• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: KTH Kerberos 4 Arbitrary Proxy Usage Vulnerability

Severity: MODERATE

Description:

Kerberos is a widely used network service authentication system. The version of Kerberos developed and maintained by KTH (Swedish Royal Institute of Technology) contains a vulnerability that may allow/assist in a local or remote root compromise.

KTH Kerberos uses an environment variable called 'krb4_proxy' when a proxy server is required to retrieve tickets via HTTP. KTH Kerberos-supported services will contact the supplied proxy server (the value of krb4_proxy) instead of the default Kerberos server if this variable is set.

It is possible for malicious remote users (before authenticating) to remotely set the value of this variable and have the server program contact a fake Kerberos server. This would allow the attacker to intercept authentication requests and/or send false replies to the service they are attempting to use. An attacker, for example, could send the environment variable via telnet to a Kerberos supporting telnet daemon.

This attack allows malicious users in control of a fake Kerberos server to exploit a buffer overflow vulnerability (See Bugtraq ID 2091) in the Kerberos shared libraries with malformed replies. If exploited, the combined vulnerabilities may provide remote root access to attackers.

Affected Products:

• KTH Kerberos 4 0.0.00.0
• KTH Kerberos 4 0.1.0
• KTH Kerberos 4 0.10.0
• KTH Kerberos 4 0.10.1
• KTH Kerberos 4 0.5.0
• KTH Kerberos 4 0.6.0
• KTH Kerberos 4 0.7.0
• KTH Kerberos 4 0.8.0
• KTH Kerberos 4 0.9.0
• KTH Kerberos 4 0.9.1
• KTH Kerberos 4 0.9.2
• KTH Kerberos 4 0.9.2a
• KTH Kerberos 4 0.9.3
• KTH Kerberos 4 0.9.5
• KTH Kerberos 4 0.9.6
• KTH Kerberos 4 0.9.6+patches
• KTH Kerberos 4 0.9.7
• KTH Kerberos 4 0.9.8
• KTH Kerberos 4 0.9.9
• KTH Kerberos 4 1.0.0
• KTH Kerberos 4 1.0.0-1.0.1
• KTH Kerberos 4 1.0.1
• KTH Kerberos 4 1.0.1-1
• KTH Kerberos 4 1.0.2
• KTH Kerberos 4 1.0.3
• KTH Kerberos 4 1.0.3-1
• KTH Kerberos 4 1.0.3-1.0

References:

• Swedish Royal Institute of Technology: KTH Kerberos Homepage

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.