J-Security Center


Title: MIT Kerberos 5 KAdminD Server RPC Type Conversion Stack Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Kerberos is a network-authentication protocol; 'kadmind' (Kerberos Administration Daemon) is the administration server for Kerberos networks.

Kerberos 5 'kadmind' is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Specifically, the problem is due to a type conversion in the 'gssrpc__svcauth_unix()' function in the 'src/lib/rpc/svc_auth_unix.c' RPC source file. The 'str_len' parameter is defined as a signed integer, but it is assigned an unsigned integer read from the request by 'IXDR_GET_U_LONG'. Because of this conversion, a sufficiently large value becomes negative in 'str_len', so the later comparison against the 'MAX_MACHINE_NAME' limit passes. After the check passes, the affected function calls 'memmove()' with that value as the length argument, copying into a fixed-size buffer on the stack. This issue is very difficult to exploit because the very large length passed to 'memmove()' will likely cause a memory access fault before the function returns.
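The check described above, reconstructed as a constructed example (this is not MIT's svc_auth_unix.c) that places the signed-compare pattern beside the unsigned form that closes the hole; MAX_MACHINE_NAME is assumed to be 255, and the three length fields are constructed samples:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the advisory's signed/unsigned mix-up; this is
 * not MIT's svc_auth_unix.c. MAX_MACHINE_NAME is assumed to be 255, the
 * Sun RPC limit for the AUTH_UNIX machine-name field. */
#define MAX_MACHINE_NAME 255

/* Decode a big-endian 32-bit XDR unsigned long, as IXDR_GET_U_LONG does. */
static uint32_t xdr_get_u_long(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the unsigned wire value lands in a signed int, so any
 * length >= 0x80000000 becomes negative (32-bit int, two's complement) and
 * sails past a signed "> MAX_MACHINE_NAME" test. Returns 1 if accepted. */
int length_check_vulnerable(const unsigned char *wire)
{
    int str_len = (int)xdr_get_u_long(wire);  /* unsigned -> signed */
    if (str_len > MAX_MACHINE_NAME)           /* signed comparison */
        return 0;                             /* rejected */
    return 1;                                 /* accepted; memmove() would follow */
}

/* Hardened pattern: keep the length unsigned so the bound is checked in the
 * unsigned domain; nothing above MAX_MACHINE_NAME can be accepted. */
int length_check_fixed(const unsigned char *wire)
{
    uint32_t str_len = xdr_get_u_long(wire);
    if (str_len > MAX_MACHINE_NAME)
        return 0;
    return 1;
}

/* Constructed sample length fields (network byte order). */
const unsigned char LEN_SMALL[4] = { 0x00, 0x00, 0x00, 0x10 }; /* 16 */
const unsigned char LEN_BIG[4]   = { 0x00, 0x00, 0x01, 0x00 }; /* 256 */
const unsigned char LEN_WRAP[4]  = { 0xFF, 0xFF, 0xFF, 0xF0 }; /* 4294967280, -16 as int */

int main(void)
{
    printf("vulnerable: small=%d big=%d wrap=%d\n", length_check_vulnerable(LEN_SMALL),
           length_check_vulnerable(LEN_BIG), length_check_vulnerable(LEN_WRAP));
    printf("fixed:      small=%d big=%d wrap=%d\n", length_check_fixed(LEN_SMALL),
           length_check_fixed(LEN_BIG), length_check_fixed(LEN_WRAP));
    return 0;
}
```

The wrapped sample is accepted by the vulnerable check and rejected by the fixed one, which is exactly the difference a code review or a compiler's sign-comparison warning should surface.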

An attacker can exploit this issue to execute arbitrary code with administrative privileges. A successful attack can result in the complete compromise of the application. Failed attempts will likely result in denial-of-service conditions.

This issue also affects third-party applications using the affected RPC library.

All 'kadmind' servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

Kerberos 5 'kadmind' 1.6.1 and prior versions are vulnerable.

Affected Products:

  • Apple Mac OS X 10.3.9
  • Apple Mac OS X 10.4.10
  • Apple Mac OS X Server 10.3.9
  • Apple Mac OS X Server 10.4.10
  • Avaya AES 4.0
  • Avaya Message Networking
  • Avaya Message Networking MN 3.1
  • Avaya Messaging Storage Server MSS 3.0
  • Conectiva Linux 8.0.0
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 amd64
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 m68k
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • Foresight Linux Foresight Linux 1.1
  • Gentoo Linux
  • KTH Kerberos 4 0.0.00.0
  • KTH Kerberos 4 0.1.0
  • KTH Kerberos 4 0.10.0
  • KTH Kerberos 4 0.10.1
  • KTH Kerberos 4 0.5.0
  • KTH Kerberos 4 0.6.0
  • KTH Kerberos 4 0.7.0
  • KTH Kerberos 4 0.8.0
  • KTH Kerberos 4 0.9.0
  • KTH Kerberos 4 0.9.1
  • KTH Kerberos 4 0.9.2
  • KTH Kerberos 4 0.9.2a
  • KTH Kerberos 4 0.9.3
  • KTH Kerberos 4 0.9.5
  • KTH Kerberos 4 0.9.6
  • KTH Kerberos 4 0.9.6+patches
  • KTH Kerberos 4 0.9.7
  • KTH Kerberos 4 0.9.8
  • KTH Kerberos 4 0.9.9
  • KTH Kerberos 4 1.0.0
  • KTH Kerberos 4 1.0.0-1.0.1
  • KTH Kerberos 4 1.0.0.x
  • KTH Kerberos 4 1.0.1
  • KTH Kerberos 4 1.0.1-1
  • KTH Kerberos 4 1.0.2
  • KTH Kerberos 4 1.0.3
  • KTH Kerberos 4 1.0.3-1
  • KTH Kerberos 4 1.0.3-1.0
  • KTH Kerberos 4 1.0.4
  • KTH Kerberos 4 1.1.1
  • MIT Kerberos 4 1.0.0
  • MIT Kerberos 4 1.1.0
  • MIT Kerberos 4 4.0.0
  • MIT Kerberos 4 4.0.0 patch 10
  • MIT Kerberos 4 Protocol 0.0.0
  • MIT Kerberos 5 1.0.0
  • MIT Kerberos 5 1.0.6
  • MIT Kerberos 5 1.0.8
  • MIT Kerberos 5 1.1.0
  • MIT Kerberos 5 1.1.1
  • MIT Kerberos 5 1.2.0
  • MIT Kerberos 5 1.2.1
  • MIT Kerberos 5 1.2.2
  • MIT Kerberos 5 1.2.2 -beta1
  • MIT Kerberos 5 1.2.3
  • MIT Kerberos 5 1.2.4
  • MIT Kerberos 5 1.2.5
  • MIT Kerberos 5 1.2.6
  • MIT Kerberos 5 1.2.7
  • MIT Kerberos 5 1.2.8
  • MIT Kerberos 5 1.3.0
  • MIT Kerberos 5 1.3.0 -alpha1
  • MIT Kerberos 5 1.3.1
  • MIT Kerberos 5 1.3.2
  • MIT Kerberos 5 1.3.3
  • MIT Kerberos 5 1.3.4
  • MIT Kerberos 5 1.3.5
  • MIT Kerberos 5 1.3.6
  • MIT Kerberos 5 1.4.0
  • MIT Kerberos 5 1.4.1
  • MIT Kerberos 5 1.4.2
  • MIT Kerberos 5 1.4.3
  • MIT Kerberos 5 1.5.0
  • MIT Kerberos 5 1.5.1
  • MIT Kerberos 5 1.5.2
  • MIT Kerberos 5 1.5.3
  • MIT Kerberos 5 1.5.4
  • MIT Kerberos 5 1.6.0
  • MIT Kerberos 5 1.6.1
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Corporate Server 4.0
  • MandrakeSoft Corporate Server 4.0.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 2007.0
  • MandrakeSoft Linux Mandrake 2007.0 x86_64
  • MandrakeSoft Linux Mandrake 2007.1
  • MandrakeSoft Linux Mandrake 2007.1 x86_64
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Linux Mandrake 9.2.0
  • MandrakeSoft Linux Mandrake 9.2.0 amd64
  • MandrakeSoft Multi Network Firewall 2.0.0
  • Novell KDC (Key Distribution Center) 1.0
  • Novell KDC (Key Distribution Center) 1.0.2
  • OpenAFS OpenAFS 1.0.0
  • OpenAFS OpenAFS 1.0.1
  • OpenAFS OpenAFS 1.0.2
  • OpenAFS OpenAFS 1.0.3
  • OpenAFS OpenAFS 1.0.4
  • OpenAFS OpenAFS 1.0.4 a
  • OpenAFS OpenAFS 1.1.0
  • OpenAFS OpenAFS 1.1.1
  • OpenAFS OpenAFS 1.1.1 a
  • OpenAFS OpenAFS 1.2.0
  • OpenAFS OpenAFS 1.2.1
  • OpenAFS OpenAFS 1.2.2
  • OpenAFS OpenAFS 1.2.2 a
  • OpenAFS OpenAFS 1.2.2 b
  • OpenAFS OpenAFS 1.2.3
  • OpenAFS OpenAFS 1.2.4
  • OpenAFS OpenAFS 1.2.5
  • OpenAFS OpenAFS 1.2.6
  • OpenAFS OpenAFS 1.2.7
  • OpenAFS OpenAFS 1.2.8
  • OpenAFS OpenAFS 1.3.0
  • OpenAFS OpenAFS 1.3.1
  • OpenAFS OpenAFS 1.3.2
  • OpenBSD OpenBSD 3.1
  • OpenBSD OpenBSD 3.2
  • RedHat Advanced Workstation for the Itanium Processor 2.1.0
  • RedHat Desktop 3.0.0
  • RedHat Desktop 4.0.0
  • RedHat Enterprise Linux 5 server
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux AS 4
  • RedHat Enterprise Linux Desktop 5 client
  • RedHat Enterprise Linux Desktop Workstation 5 client
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux ES 4
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 3
  • RedHat Enterprise Linux WS 4
  • RedHat Fedora Core1
  • RedHat Fedora Core2
  • RedHat Fedora Core3
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 7.3.0
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 8.0.0
  • RedHat Linux 8.0.0 i386
  • RedHat Linux 9.0.0 i386
  • SGI ProPack 3.0.0 SP6
  • SuSE Linux 10.0
  • SuSE Linux 10.1
  • SuSE SLE SDK 10
  • SuSE SLED 10.0
  • SuSE SLES 10
  • SuSE openSUSE 10.2
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 2.1.0
  • Trustix Secure Linux 2.2.0
  • Trustix Secure Linux 3.0.0
  • Trustix Secure Linux 3.0.5
  • Turbolinux Appliance Server 2.0
  • Turbolinux Home
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Turbolinux 10 F...
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 10.0.0
  • Turbolinux Turbolinux Server 10.0.0 x64
  • Turbolinux Turbolinux Server 8.0.0
  • Ubuntu Ubuntu Linux 6.06 LTS amd64
  • Ubuntu Ubuntu Linux 6.06 LTS i386
  • Ubuntu Ubuntu Linux 6.06 LTS powerpc
  • Ubuntu Ubuntu Linux 6.06 LTS sparc
  • Ubuntu Ubuntu Linux 6.10 amd64
  • Ubuntu Ubuntu Linux 6.10 i386
  • Ubuntu Ubuntu Linux 6.10 powerpc
  • Ubuntu Ubuntu Linux 6.10 sparc
  • Ubuntu Ubuntu Linux 7.04 amd64
  • Ubuntu Ubuntu Linux 7.04 i386
  • Ubuntu Ubuntu Linux 7.04 powerpc
  • Ubuntu Ubuntu Linux 7.04 sparc
  • VMWare ESX Server 2.0.2
  • VMWare ESX Server 2.0.2 Patch 1
  • VMWare ESX Server 2.0.2 Patch 2
  • VMWare ESX Server 2.0.2 Patch 4
  • VMWare ESX Server 2.0.2 Patch 5
  • VMWare ESX Server 2.1.3
  • VMWare ESX Server 2.1.3 Patch 1
  • VMWare ESX Server 2.1.3 Patch 2
  • VMWare ESX Server 2.1.3 Patch 4
  • VMWare ESX Server 2.1.3 Patch 5
  • VMWare ESX Server 2.5.3
  • VMWare ESX Server 2.5.3 Patch 2
  • VMWare ESX Server 2.5.3 Patch 4
  • VMWare ESX Server 2.5.3 Patch 5
  • VMWare ESX Server 2.5.3 Patch 6
  • VMWare ESX Server 2.5.3 Patch 7
  • VMWare ESX Server 2.5.3 Patch 8
  • VMWare ESX Server 2.5.4
  • VMWare ESX Server 2.5.4 Patch 1
  • VMWare ESX Server 2.5.4 Patch 3
  • VMWare ESX Server 2.5.4 Patch 5
  • VMWare ESX Server 3.0.0
  • VMWare ESX Server 3.0.1
  • VMWare ESX Server 3.0.2
  • WireX Immunix OS 7+
  • rPath rPath Linux 1

References:
