (!doall) strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 1; } else { strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } - --- 332,353 ---- sdispl = (size_t) (loc1 - cp); edispl = (size_t) (loc2 - cp); if (sdispl) { + use_bytes(sdispl); strncpy(op, cp, sdispl); op += sdispl; } + use_bytes(strlen(repl)); strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out)); op += strlen(repl); cp += edispl; ! if (!doall) { ! use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); + } matched = 1; } else { + use_bytes(strlen(cp)); strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out)); matched = 0; } *************** *** 340,346 **** - --- 355,369 ---- #else /* HAVE_REGEXP_H */ memcpy(out, in, MAX_FORMAT_BUFFER); #endif /* HAVE_REGCOMP */ + return 1; + mem_err: + #ifdef HAVE_REGCMP + regfree(&match_exp); + #endif + return 0; + } + #undef use_bytes /* * aname_replacer() - Perform the specified substitutions on the input *************** *** 412,418 **** /* Do the replacemenbt */ memset(out, '\0', MAX_FORMAT_BUFFER); ! 
do_replacement(rule, repl, doglobal, in, out); free(rule); free(repl); - --- 435,446 ---- /* Do the replacemenbt */ memset(out, '\0', MAX_FORMAT_BUFFER); ! if (!do_replacement(rule, repl, doglobal, in, out)) { ! free(rule); ! free(repl); ! kret = KRB5_LNAME_NOTRANS; ! break; ! } free(rule); free(repl); *************** *** 459,464 **** - --- 487,493 ---- char *fprincname; char *selstring = 0; int num_comps, compind; + size_t selstring_used; char *cout; krb5_data *datap; char *outstring; *************** *** 479,484 **** - --- 508,514 ---- */ current = strchr(current, ':'); selstring = (char *) malloc(MAX_FORMAT_BUFFER); + selstring_used = 0; if (current && selstring) { current++; cout = selstring; *************** *** 497,502 **** - --- 527,540 ---- aname, compind-1)) ) { + if ((datap->length < MAX_FORMAT_BUFFER) + && (selstring_used+datap->length + < MAX_FORMAT_BUFFER)) { + selstring_used += datap->length; + } else { + kret = ENOMEM; + goto errout; + } strncpy(cout, datap->data, (unsigned) datap->length); *************** *** 527,533 **** else kret = KRB5_CONFIG_BADFORMAT; ! if (kret) free(selstring); } } - --- 565,571 ---- else kret = KRB5_CONFIG_BADFORMAT; ! errout: if (kret) free(selstring); } } *************** *** 643,649 **** const char *hierarchy[5]; char **mapping_values; int i, nvalid; ! char *cp; char *typep, *argp; unsigned int lnsize; - --- 681,687 ---- const char *hierarchy[5]; char **mapping_values; int i, nvalid; ! char *cp, *s; char *typep, *argp; unsigned int lnsize; *************** *** 677,687 **** /* Just use the last one. */ /* Trim the value. */ ! cp = &mapping_values[nvalid-1] ! [strlen(mapping_values[nvalid-1])]; ! while (isspace((int) (*cp))) cp--; ! cp++; ! *cp = '\0'; /* Copy out the value if there's enough room */ if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize) - --- 715,728 ---- /* Just use the last one. */ /* Trim the value. */ ! s = mapping_values[nvalid-1]; ! cp = s + strlen(s); ! while (cp > s) { ! cp--; ! 
if (!isspace((int)(*cp))) ! break; ! *cp = '\0'; ! } /* Copy out the value if there's enough room */ if (strlen(mapping_values[nvalid-1])+1 <= (size_t) lnsize)

The patch was generated against krb5-1.3.3; it may apply, with some
offset, to other releases.

This patch may also be found at:

        http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt

The associated detached PGP signature is at:

        http://web.mit.edu/kerberos/advisories/2004-001-an_to_ln_patch.txt.asc

REFERENCES
==========

This announcement and related security advisories may be found on the MIT
Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CERT VU#686862:

        http://www.kb.cert.org/vuls/id/686862

ACKNOWLEDGMENTS
===============

Thanks to Christopher Nebergall for finding the single-byte overflow.

Thanks to Nico Williams for finding a vulnerability in the rules-based
mapping.

Thanks to Matt Crawford, John Hascall, and CERT for useful comments.

Thanks to Bill Dodd for correcting an error in a prior patch.

DETAILS
=======

krb5_aname_to_localname() translates a Kerberos principal name to a local
account name, typically a UNIX username.  In the file
src/lib/krb5/os/an_to_ln.c, the helper functions aname_replacer(),
do_replacement(), and rule_an_to_ln() do not perform adequate checks of
the lengths of strings which contain the name of the principal whose
authorization is being checked.  This can result in the overflow of heap
buffers when an attacker authenticates using a sufficiently long
principal name.

In addition, the implementation of the explicit mapping functionality in
krb5_aname_to_localname() consistently writes a zero byte at a location
one byte past the end of a heap buffer when handling a principal name
matching an explicit mapping.  Single-byte overflows of heap buffers are
known to be exploitable on some architectures.
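Review bot: in the first do_replacement hunk (270,278) the new use_bytes() macro expands to two statements with no do { ... } while (0) wrapper, so the `if (out_used > MAX_FORMAT_BUFFER) goto mem_err` escapes any unbraced `if` a caller puts it in; the later hunks brace every `if (!doall)` call site, which is the only reason this is safe today. Wrap the macro body, and update the function's header comment, which still only describes the no-regcomp fallback and says nothing about the new int return (0 means the expansion would not fit in MAX_FORMAT_BUFFER).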
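Review bot: the bound in use_bytes is `>`, so out_used may reach exactly MAX_FORMAT_BUFFER, and in the 322,338 hunk (the non-regcomp branch) `op += strlen(repl);` advances op by the full replacement length even when the preceding `strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out))` was truncated. When sdispl plus strlen(repl) sums to MAX_FORMAT_BUFFER, op ends at out + MAX_FORMAT_BUFFER, the next `MAX_FORMAT_BUFFER - 1 - (op - out)` wraps as an unsigned size, and the trailing `strncpy(op, cp, ...)` pads past the buffer even for an empty cp. The 287,303 hunk avoids this by using `op += strlen(op);`; make the second branch do the same and change the macro's test to `>=` so a terminating NUL always has room.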
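Review bot: the mem_err label added in the 340,346 hunk guards `regfree(&match_exp);` with `#ifdef HAVE_REGCMP`, but match_exp is declared under `#if HAVE_REGCOMP` in the first hunk and regfree() is the regcomp() API. As written, a regcomp build leaks the compiled expression on the error path and a regcmp-only build references an undeclared variable. Change the guard to `#if HAVE_REGCOMP`.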
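Review bot: in the aname_replacer hunk (412,418) the failure branch repeats the `free(rule); free(repl);` that immediately follows the if block; hoisting the two frees above the call and leaving only `kret = KRB5_LNAME_NOTRANS; break;` in the branch removes the duplication and the double-free risk if the `break` is ever dropped. Failing closed with KRB5_LNAME_NOTRANS for an over-long expansion is the right outcome; the context comment's "replacemenbt" typo could be fixed while here.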
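Review bot: the rule_an_to_ln hunks (459,464 through 527,533) report an over-long principal component as `kret = ENOMEM`, which callers will read as an allocation failure rather than an untranslatable name; KRB5_LNAME_NOTRANS, as used in aname_replacer, would be more accurate. The double test `datap->length < MAX_FORMAT_BUFFER && selstring_used + datap->length < MAX_FORMAT_BUFFER` is correct (the first clause stops the sum from wrapping, and `<` keeps room for the terminating NUL) and deserves a one-line comment saying so. Confirm that everything allocated between `selstring = malloc(...)` and the new `goto errout` is released at errout, since only `free(selstring)` is visible there.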
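Review bot: the trim hunk (677,687) is the fix for the one-past-the-end write described in DETAILS: the old loop started on the terminating NUL, which isspace() never matches, so it never stepped back and `cp++; *cp = '\0';` always stored a byte at index strlen+1 while trimming nothing. The new `while (cp > s)` loop is bounded and also handles an empty value. One nit: `isspace((int)(*cp))` passes a possibly negative char, which is undefined for values other than EOF; cast through `unsigned char` instead.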
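As an added illustration of the DETAILS section (example code written for this bulletin, not MIT's), the index the pre-patch trim loop would write to, computed without performing the write, beside a bounded trim modelled on the patched loop; the function names and the unsigned-char cast are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Index at which the pre-patch trim loop would store its '\0', computed
 * without doing the store.  The loop starts on the terminator, which
 * isspace() never matches, so it never steps back; the unconditional
 * cp++ then lands one byte past the terminator.  Always strlen(s) + 1,
 * i.e. one byte past the end of an exactly-sized heap string. */
size_t old_trim_write_index(const char *s)
{
    const char *cp = s + strlen(s);
    while (isspace((unsigned char)*cp))
        cp--;
    cp++;
    return (size_t)(cp - s);
}

/* Bounded right-trim in the style of the patched code: only steps back
 * while still inside the string, so an empty value is handled too. */
void trim_trailing_space(char *s)
{
    char *cp = s + strlen(s);
    while (cp > s) {
        cp--;
        if (!isspace((unsigned char)*cp))
            break;
        *cp = '\0';
    }
}

/* Trim a copy of `in` and report whether the result equals `want`. */
int trim_gives(const char *in, const char *want)
{
    char buf[64];
    if (strlen(in) >= sizeof buf)
        return 0;
    strcpy(buf, in);
    trim_trailing_space(buf);
    return strcmp(buf, want) == 0;
}
```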
The vulnerability in the explicit mapping functionality was fixed around
December 2003 in the development sources, but the fix was not propagated
to the krb5-1.3.x release branch.

REVISION HISTORY
================

2004-06-02  patch updated to fix error
2004-06-01  original release
Copyright (C) 2004 Massachusetts Institute of Technology

[***** End MIT krb5 Security Advisory 2004-001 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of MIT for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-145: Red Hat Updated Kernel Packages for Enterprise Linux 3
O-146: kdelibs Package Vulnerabilities
O-147: Linux CVS Server Heap Overflow Vulnerability
O-148: Linux Neon and Cadaver Buffer Overflow Vulnerability
O-149: Norton AntiVirus 2004 ActiveX Control Vulnerability
O-150: Multiple Security Problems in Ethereal 0.10.3
O-151: Apple Mac OS X Help Viewer Vulnerability
O-152: HP OpenView Select Access Remote Unauthorized Access
O-153: Oracle E-Business Suite SQL Injection Vulnerability
O-154: Microsoft – Crystal Reports Web Viewer Information Disclosure
       Vulnerability