CVE-2004-1189
CVSS 7.2
Published: 2004-12-31 00:00:00
Revised: 2016-10-17 22:52:06

[Original] The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.


[CNNVD] MIT Kerberos 5 administration library libkadm5srv remote heap overflow vulnerability (CNNVD-200412-725)

        
        Kerberos is a widely used network protocol that uses strong cryptography to authenticate clients and servers.
        The MIT Kerberos 5 administration library (libkadm5srv) has a heap overflow in its password history handling code. An authenticated user, not necessarily one with administrative privileges, could exploit it to execute arbitrary code with the privileges of the administration daemon on the KDC host.
        The overflow is in add_to_history() in src/lib/kadm5/srv/svr_principal.c. The password history is stored as a ring buffer: an array of osa_pw_ent_rec pointed to by adb->old_keys. adb->old_key_next is an index into that array, the array length is held in adb->old_key_len, the array is resized dynamically as needed, and there is no separate head pointer.
        The policy's history count is stored in pol->pw_hist_num, but the maximum number of keys actually held in adb->old_keys is pol->pw_hist_num-1, because the "current" key data are also used for history comparison when a password change occurs.
        When adb->old_key_next is less than pol->pw_hist_num-1, it is permitted to point one position past the end of adb->old_keys. This out-of-bounds index is normally fixed up when a later call to add_to_history() enlarges the array.
        If pol->pw_hist_num is reduced to adb->old_key_next after a password change that left adb->old_key_next out of bounds, the next password change does not run the resizing code, and add_to_history() writes the password history entry past the end of the adb->old_keys array.
        A crafted password change could therefore execute arbitrary code with the privileges of the process; MIT considers exploitation difficult because the overflow extends only a limited distance past the array.
        An administrator must first have performed a particular password policy change (a reduction of the history count) for a principal to reach the vulnerable state.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system shutdown]
Access complexity: LOW [no special access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]
Note: the LOCAL/NONE values above are NVD's scoring; the MIT advisory reproduced below describes the attacker as an authenticated Kerberos principal performing a password change through kadmind, which need not be local to the KDC.

- CPE (affected platforms and products)

cpe:/a:mit:kerberos:5-1.3.1  MIT Kerberos 5 1.3.1
cpe:/a:mit:kerberos:5-1.3.5  MIT Kerberos 5 1.3.5
cpe:/a:mit:kerberos:5-1.2    MIT Kerberos 5 1.2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11911  The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does...
*OVAL describes in detail how to detect this vulnerability; the referenced OVAL definition gives further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1189
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1189
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-725
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000917
(UNKNOWN)  CONECTIVA  CLA-2005:917
http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2005-08-17
http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-08-15
http://marc.info/?l=bugtraq&m=110358420909358&w=2
(UNKNOWN)  BUGTRAQ  20041220 MITKRB5-SA-2004-004: heap overflow in libkadm5srv
http://marc.info/?l=bugtraq&m=110548298407590&w=2
(UNKNOWN)  BUGTRAQ  20050110 [USN-58-1] MIT Kerberos server vulnerability
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt
(VENDOR_ADVISORY)  CONFIRM  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt
http://www.mandriva.com/security/advisories?name=MDKSA-2004:156
(UNKNOWN)  MANDRAKE  MDKSA-2004:156
http://www.redhat.com/support/errata/RHSA-2005-012.html
(UNKNOWN)  REDHAT  RHSA-2005:012
http://www.redhat.com/support/errata/RHSA-2005-045.html
(UNKNOWN)  REDHAT  RHSA-2005:045
http://www.trustix.org/errata/2004/0069
(UNKNOWN)  TRUSTIX  2004-0069
http://xforce.iss.net/xforce/xfdb/18621
(UNKNOWN)  XF  kerberos-libkadm5srv-bo(18621)

- Vulnerability information

MIT Kerberos 5 administration library libkadm5srv heap overflow vulnerability
High  Boundary condition error
Published 2004-12-31 00:00:00  Updated 2005-10-20 00:00:00
Local
        

- Advisories and patches

        Vendor patches:
        MIT
        ---
        * The forthcoming krb5-1.4 release will contain fixes for this problem; the krb5-1.4-beta3 release already contains them.
        * The forthcoming krb5-1.3.6 patch release will contain fixes for this problem.
        * Apply the following patch to src/lib/kadm5/srv/svr_principal.c and rebuild the affected libraries and binaries. The patch was generated against krb5-1.3.5:
        
        http://web.mit.edu/kerberos/advisories/2004-004-patch_1.3.5.txt

        The detached PGP signature is available at:
        
        http://web.mit.edu/kerberos/advisories/2004-004-patch_1.3.5.txt.asc

        Patch contents: the context diff against krb5-1.3.5 is reproduced in full in the MIT advisory text (MITKRB5-SA-2004-004) further down this page.

- Vulnerability information (F35457)

libkadm5srv.txt (PacketStormID:F35457)
2004-12-31 00:00:00
 
advisory,overflow,arbitrary
CVE-2004-1189

MIT krb5 Security Advisory 2004-004 - The MIT Kerberos 5 administration library (libkadm5srv) contains a heap buffer overflow in password history handling code which could be exploited to execute arbitrary code on a Key Distribution Center (KDC) host.

-----BEGIN PGP SIGNED MESSAGE-----

                 MIT krb5 Security Advisory 2004-004

Original release: 2004-12-20

Topic: heap buffer overflow in libkadm5srv

Severity: serious

SUMMARY
=======

The MIT Kerberos 5 administration library (libkadm5srv) contains a
heap buffer overflow in password history handling code which could be
exploited to execute arbitrary code on a Key Distribution Center (KDC)
host.  The overflow occurs during a password change of a principal
with a certain password history state.  An administrator must have
performed a certain password policy change in order to create the
vulnerable state.  (See MITIGATING FACTORS below.)

No exploits are known to exist at this time, though a public
discussion of the bug took place during the first weeks of December
2004, containing sufficient detail that someone could infer how to
perform an attack.  Exploitation of this vulnerability is believed to
be difficult, due to the limited extent of the overflow.

IMPACT
======

An authenticated user, not necessarily one with administrative
privileges, could execute arbitrary code on the KDC host, compromising
an entire Kerberos realm.  [CAN-2004-1189]

MITIGATING FACTORS
==================

* Typically, only a principal satisfying the following conditions can
  trigger the buffer overflow upon password change:

  + have changed its password fewer times than the history count in
    its password policy

  + had its password policy's history count subsequently reduced to
    equal the number of times it has changed its password

* There are other means of producing the vulnerable state, though they
  are significantly more complex and much less likely.  All of these
  other methods involve a reduction of the password history count in a
  password policy.

* A workaround exists (see FIXES).

AFFECTED SOFTWARE
=================

* KDC software on all releases of MIT krb5, up to and including
  krb5-1.3.5.  The vulnerable library is libkadm5srv.  Programs which
  use the vulnerable functionality of the library include:

  + kadmind (administration daemon)

  + kadmin.local (KDC-local administration client)

  + kadmind4 (krb4 compatibility administration daemon)

FIXES
=====

* WORKAROUND: Until your KDC programs and libraries have been patched,
  do not decrease the password history count on any policy in your
  Kerberos realm.  Also, if you have already decreased the password
  history count on a policy at some point in the past, you should
  raise it to the maximum value that it has had in the past.

* The upcoming krb5-1.4 release (currently in beta test) will contain
  fixes for this problem.  The krb5-1.4-beta3 release contains fixes
  for this problem.

* The upcoming krb5-1.3.6 patch release contains fixes for this
  problem.

* Apply the following patch to src/lib/kadm5/srv/svr_principal.c, and
  recompile the affected libraries and binaries.  This patch was
  generated against krb5-1.3.5, and may apply, with some offset, to
  earlier releases.

  This patch may also be found at:

  http://web.mit.edu/kerberos/advisories/2004-004-patch_1.3.5.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2004-004-patch_1.3.5.txt.asc

Index: svr_principal.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/kadm5/srv/svr_principal.c,v
retrieving revision 1.26.2.1
diff -c -r1.26.2.1 svr_principal.c
*** svr_principal.c	2 Sep 2003 18:58:56 -0000	1.26.2.1
- --- svr_principal.c	20 Dec 2004 19:47:29 -0000
***************
*** 1017,1022 ****
- --- 1017,1025 ----
  	  
  	  memset(&adb->old_keys[adb->old_key_len],0,sizeof(osa_pw_hist_ent)); 
       	  adb->old_key_len++;
+ 	  for (i = adb->old_key_len - 1; i > adb->old_key_next; i--)
+ 	      adb->old_keys[i] = adb->old_keys[i - 1];
+ 	  memset(&adb->old_keys[adb->old_key_next],0,sizeof(osa_pw_hist_ent));
       } else if (adb->old_key_len > pol->pw_history_num-1) {
  	 /*
  	  * The policy must have changed!  Shrink the array.
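Review bot: the shift loop and the `memset(&adb->old_keys[adb->old_key_next],0,sizeof(osa_pw_hist_ent));` in this hunk assume old_key_next is at most the pre-increment old_key_len; the index clamp this patch adds (`if (adb->old_key_next + 1 > adb->old_key_len) adb->old_key_next = 0;`) sits after both resize branches, so a principal record already carrying a larger old_key_next (the shrink branch below sets old_key_len to pol->pw_history_num - 1 without touching old_key_next, and an unpatched server never clamped it) would still be zeroed past the end of the array here. Consider placing the clamp, or an equivalent bound check, ahead of the resize branches. The struct copies in `adb->old_keys[i] = adb->old_keys[i - 1]` move the key_data pointers up one slot and the vacated slot is zeroed, so no entry ends up owned twice.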
***************
*** 1039,1048 ****
  		 histp[i] = adb->old_keys[j];
  	     }
  	     /* Now free the ones we don't keep (the oldest ones) */
! 	     for (i = 0; i < adb->old_key_len - (pol->pw_history_num - 1); i++)
  		 for (j = 0; j < adb->old_keys[KADM_MOD(i)].n_key_data; j++)
  		     krb5_free_key_data_contents(context,
  				&adb->old_keys[KADM_MOD(i)].key_data[j]);
  	     free((void *)adb->old_keys);
  	     adb->old_keys = histp;
  	     adb->old_key_len = pol->pw_history_num - 1;
- --- 1042,1053 ----
  		 histp[i] = adb->old_keys[j];
  	     }
  	     /* Now free the ones we don't keep (the oldest ones) */
! 	     for (i = 0; i < adb->old_key_len - (pol->pw_history_num-1); i++) {
  		 for (j = 0; j < adb->old_keys[KADM_MOD(i)].n_key_data; j++)
  		     krb5_free_key_data_contents(context,
  				&adb->old_keys[KADM_MOD(i)].key_data[j]);
+ 		 free(adb->old_keys[KADM_MOD(i)].key_data);
+ 	     }
  	     free((void *)adb->old_keys);
  	     adb->old_keys = histp;
  	     adb->old_key_len = pol->pw_history_num - 1;
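Review bot: the added `free(adb->old_keys[KADM_MOD(i)].key_data);` fixes a leak of each dropped entry's key_data array (krb5_free_key_data_contents releases only what the key_data elements point to); that is separate from the overflow and worth a line in the release notes, and the same omission at the single-entry free site later in the function is fixed in the third hunk. This branch shrinks old_key_len to pol->pw_history_num - 1 without adjusting old_key_next and relies on the clamp that follows the resize code; a comment here saying so would spare the next reader the cross-check.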
***************
*** 1052,1061 ****
- --- 1057,1070 ----
  	 }
       }
  
+      if (adb->old_key_next + 1 > adb->old_key_len)
+ 	 adb->old_key_next = 0;
+ 
       /* free the old pw history entry if it contains data */
       histp = &adb->old_keys[adb->old_key_next];
       for (i = 0; i < histp->n_key_data; i++)
  	  krb5_free_key_data_contents(context, &histp->key_data[i]);
+      free(histp->key_data);
       
       /* store the new entry */
       adb->old_keys[adb->old_key_next] = *pw;
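Review bot: `adb->old_key_next + 1 > adb->old_key_len` is `adb->old_key_next >= adb->old_key_len`; the second form states the invariant directly and cannot wrap if old_key_next ever holds its type's maximum value. The clamp also leaves old_key_len == 0 unhandled (a policy with pw_history_num of 1 keeps no old keys), in which case the loop over histp->n_key_data reads from an empty array; either the caller guarantees add_to_history() is not reached for such policies, which deserves a comment here, or the function should return early. The added `free(histp->key_data)` is safe on a slot zeroed by memset because free(NULL) is a no-op.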

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CERT VU#948033:

        http://www.kb.cert.org/vuls/id/948033

CVE CAN-2004-1189:

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189

        Administration library in MIT Kerberos 5 release krb5-1.3.5
        and earlier has a heap buffer overflow in code which handles
        password history, possibly allowing authenticated attackers to
        execute arbitrary code on a KDC host.

ACKNOWLEDGMENTS
===============

Thanks to Michael Tautschnig for reporting this problem.

Thanks to Chaskiel Grundman and Luke Howard for providing debugging
help on the mailing list.

DETAILS
=======

The vulnerable function is add_to_history() in
src/lib/kadm5/srv/svr_principal.c.  The password history is stored as
a ring buffer, represented as an array of osa_pw_ent_rec, which is
adb->old_keys.  The "next" pointer is an index into the array,
adb->old_key_next, and the length of the array is stored in
adb->old_key_len.  The array is dynamically resized as needed, and
there is no separate head pointer.

The policy's history count is stored in pol->pw_hist_num, but the
actual maximum number of keys stored in adb->old_keys is
pol->pw_hist_num-1, since the "current" key data are also used for
history comparisons when a password change occurs.

The index value adb->old_key_next is permitted to index to a position
one past the end of the array adb->old_keys if adb->old_key_next is
less than pol->pw_hist_num-1.  This out-of-bounds indexing is usually
fixed up when add_to_history() enlarges the array on a subsequent
call.

If pol->pw_hist_num is reduced to adb->old_key_next after a password
change that causes adb->old_key_next to index out of bounds, a
subsequent password change will not run the resizing code, and
add_to_history() will write a password history entry past the end of
the array adb->old_keys.

REVISION HISTORY
================

2004-12-20      original release

Copyright (C) 2004 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (SunOS)

iQCVAwUBQcdAH6bDgE/zdoE9AQEWogQAy7vS1GLO5gG/uX9rm15NUQEO5K07NaMu
MdwZhITIR0tg5aIR2eecon1ahgdDFrZELnZ3G/+ArhLqH+yvmskmOLZGmRHQ9Q0l
mMf4DbOWMQZgGNmbvTTAzg0GAuVYdw2+5acP7maj61O0nV9mQIOdeM7Y0HFj46QL
EVf4jR0OsJY=
=ZAwT
-----END PGP SIGNATURE-----
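The ring-buffer state described in the CNNVD summary and in the advisory's DETAILS section, as an added example that is not part of the advisory or of the krb5 source. The structure and field names (adb->old_keys, adb->old_key_len, adb->old_key_next, pol->pw_history_num) follow the advisory, the patched behaviour (grow-and-shift, index clamp) follows the three hunks above, and the unpatched increment and wrap rule is reconstructed from the DETAILS text and is an assumption. The model counts the write that would have gone past the end of old_keys instead of performing it, and the scenario is the trigger from MITIGATING FACTORS: a principal that has changed its password fewer times than the history count, followed by a reduction of that count.

```c
/* Added illustration, not krb5 source. Names follow the advisory; the patched
 * behaviour follows the hunks; the unpatched increment/wrap rule is
 * reconstructed from the DETAILS section (assumption). Out-of-bounds writes
 * are counted, never performed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int n_key_data;     /* 0 marks an empty slot, as after memset() */
    int tag;            /* which password change filled the slot (model only) */
} hist_ent;             /* stands in for osa_pw_hist_ent */
typedef struct {
    hist_ent *old_keys; /* adb->old_keys: history ring buffer, no head pointer */
    int old_key_len;    /* adb->old_key_len: allocated entries */
    int old_key_next;   /* adb->old_key_next: slot the next change overwrites */
} principal_db;
typedef struct { int pw_history_num; } policy; /* old_keys holds at most this - 1 */
typedef struct {
    int oob_writes;     /* changes that would have written past old_keys */
    int next_victim;    /* tag in the slot old_key_next points at afterwards */
} scenario_result;

/* Returns 1 if this change would have written past the end of old_keys (the
 * unpatched heap overflow), 0 if it was stored in bounds. patched != 0 applies
 * the shift and clamp added by the patch. */
static int model_add_to_history(principal_db *adb, const policy *pol, int tag, int patched)
{
    int i, oob = 0;
    int max_keys = pol->pw_history_num - 1;
    if (adb->old_key_len < max_keys) {
        /* Grow by one slot (both versions). */
        adb->old_keys = realloc(adb->old_keys,
                                (size_t)(adb->old_key_len + 1) * sizeof(hist_ent));
        if (adb->old_keys == NULL)
            abort();
        memset(&adb->old_keys[adb->old_key_len], 0, sizeof(hist_ent));
        adb->old_key_len++;
        if (patched) {
            /* First hunk: open the slot at old_key_next so the write below lands
             * in bounds and the ring order is preserved. */
            for (i = adb->old_key_len - 1; i > adb->old_key_next; i--)
                adb->old_keys[i] = adb->old_keys[i - 1];
            memset(&adb->old_keys[adb->old_key_next], 0, sizeof(hist_ent));
        }
    } else if (adb->old_key_len > max_keys) {
        /* Policy shrank. The real code compacts the newest entries into a new
         * array; the model only truncates the length. */
        adb->old_key_len = max_keys;
    }

    if (patched && adb->old_key_next + 1 > adb->old_key_len)
        adb->old_key_next = 0;              /* third hunk: clamp the ring index */

    if (adb->old_key_next >= adb->old_key_len) {
        oob = 1;                            /* unpatched: heap write past old_keys */
    } else {
        adb->old_keys[adb->old_key_next].n_key_data = 1;
        adb->old_keys[adb->old_key_next].tag = tag;
    }

    /* Reconstructed advance rule: the index may sit one past the end of
     * old_keys while it is still below pw_history_num-1. */
    adb->old_key_next++;
    if (adb->old_key_next >= max_keys)
        adb->old_key_next = 0;
    return oob;
}

/* The trigger from MITIGATING FACTORS: two changes under a history count of 5,
 * the count lowered to 3 so neither resize branch runs on the next change,
 * further changes, then the count raised again to exercise grow-and-shift. */
static scenario_result run_scenario(int patched)
{
    principal_db adb = { NULL, 0, 0 };
    policy pol = { 5 };
    scenario_result r = { 0, 0 };
    int change;

    for (change = 1; change <= 2; change++) /* leaves old_key_len == old_key_next == 2 */
        r.oob_writes += model_add_to_history(&adb, &pol, change, patched);
    pol.pw_history_num = 3;                 /* max_keys now equals old_key_len */
    for (change = 3; change <= 6; change++)
        r.oob_writes += model_add_to_history(&adb, &pol, change, patched);
    pol.pw_history_num = 5;                 /* raised again: grow path runs */
    r.oob_writes += model_add_to_history(&adb, &pol, 7, patched);

    r.next_victim = adb.old_keys[adb.old_key_next].tag;
    free(adb.old_keys);
    return r;
}

int main(void)
{
    scenario_result v = run_scenario(0), p = run_scenario(1);
    printf("unpatched: %d out-of-bounds write(s), next slot tag %d\n", v.oob_writes, v.next_victim);
    printf("patched:   %d out-of-bounds write(s), next slot tag %d\n", p.oob_writes, p.next_victim);
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The unpatched run records one out-of-bounds write, on the first change after the history count is lowered, exactly the state the advisory describes: old_key_next equals old_key_len and neither resize branch runs. The patched run records none, and after the count is raised again the slot at old_key_next holds the oldest remaining entry (tag 5), showing that the shift in the first hunk keeps the ring order intact rather than just keeping the index in range.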
    

- Vulnerability information

12533
MIT Kerberos 5 libkadm5srv Password History Handling Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

- Timeline

2004-12-20 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

MIT Kerberos 5 Administration Library Add_To_History Heap-Based Buffer Overflow Vulnerability
Boundary Condition Error 12059
Remote: No  Local: Yes
Published 2004-12-20 12:00:00  Updated 2009-07-12 09:26:00
Discovery of this vulnerability is credited to Michael Tautschnig.

- Affected versions

Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun SEAM 1.0.2
+ Sun Solaris 9_x86
+ Sun Solaris 9
Sun SEAM 1.0.1
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
SGI ProPack 3.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
MIT Kerberos 5 5.0 -1.3.3
MIT Kerberos 5 5.0 -1.2beta2
MIT Kerberos 5 5.0 -1.2beta1
MIT Kerberos 5 5.0 -1.1.1
MIT Kerberos 5 5.0 -1.1
MIT Kerberos 5 5.0 -1.0.x
MIT Kerberos 5 1.3.5
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
MIT Kerberos 5 1.3.4
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Turbolinux Turbolinux Server 10.0
MIT Kerberos 5 1.3.3
MIT Kerberos 5 1.3.2
MIT Kerberos 5 1.3.1
MIT Kerberos 5 1.3 -alpha1
MIT Kerberos 5 1.3
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
MIT Kerberos 5 1.2.8
MIT Kerberos 5 1.2.7
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ RedHat Linux 9.0 i386
MIT Kerberos 5 1.2.6
MIT Kerberos 5 1.2.5
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Wirex Immunix OS 7+
MIT Kerberos 5 1.2.4
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
MIT Kerberos 5 1.2.3
+ Conectiva Linux 8.0
MIT Kerberos 5 1.2.2 -beta1
MIT Kerberos 5 1.2.2
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
MIT Kerberos 5 1.2.1
MIT Kerberos 5 1.2
MIT Kerberos 5 1.1.1
+ Red Hat Linux 6.2
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.1
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
MIT Kerberos 5 1.1
MIT Kerberos 5 1.0.8
+ OpenBSD OpenBSD 3.2
+ OpenBSD OpenBSD 3.1
MIT Kerberos 5 1.0.6
MIT Kerberos 5 1.0
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.3.9
MIT Kerberos 5 1.3.6
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
+ Red Hat Fedora Core1
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1

- Unaffected versions

MIT Kerberos 5 1.3.6
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
+ Red Hat Fedora Core1
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1

- Discussion

It is reported that the MIT Kerberos 5 administration library is affected by a heap-based buffer overflow vulnerability. The vulnerability presents itself in the 'add_to_history()' function of the 'svr_principal.c' source file. The vulnerability exists due to an indexing error that occurs under certain circumstances.

An authenticated attacker may potentially exploit this vulnerability on a Key Distribution Center (KDC) to execute arbitrary code in the context of the vulnerable service, ultimately resulting in the compromise of an entire Kerberos realm.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

MIT has released version 1.3.6 of their Kerberos 5 packages resolving this issue. Please see the referenced MIT release announcement for more information.

Turbolinux has made an advisory available (TLSA-2005-34) dealing with this issue. Please see the referenced advisory for more information.

SGI has released advisory 20050104-01-U (SGI Advanced Linux Environment 3 Security Update #24) to address various issues in SGI Advanced Linux Environment 3. This advisory includes updated SGI ProPack 3 Service Pack 3 packages and patch 10139. Please see the referenced advisory for more information.

Red Hat has released advisories FEDORA-2004-563 and FEDORA-2004-564 to address this issue in Fedora Core 2 and 3. Please see the referenced advisory for more information.

Trustix linux has made an advisory available (TSLSA-2004-0069) dealing with this issue. Trustix advises that all computers be upgraded to the latest version of the affected software using swup, the automated software updater. To auto-update the affected packages users are advised to issue the command 'swup --upgrade'. Please see the referenced advisory for more information.

Mandrake Linux has released an advisory (MDKSA-2004:156) along with fixes dealing with this issue. Please see the referenced advisory for more information.

Sun has released alert 57712 along with an upgrade dealing with this issue. Please see the referenced web advisory for more information.

Gentoo has released advisory GLSA 200501-05 to address this issue. Gentoo users may carry out the following commands to update their systems:
emerge --sync
emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.3.6"
Please see the referenced Gentoo advisory for more information.

Debian has released advisory DSA 629-1 to address this issue. Please see the referenced advisory for further information.

Ubuntu has released advisory USN-58-1 to address this issue. Please see the referenced advisory for more information.

Conectiva has released an advisory (CLSA-2005:917) to address this issue. Please see the advisory in references for more information.

Sun has updated advisory 57712 with fixes for Solaris 9 and SEAM for Solaris 8.

Fedora Legacy has released security advisory FLSA:154276 addressing this issue for RedHat Linux 7.3 and 9, and for Fedora Core 1. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Apple has released security advisory APPLE-SA-2005-08-15 addressing this and several other vulnerabilities. Please see the referenced advisory for further information.



About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.