CVE-2005-1174
CVSS 5.0
Release time: 2005-07-18 00:00:00
Revision time: 2016-10-17 23:17:53

[Original] MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.


[CNNVD] MIT krb KDC denial of service vulnerability (CNNVD-200507-185)

Kerberos is a widely used network protocol that relies on strong cryptography to authenticate clients and servers.
The KDC in MIT Kerberos 5 (krb5) 1.3 through 1.4.1 contains a denial of service vulnerability.
A remote attacker can use a certain TCP connection to trigger a free of unallocated memory, crashing the application and causing a denial of service.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:mit:kerberos:5-1.3    MIT Kerberos 5 1.3
cpe:/a:mit:kerberos:5-1.3.2  MIT Kerberos 5 1.3.2
cpe:/a:mit:kerberos:5-1.4.1  MIT Kerberos 5 1.4.1
cpe:/a:mit:kerberos:5-1.3.3  MIT Kerberos 5 1.3.3
cpe:/a:mit:kerberos:5-1.3.1  MIT Kerberos 5 1.3.1
cpe:/a:mit:kerberos:5-1.3.6  MIT Kerberos 5 1.3.6
cpe:/a:mit:kerberos:5-1.3.4  MIT Kerberos 5 1.3.4
cpe:/a:mit:kerberos:5-1.3.5  MIT Kerberos 5 1.3.5
cpe:/a:mit:kerberos:5-1.4    MIT Kerberos 5 1.4

- OVAL (technical details for detection)

oval:org.mitre.oval:def:397    MIT Kerberos 5 Key Distribution Center Remote Denial of Service Vulnerability
oval:org.mitre.oval:def:10229  MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application cras...
*OVAL describes in detail how this vulnerability is detected; the related OVAL definitions give further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1174
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1174
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-185
(official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20050703-01-U.asc
(UNKNOWN)  SGI  20050703-01-U
http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2005-08-17
http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-08-15
http://marc.info/?l=bugtraq&m=112122123211974&w=2
(UNKNOWN)  BUGTRAQ  20050712 MITKRB5-SA-2005-002: buffer overflow, heap corruption in KDC
http://securitytracker.com/id?1014460
(UNKNOWN)  SECTRACK  1014460
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101809-1
(UNKNOWN)  SUNALERT  101809
http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt
(PATCH)  CONFIRM  http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt
http://www-1.ibm.com/support/docview.wss?uid=swg1IY85474
(UNKNOWN)  AIXAPAR  IY85474
http://www.debian.org/security/2005/dsa-757
(UNKNOWN)  DEBIAN  DSA-757
http://www.kb.cert.org/vuls/id/259798
(VENDOR_ADVISORY)  CERT-VN  VU#259798
http://www.novell.com/linux/security/advisories/2005_17_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:017
http://www.redhat.com/support/errata/RHSA-2005-567.html
(UNKNOWN)  REDHAT  RHSA-2005:567
http://www.securityfocus.com/bid/14240
(UNKNOWN)  BID  14240
http://www.trustix.org/errata/2005/0036
(UNKNOWN)  TRUSTIX  2005-0036
http://www.turbolinux.com/security/2005/TLSA-2005-78.txt
(UNKNOWN)  TURBO  TLSA-2005-78
http://www.ubuntulinux.org/support/documentation/usn/usn-224-1
(UNKNOWN)  UBUNTU  USN-224-1
http://www.vupen.com/english/advisories/2005/1066
(UNKNOWN)  VUPEN  ADV-2005-1066
http://www.vupen.com/english/advisories/2006/2074
(UNKNOWN)  VUPEN  ADV-2006-2074
http://xforce.iss.net/xforce/xfdb/21327
(UNKNOWN)  XF  kerberos-kdc-krb5-tcp-connection-dos(21327)

- Vulnerability information

MIT krb KDC denial of service vulnerability
Medium risk; insufficient information
2005-07-18 00:00:00 2005-10-20 00:00:00
Remote ※ Local

- Advisories and patches

The vendor has released an upgrade patch that fixes this security issue; the patch is available at:
http://web.mit.edu/kerberos/dist/

- Vulnerability information (F38629)

Gentoo Linux Security Advisory 200507-11 (PacketStormID:F38629)
2005-07-13 00:00:00
Gentoo  security.gentoo.org
advisory,overflow,tcp
linux,gentoo
CVE-2005-1174,CVE-2005-1175,CVE-2005-1689

Gentoo Linux Security Advisory GLSA 200507-11 - Daniel Wachdorf discovered that MIT Kerberos 5 could corrupt the heap by freeing unallocated memory when receiving a special TCP request (CVE-2005-1174). He also discovered that the same request could lead to a single-byte heap overflow (CVE-2005-1175). Magnus Hagander discovered that the krb5_recvauth() function of MIT Kerberos 5 might try to double-free memory (CVE-2005-1689). Versions less than 1.4.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200507-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: MIT Kerberos 5: Multiple vulnerabilities
      Date: July 12, 2005
      Bugs: #98799
        ID: 200507-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

MIT Kerberos 5 is vulnerable to a Denial of Service attack and remote
execution of arbitrary code, possibly leading to the compromise of the
entire Kerberos realm.

Background
==========

MIT Kerberos 5 is the free implementation of the Kerberos network
authentication protocol by the Massachusetts Institute of Technology.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-crypt/mit-krb5     < 1.4.1-r1                     >= 1.4.1-r1

Description
===========

Daniel Wachdorf discovered that MIT Kerberos 5 could corrupt the heap
by freeing unallocated memory when receiving a special TCP request
(CAN-2005-1174). He also discovered that the same request could lead to
a single-byte heap overflow (CAN-2005-1175). Magnus Hagander discovered
that the krb5_recvauth() function of MIT Kerberos 5 might try to
double-free memory (CAN-2005-1689).

Impact
======

Although exploitation is considered difficult, a remote attacker could
exploit the single-byte heap overflow and the double-free vulnerability
to execute arbitrary code, which could lead to the compromise of the
whole Kerberos realm. A remote attacker could also use the heap
corruption to cause a Denial of Service.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All MIT Kerberos 5 users should upgrade to the latest available
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.4.1-r1"

References
==========

  [ 1 ] CAN-2005-1174
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174
  [ 2 ] CAN-2005-1175
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175
  [ 3 ] CAN-2005-1689
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689
  [ 4 ] MITKRB5-SA-2005-002
        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt
  [ 5 ] MITKRB5-SA-2005-003
        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200507-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- Vulnerability information (F38627)

MITKRB5-SA-2005-002.txt (PacketStormID:F38627)
2005-07-13 00:00:00
 
advisory,overflow
CVE-2005-1174,CVE-2005-1175

MIT krb5 Security Advisory 2005-002 - KDC is susceptible to a buffer overflow and to heap corruption.

-----BEGIN PGP SIGNED MESSAGE-----

                 MIT krb5 Security Advisory 2005-002

Original release: 2005-07-12

Topic: buffer overflow, heap corruption in KDC

Severity: CRITICAL

SUMMARY
=======

The MIT krb5 Key Distribution Center (KDC) implementation can corrupt
the heap by attempting to free memory at a random address when it
receives a certain unlikely (but valid) request via a TCP connection.
This attempt to free unallocated memory can result in a KDC crash and
consequent denial of service.  [CAN-2005-1174, VU#259798]

Additionally, the same request, when received by the KDC via either
TCP or UDP, can trigger a bug in the krb5 library which results in a
single-byte overflow of a heap buffer.  Application servers are
vulnerable to a highly improbable attack, provided that the attacker
controls a realm sharing a cross-realm key with the target
realm. [CAN-2005-1175, VU#885830]

An unauthenticated attacker may be able to use these vulnerabilities
to execute arbitrary code on the KDC host, potentially compromising an
entire Kerberos realm.  No exploit code is known to exist at this
time.  Exploitation of these vulnerabilities is believed to be
difficult.

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code on
the KDC host, potentially compromising an entire Kerberos realm.  An
unsuccessful attack against the heap corruption vulnerability may
result in a denial of service by crashing the KDC process.

AFFECTED SOFTWARE
=================

* [CAN-2005-1174] affects the KDC implementation in all MIT krb5
  releases supporting TCP client connections to the KDC.  This
  includes krb5-1.3 and later releases, up to and including
  krb5-1.4.1.

* [CAN-2005-1175] affects KDC implementations and application servers
  in all MIT krb5 releases, up to and including krb5-1.4.1.
  Third-party application servers which use MIT krb5 are also
  affected.

FIXES
=====

* The upcoming krb5-1.4.2 release will have fixes for these
  vulnerabilities.

* WORKAROUNDS: Disabling TCP support in the KDC avoids one
  vulnerability [CAN-2005-1174].  The single-byte overflow
  [CAN-2005-1175] is still possible even without KDC TCP support
  enabled.  Running the KDC from init or from some similar automatic
  respawning facility may reduce the durations of denials of service,
  but this approach may make it difficult to detect deliberate attacks
  targeted at code execution.

* Apply the patch at:

  http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt.asc

  The patch was generated against the krb5-1.4.1 release.  It may
  apply, with some offset, to earlier releases.  On releases prior to
  krb5-1.3, only the patch to lib/krb5/krb/unparse.c should be
  necessary.

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

CERT: VU#259798
http://www.kb.cert.org/vuls/id/259798

CVE: CAN-2005-1175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175

CERT: VU#885830
http://www.kb.cert.org/vuls/id/885830

ACKNOWLEDGMENTS
===============

Thanks to Daniel Wachdorf for reporting these vulnerabilities.

DETAILS
=======

Kerberos 5 principal names may have an arbitrary number of components.
The krb5_unparse_name() function in the MIT krb5 library converts an
internal representation of a Kerberos principal name into a
human-readable string.  The internal representation might have
originated from the decoding of a Kerberos protocol message.

The single-byte overflow occurs whenever the krb5_unparse_name()
function is called on a principal name having zero components.  The
function writes a null byte to an address one beyond the end of a
buffer allocated by malloc().  The corresponding krb5_parse_name()
function never generates an internal representation having zero
components; instead, it generates at least one zero-length component.
The current string representation form of Kerberos principal names has
some ambiguity between a zero-component principal name and a
one-component principal name having a zero-length single component.

Application servers which call krb5_unparse_name(), directly or
indirectly, are vulnerable to the single-byte overflow in
krb5_unparse_name(), provided that the attacker controls a realm which
shares a cross-realm key with the target realm.  This enables the
attacker to use a cross-realm ticket for a zero-component client
principal name, which the application server will then pass to
krb5_unparse_name(), triggering the single-byte overflow.

For this attack to succeed, the attacker needs access to a KDC in the
target realm which will create a ticket for a zero-component client
principal name.  Since the current MIT krb5 KDC implementation will
refuse to create such a ticket, the attack is unlikely to succeed
unless the implementation has been altered to allow the issuance of
tickets for zero-component client principal names.

When the KDC fails to find the principal with a zero-component name in
its database (such a principal is very unlikely to exist in most
databases, as there are extremely few uses for such a principal), it
attempts to encode an error packet containing the offending principal
name, using prepare_error_as() or prepare_error_tgs().  This encoding
attempt fails inside encode_krb5_error(), since the ASN.1 encoder
function asn1_encode_principal_name() interprets the internal
representation of a zero-component principal name as an error
condition.

encode_krb5_error() does not allocate an output buffer when it
encounters an error condition.  While the UDP request handling code in
kdc/network.c:process_packet() does not attempt to free the output
buffer containing the encoded message when it encounters an error, the
TCP request handling code in process does free the buffer inside
kill_tcp_connection(), which attempts to free unallocated memory
pointed to by an uninitialized pointer.

REVISION HISTORY
================

2005-05-12      original release

Copyright (C) 2005 Massachusetts Institute of Technology
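An added illustration (not code from MIT krb5 or from this advisory) of the two defects the DETAILS section describes, in a constructed model: a sizer that counts ncomps - 1 separators and so comes up one byte short for a zero-component name, next to a hardened unparse that rejects such names, and a TCP-style error path whose reply pointer starts as NULL so an encoder failure never frees an indeterminate pointer. The principal struct, the function names and the sample names are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a principal (components + realm), not krb5's struct. */
struct principal { int ncomps; const char **comps; const char *realm; };

/* Naive sizing of "c1/c2/...@REALM" plus NUL that counts (ncomps - 1) '/'
 * separators: for ncomps == 0 that term is -1, one byte short of the
 * "@REALM" + NUL a writer emits. A model of the advisory's overflow shape. */
size_t naive_unparse_len(const struct principal *p) {
    long len = p->ncomps - 1;                        /* separators, wrong at 0 */
    for (int i = 0; i < p->ncomps; i++) len += (long)strlen(p->comps[i]);
    return (size_t)(len + 1 + (long)strlen(p->realm) + 1); /* '@', realm, NUL */
}

/* Bytes a writer really emits for the same name, NUL included. */
size_t actual_unparse_len(const struct principal *p) {
    size_t len = 1 + strlen(p->realm) + 1;           /* '@', realm, NUL */
    for (int i = 0; i < p->ncomps; i++) len += strlen(p->comps[i]) + (i ? 1 : 0);
    return len;
}

/* Hardened unparse: a zero-component name (a shape krb5_parse_name() never
 * produces) is rejected instead of being sized one byte short. NULL on error. */
char *safe_unparse(const struct principal *p) {
    if (p->ncomps < 1) return NULL;
    char *out = malloc(naive_unparse_len(p)), *w = out; /* exact for ncomps >= 1 */
    if (!out) return NULL;
    for (int i = 0; i < p->ncomps; i++) {
        if (i) *w++ = '/';
        size_t l = strlen(p->comps[i]);
        memcpy(w, p->comps[i], l);
        w += l;
    }
    *w++ = '@';
    strcpy(w, p->realm);                             /* realm plus terminating NUL */
    return out;
}

/* Models encode_krb5_error(): on failure it returns nonzero and allocates
 * nothing, so *reply is only meaningful when the return value is 0. */
int encode_error_reply(const struct principal *p, char **reply) {
    char *s = safe_unparse(p);
    if (!s) return -1;                               /* *reply deliberately untouched */
    *reply = s;
    return 0;
}

/* Hardened TCP request path: reply starts as NULL and one cleanup frees it,
 * so an encoder failure never frees an indeterminate pointer. */
int handle_tcp_error_request(const struct principal *p) {
    char *reply = NULL;        /* vulnerable form: left uninitialized, then freed */
    int ret = encode_error_reply(p, &reply);
    /* ... a real server would write reply to the connection here ... */
    free(reply);               /* free(NULL) is a no-op */
    return ret;
}

/* Constructed sample names for the checks. */
static const char *kHostComps[] = { "host", "kdc.example.com" };
const struct principal kTwoComp = { 2, kHostComps, "EXAMPLE.COM" };
const struct principal kZeroComp = { 0, NULL, "EXAMPLE.COM" };
```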
    

- Vulnerability information

17842
MIT Kerberos 5 Key Distribution Center (KDC) Unallocated Memory Free DoS
Denial of Service
Loss of Availability

- Vulnerability description

- Timeline

2005-07-12 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

MIT Kerberos 5 Key Distribution Center Remote Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 14240
Yes No
2005-07-12 12:00:00 2006-06-02 05:22:00
Discovery is credited to Daniel Wachdorf.

- Affected program versions

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 10.0_x86
Sun Solaris 10
Sun SEAM 1.0.2
+ Sun Solaris 9_x86
+ Sun Solaris 9
Sun SEAM 1.0.1
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
Sun SEAM 1.0
SGI ProPack 3.0 SP6
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
Red Hat Fedora Core4
Red Hat Fedora Core3
MIT Kerberos 5 5.0 -1.4.1
MIT Kerberos 5 5.0 -1.4
MIT Kerberos 5 5.0 -1.3.6
MIT Kerberos 5 5.0 -1.3.5
MIT Kerberos 5 5.0 -1.3.4
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
MIT Kerberos 5 5.0 -1.3.3
MIT Kerberos 5 5.0 -1.2beta2
MIT Kerberos 5 5.0 -1.2beta1
MIT Kerberos 5 5.0 -1.1.1
MIT Kerberos 5 5.0 -1.1
MIT Kerberos 5 5.0 -1.0.x
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
IBM DCE 3.2 for AIX
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Conectiva Linux 10.0
Conectiva Linux 9.0
Apple Mac OS X Server 10.4.2
Apple Mac OS X 10.4.2

- Vulnerability discussion

The Kerberos 5 Key Distribution Center (KDC) implementation of Kerberos is affected by a remote denial-of-service vulnerability. This issue arises because the application tries to free uninitialized memory at a random address when handling a remote request over TCP.

Specifically, the vulnerability arises when the application handles a principal name consisting of zero components.

All MIT Kerberos 5 releases up to and including krb5-1.4.1 are vulnerable. Third-party application servers employing Kerberos 5 may be affected as well.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

The vendor has released an advisory (MITKRB5-SA-2005-002) along with a patch for Kerberos 5.0-1.4.1 to resolve this and other issues. This patch may be applied to prior releases as well.

Please see the referenced advisories for further information.


Sun Solaris 8_sparc

Sun Solaris 10

Sun Solaris 10.0_x86

Sun Solaris 9

Sun Solaris 9_x86

Sun Solaris 8_x86

Apple Mac OS X 10.4.2

MIT Kerberos 5 5.0 -1.4.1

- References

 

 
