CVE-2004-0772
CVSS 7.5
Published: 2004-10-20 00:00:00
Revised: 2016-10-17 22:48:54

[Original] Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.


[CNNVD] MIT Kerberos 5 Multiple Double-Free Vulnerabilities (CNNVD-200410-072)

The error-handling code of krb524d in MIT Kerberos 5 (krb5) 1.2.8 and earlier contains a double-free vulnerability. A remote attacker can execute arbitrary code.

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is required for exploitation]

- CWE (Weakness Category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (Affected Platforms and Products)

cpe:/a:mit:kerberos:5_1.1.1  MIT Kerberos 5 1.1.1
cpe:/a:mit:kerberos:5-1.3  MIT Kerberos 5 1.3
cpe:/a:mit:kerberos:5-1.2.3  MIT Kerberos 5 1.2.3
cpe:/a:mit:kerberos:5-1.3.2  MIT Kerberos 5 1.3.2
cpe:/a:mit:kerberos:5-1.2.4  MIT Kerberos 5 1.2.4
cpe:/a:mit:kerberos:5-1.3.3  MIT Kerberos 5 1.3.3
cpe:/a:mit:kerberos:5_1.0.6  MIT Kerberos 5 1.0.6
cpe:/a:mit:kerberos:1.0.8  mit
cpe:/a:mit:kerberos:5-1.2.1  MIT Kerberos 5 1.2.1
cpe:/a:mit:kerberos:5-1.2.2  MIT Kerberos 5 1.2.2
cpe:/a:mit:kerberos:5-1.3.1  MIT Kerberos 5 1.3.1
cpe:/a:mit:kerberos:5-1.2.7  MIT Kerberos 5 1.2.7
cpe:/a:mit:kerberos:5-1.2.8  MIT Kerberos 5 1.2.8
cpe:/a:mit:kerberos:1.0
cpe:/a:mit:kerberos:5-1.2.5  MIT Kerberos 5 1.2.5
cpe:/a:mit:kerberos:5-1.3.4  MIT Kerberos 5 1.3.4
cpe:/a:mit:kerberos:5-1.2.6  MIT Kerberos 5 1.2.6
cpe:/a:mit:kerberos:5-1.3:alpha1  MIT Kerberos 5 1.3 alpha1
cpe:/a:mit:kerberos:1.2.2.beta1
cpe:/a:mit:kerberos:5-1.2  MIT Kerberos 5 1.2

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:4661  MIT Kerberos 5 Multiple Double-Free Vulnerabilities
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0772
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0772
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-072
(Official data source) CNNVD

- Other Links and Resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000860
(UNKNOWN)  CONECTIVA  CLA-2004:860
http://marc.info/?l=bugtraq&m=109508872524753&w=2
(UNKNOWN)  BUGTRAQ  20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos)
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
(VENDOR_ADVISORY)  CONFIRM  http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
http://www.debian.org/security/2004/dsa-543
(UNKNOWN)  DEBIAN  DSA-543
http://www.gentoo.org/security/en/glsa/glsa-200409-09.xml
(UNKNOWN)  GENTOO  GLSA-200409-09
http://www.kb.cert.org/vuls/id/350792
(UNKNOWN)  CERT-VN  VU#350792
http://www.mandriva.com/security/advisories?name=MDKSA-2004:088
(UNKNOWN)  MANDRAKE  MDKSA-2004:088
http://www.securityfocus.com/bid/11078
(UNKNOWN)  BID  11078
http://www.trustix.net/errata/2004/0045/
(UNKNOWN)  TRUSTIX  2004-0045
http://www.us-cert.gov/cas/techalerts/TA04-247A.html
(VENDOR_ADVISORY)  CERT  TA04-247A
http://xforce.iss.net/xforce/xfdb/17158
(VENDOR_ADVISORY)  XF  kerberos-krb524d-double-free(17158)

- Vulnerability Information

MIT Kerberos 5 Multiple Double-Free Vulnerabilities
High risk  Design error
2004-10-20 00:00:00  2005-10-20 00:00:00
Remote
The error-handling code of krb524d in MIT Kerberos 5 (krb5) 1.2.8 and earlier contains a double-free vulnerability. A remote attacker can execute arbitrary code.

- Advisories and Patches

The vendor has released an advisory (MITKRB5-SA-2004-002) along with patches to resolve these issues. Please see the referenced advisory for further information.
Debian GNU/Linux has released an advisory (DSA 543-1) along with fixes to address these and other issues. Please see the referenced advisory for further information.
RedHat Linux has released advisory RHSA-2004:350-12 along with fixes to address these and other issues in RedHat Enterprise Linux operating systems. Please see the referenced advisory for further information.
RedHat Linux has released advisories (FEDORA-2004-276, and FEDORA-2004-277) to address these and other issues for RedHat Fedora Core 1 and 2 respectively. Please see the referenced advisories for further information.
Cisco has released an advisory (cisco-sa-20040831-krb5) to address these and other issues for Cisco VPN 3000 series products. Please see the referenced advisory for further information on obtaining fixes.
Mandrake has released an advisory (MDKSA-2004:088) and fixes to address these issues. Please see the referenced advisory for further information on obtaining fixes.
Trustix has released an advisory (TSL-2004-0045) to address various issues in kerberos5. Please see the referenced advisory for more information.
Gentoo advisory available. Users are advised to upgrade by performing the following steps:
    emerge sync
    emerge -pv ">=app-crypt/mit-krb5-1.3.4"
    emerge ">=app-crypt/mit-krb5-1.3.4"
Conectiva has made advisory CLSA-2004:860 along with fixes available resolving these and other issues. Please see the referenced advisory for more information.
Avaya has released advisory ASA-2004-039 dealing with these issues. Please see the referenced web advisory for more information.
OpenPKG has released advisory OpenPKG-SA-2004.039 to address these, and other issues. Please see the referenced advisory for further information.
Turbolinux has released advisory TLSA-2004-22 to address these, and other issues. Please see the referenced advisory for further information.
Sun has released Security Alert ID 57631 along with fixes for these issues. Please see the web reference for more information. On 24 Sept 2004, Sun withdrew patch 112908-15. On 28 Sept 2004, the patch has become available again with an updated Security Alert.
IBM has released an advisory (2004-09-30-ASN.1) to address these issues in AIX. Please see the referenced advisory for more information about obtaining fixes.
IBM has released information about some of these issues affecting IBM Tivoli Access Manager for e-business version 5.1. Please see the IBM 'MIT Kerberos 5 Vulnerabilities' reference in Web references for more information about obtaining fixes.
Apple has released an advisory (APPLE-SA-2004-12-02) dealing with this and other issues. Please see the referenced advisory for more information.
Fedora Legacy has released security advisory FLSA:154276 addressing this issue for RedHat Linux 7.3 and 9, and for Fedora Core 1. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Sun SEAM 1.0.2

MIT Kerberos 5 1.2.4

- Vulnerability Information (F34229)

mit-2004-002.txt (PacketStormID:F34229)
2004-09-08 00:00:00
advisory,remote,arbitrary,vulnerability
CVE-2004-0642,CVE-2004-0772,CVE-2004-0643

MIT krb5 Security Advisory 2004-002 - The MIT Kerberos 5 implementation's Key Distribution Center (KDC) program contains a double-free vulnerability that potentially allows a remote attacker to execute arbitrary code. Compromise of a KDC host compromises the security of the entire authentication realm served by the KDC. Additionally, double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and application servers vulnerable.


                 MIT krb5 Security Advisory 2004-002

Original release: 2004-08-31

Topic: double-free vulnerabilities in KDC and libraries

Severity: CRITICAL

SUMMARY
=======

The MIT Kerberos 5 implementation's Key Distribution Center (KDC)
program contains a double-free vulnerability that potentially allows a
remote attacker to execute arbitrary code.  Compromise of a KDC host
compromises the security of the entire authentication realm served by
the KDC.  Additionally, double-free vulnerabilities exist in MIT
Kerberos 5 library code, making client programs and application
servers vulnerable.

Exploitation of double-free bugs is believed to be difficult.  No
exploits are known to exist for these vulnerabilities.

IMPACT
======

* An unauthenticated remote attacker can potentially execute arbitrary
  code on a KDC host, compromising an entire Kerberos
  realm. [CAN-2004-0642]

* A remote attacker can potentially execute arbitrary code on a host
  running krb524d, possibly compromising an entire Kerberos realm if
  the host is a KDC host. [CAN-2004-0772]

* An authenticated attacker can also potentially execute arbitrary
  code on hosts running vulnerable services. [CAN-2004-0643]

* An attacker impersonating a legitimate KDC or application server can
  potentially execute arbitrary code on a client host while the client
  is authenticating. [CAN-2004-0642]

AFFECTED SOFTWARE
=================

* KDC software from all releases of MIT Kerberos 5 up to and including
  krb5-1.3.4. [CAN-2004-0642]

* The krb524d program from krb5-1.2.8 and later.  The krb524d present
  in earlier releases is vulnerable if it has been patched to disable
  krb4 cross-realm functionality. [CAN-2004-0772]

* Applications calling the krb5_rd_cred() function in releases prior
  to krb5-1.3.2.  Such applications in the MIT krb5 releases include
  the remote login daemons (krshd, klogind, and telnetd) and the FTP
  daemon. The krb5_rd_cred() function decrypts and decodes forwarded
  Kerberos credentials.  Third-party applications calling this
  function directly or indirectly (by means of the GSSAPI or other
  libraries) are vulnerable. [CAN-2004-0643]

* Client code from all releases of MIT Kerberos 5 up to and including
  krb5-1.3.4.  Third-party applications directly or indirectly calling
  client library functions may also be vulnerable. [CAN-2004-0642]

FIXES
=====

* The upcoming krb5-1.3.5 release will contain fixes for these
  problems.

* Apply the appropriate patch or patches referenced below, and rebuild
  the software.

  - If you are running krb5-1.3 through krb5-1.3.4, apply
    2004-002-patch_1.3.4.txt.

  - If you are running krb5-1.3 through krb5-1.3.1, apply
    2004-002-patch_1.3.1.txt.

  - If you are running krb5-1.2.8, apply
    2004-002-patch_1.2.8.txt.

  - Things become more complicated if you are running krb5-1.2 through
    krb5-1.2.7.  The correct set of patches to apply will depend on
    whether you have applied the patches to disable krb4 cross-realm
    functionality [MITKRB5-SA-2003-004].

    + If you are running krb5-1.2.6 through krb5-1.2.7, and have
      applied the patches to disable krb4 cross-realm functionality,
      apply 2004-002-patch_1.2.8.txt.

    + If you are running krb5-1.2 through krb5-1.2.5, and have applied
      the patches to disable krb4 cross-realm functionality, apply
      2004-002-patch_1.2.7.txt, followed by
      2004-002-k524d_patch_1.2.5.txt.

    + If you are running krb5-1.2 through krb5-1.2.7, and have not
      applied the patches to disable krb4 cross-realm functionality,
      apply 2004-002-patch_1.2.7.txt.

Summary chart of patches to apply for releases krb5-1.2 through krb5-1.2.7:

            | patched for 2003-004           | not patched for 2003-004
 -----------+--------------------------------+--------------------------
 krb5-1.2.7 |                                |
 -----------+ 2004-002-patch_1.2.8.txt       |
 krb5-1.2.6 |                                |
 -----------+--------------------------------+ 2004-002-patch_1.2.7.txt
 krb5-1.2.5 | 2004-002-patch_1.2.7.txt       |
 through    |     and                        |
 krb5-1.2   | 2004-002-k524d_patch_1.2.5.txt |

Patches available:

* Patch for krb5-1.3.4 (2004-002-patch_1.3.4.txt)

* Patch for krb5-1.3.1 (2004-002-patch_1.3.1.txt)

* Patch for krb5-1.2.8 (2004-002-patch_1.2.8.txt)

* Patch for krb5-1.2.7 (2004-002-patch_1.2.7.txt)

* Patch for krb524d in krb5-1.2.5 which has been previously patched
  to disable krb4 cross-realm (2004-002-k524d_patch_1.2.5.txt)

Note: Each patch is generated against the specific release noted
above.  The patches may apply with some offset against other
compatible releases listed above.

2004-002-patch_1.3.4.txt
========================

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.4.txt.asc

2004-002-patch_1.3.1.txt
========================

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.3.1.txt.asc

2004-002-patch_1.2.8.txt
========================

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.8.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-patch_128.txt.asc

2004-002-patch_1.2.7.txt
========================

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-patch_1.2.7.txt.asc

2004-002-k524d_patch_1.2.5.txt
==============================

  http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-002-k524d_patch_1.2.5.txt.asc

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CERT VU#795632

        http://www.kb.cert.org/vuls/id/795632

CVE CAN-2004-0642

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642

        KDC and client libraries double-free on error conditions in
        MIT Kerberos 5 releases krb5-1.3.4 and earlier, allowing
        unauthenticated remote attackers to execute arbitrary code

CERT VU#866472

        http://www.kb.cert.org/vuls/id/866472

CVE CAN-2004-0643

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643

        krb5_rd_cred() double-frees on error conditions in MIT
        Kerberos 5 releases krb5-1.3.1 and earlier, allowing
        authenticated attackers to execute arbitrary code

VU#350792

        http://www.kb.cert.org/vuls/id/350792

CVE CAN-2004-0772

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772

        krb524d in krb5-1.2.8 and later double-frees on error
        conditions, allowing remote attackers to execute arbitrary
        code.  Earlier releases patched for the krb4 protocol
        vulnerability [MITKRB5-SA-2003-004] are also vulnerable.

ACKNOWLEDGMENTS
===============

Thanks to Will Fiveash and Nico Williams at Sun for finding some of
these vulnerabilities and for providing initial patches.

Thanks to Marc Horowitz for discovering the krb524d vulnerability.

Thanks to Nalin Dahyabhai for providing a corrected patch for krb524d
in releases krb5-1.2 through krb5-1.2.5 in cases where krb524d has
been patched to disable krb4 cross-realm functionality.

Thanks to Joseph Galbraith and John Hawkinson, who both independently
discovered the double-free in krb5_rd_cred() which was corrected in
release krb5-1.3.2.

DETAILS
=======

In the MIT krb5 library, in all releases up to and including
krb5-1.3.4, ASN.1 decoder functions and their callers do not use a
consistent set of memory management conventions.  The callers expect
the decoders to allocate memory.  The callers typically have
error-handling code which frees memory allocated by the ASN.1 decoders
if pointers to the allocated memory are non-null.  Upon encountering
error conditions, the ASN.1 decoders themselves free memory which they
have allocated, but do not null the corresponding pointers.  When some
library functions receive errors from the ASN.1 decoders, they attempt
to pass the non-null pointer (which points to freed memory) to free(),
causing a double-free.

In all releases of MIT krb5 up to and including krb5-1.3.4, cleanup
code in the KDC frees memory returned by ASN.1 decoders.  This cleanup
code only frees memory pointed to by non-null pointers, but if an
ASN.1 decoder returns an error, the cleanup code will free memory
previously freed by the decoder.

Implementations of krb5_rd_cred() prior to the krb5-1.3.2 release
contained code to explicitly free the buffer returned by the ASN.1
decoder function decode_krb5_enc_cred_part() when the decoder returns
an error.  This is another double-free, since the decoder would itself
free the buffer on error.  Since decode_krb5_enc_cred_part() does not
get called unless the decryption of the encrypted part of the KRB-CRED
is successful, the attacker needs to have authenticated.  This code
was corrected in the krb5-1.3.2 release.

The patch (introduced in krb5-1.2.8 and present in all subsequent
releases) for disabling krb4 cross-realm authentication in krb524d
introduced a double-free vulnerability.  If handle_classic_v4() denies
the conversion of a cross-realm ticket, v5tkt->enc_part2 gets freed
but not nulled, so do_connection() double-frees many things when it
subsequently calls krb5_free_ticket().
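The decoder/caller ownership mismatch described above (and the same freed-but-not-nulled pattern behind the krb524d bug) as an added example that is not MIT code: a hypothetical decoder in both its buggy and its fixed form, with a tracking stand-in for free() that counts a second free of the same block instead of performing it, so the program runs without corrupting the heap. All names and the sample input are constructed for this example.

```c
/* Added example, not MIT code: the ownership mismatch described above,
 * with tracked_free() standing in for free() so a second free of the same
 * block is counted rather than performed. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* blocks currently allocated via tracked_malloc */
static int double_frees;       /* times an already-freed block was freed again */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;            /* p is not live: a real free() here would be a double free */
}

/* Decoder convention from the advisory: allocate *out and free it on error.
 * With null_on_error == 0 the freed pointer stays in *out (the bug). */
static int decode(const unsigned char *in, size_t len, char **out, int null_on_error) {
    *out = tracked_malloc(len + 1);
    if (!*out) return -1;
    memcpy(*out, in, len);
    (*out)[len] = '\0';
    if (in[0] != 0x30) {                 /* wrong outer tag: decoding fails */
        tracked_free(*out);
        if (null_on_error) *out = NULL;  /* the fix: no dangling pointer escapes */
        return -2;
    }
    return 0;
}

/* Caller cleanup as in the KDC and krb524d: free whatever is non-NULL.
 * Returns how many double frees this one request caused. */
int handle_request(const unsigned char *msg, size_t len, int fixed_decoder) {
    char *body = NULL;
    int before = double_frees;
    (void)decode(msg, len, &body, fixed_decoder);   /* success path would use body */
    if (body) tracked_free(body);                    /* second free if body dangles */
    return double_frees - before;
}

static const unsigned char BAD_MSG[] = {0x31, 0x02, 0x01, 0x00}; /* constructed: bad tag */
int main(void) {
    printf("buggy decoder: %d double free(s)\n", handle_request(BAD_MSG, 4, 0));
    printf("fixed decoder: %d double free(s)\n", handle_request(BAD_MSG, 4, 1));
    return 0;
}
```

The hardened fix used by later krb5 releases is the same idea applied consistently: whoever frees a pointer on the error path also resets it, so the caller's "free if non-NULL" cleanup cannot hit freed memory.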

REVISION HISTORY
================

2004-08-31      original release

Copyright (C) 2004 Massachusetts Institute of Technology

- Vulnerability Information

9409
MIT Kerberos 5 krb524d Double-free Error Condition Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability Description

MIT Kerberos contains a flaw that may allow a malicious user to execute arbitrary commands. The issue is due to a double-free condition inside the Key Distribution Center (KDC) code. Under some circumstances, a KDC host could be compromised by a remote attacker. No further details have been provided.

- Timeline

2004-08-31 Unknown
Unknown Unknown

- Solution

Upgrade to version 5-1.3.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author
