CVE-2005-1689
CVSS 7.5
Published: 2005-07-18 00:00:00
Revised: 2016-10-17 23:21:46

[Original] Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.


[CNNVD] MIT krb krb5_recvauth() code execution vulnerability (CNNVD-200507-187)

        Kerberos is a widely used network protocol that uses strong cryptography to authenticate clients and servers.
        The krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier contains a code execution vulnerability.
        Because krb5_recvauth() can free previously freed memory under certain error conditions, an unauthenticated remote attacker may be able to execute arbitrary code.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:mit:kerberos:5-1.3      MIT Kerberos 5 1.3
cpe:/a:mit:kerberos:5-1.3.2    MIT Kerberos 5 1.3.2
cpe:/a:mit:kerberos:5-1.4.1    MIT Kerberos 5 1.4.1
cpe:/a:mit:kerberos:5-1.3.3    MIT Kerberos 5 1.3.3
cpe:/a:mit:kerberos:5-1.3.1    MIT Kerberos 5 1.3.1
cpe:/a:mit:kerberos:5-1.3.6    MIT Kerberos 5 1.3.6
cpe:/a:mit:kerberos:5-1.3.4    MIT Kerberos 5 1.3.4
cpe:/a:mit:kerberos:5-1.3.5    MIT Kerberos 5 1.3.5
cpe:/a:mit:kerberos:5-1.4      MIT Kerberos 5 1.4

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9819    Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitr...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1689
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1689
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-187
(official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20050703-01-U.asc
(UNKNOWN)  SGI  20050703-01-U
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000993
(UNKNOWN)  CONECTIVA  CLA-2005:993
http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2005-08-17
http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-08-15
http://marc.info/?l=bugtraq&m=112119974704542&w=2
(UNKNOWN)  BUGTRAQ  20050712 MITKRB5-SA-2005-003: double-free in krb5_recvauth
http://securitytracker.com/id?1014461
(UNKNOWN)  SECTRACK  1014461
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101810-1
(UNKNOWN)  SUNALERT  101810
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt
(UNKNOWN)  CONFIRM  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt
http://www.debian.org/security/2005/dsa-757
(VENDOR_ADVISORY)  DEBIAN  DSA-757
http://www.gentoo.org/security/en/glsa/glsa-200507-11.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200507-11
http://www.kb.cert.org/vuls/id/623332
(VENDOR_ADVISORY)  CERT-VN  VU#623332
http://www.novell.com/linux/security/advisories/2005_17_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:017
http://www.redhat.com/support/errata/RHSA-2005-562.html
(UNKNOWN)  REDHAT  RHSA-2005:562
http://www.redhat.com/support/errata/RHSA-2005-567.html
(UNKNOWN)  REDHAT  RHSA-2005:567
http://www.securityfocus.com/archive/1/archive/1/446940/100/0/threaded
(UNKNOWN)  HP  SSRT5973
http://www.securityfocus.com/bid/14239
(UNKNOWN)  BID  14239
http://www.trustix.org/errata/2005/0036
(UNKNOWN)  TRUSTIX  2005-0036
http://www.turbolinux.com/security/2005/TLSA-2005-78.txt
(UNKNOWN)  TURBO  TLSA-2005-78
http://www.ubuntulinux.org/support/documentation/usn/usn-224-1
(UNKNOWN)  UBUNTU  USN-224-1
http://www.vupen.com/english/advisories/2005/1066
(UNKNOWN)  VUPEN  ADV-2005-1066
http://www.vupen.com/english/advisories/2006/3776
(UNKNOWN)  VUPEN  ADV-2006-3776
http://xforce.iss.net/xforce/xfdb/21055
(UNKNOWN)  XF  kerberos-kdc-krb5recvauth-execute-code(21055)

- Vulnerability information

MIT krb krb5_recvauth() code execution vulnerability
High  Buffer overflow
2005-07-18 00:00:00 2009-03-25 00:00:00
Remote
        Kerberos is a widely used network protocol that uses strong cryptography to authenticate clients and servers.
        The krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier contains a code execution vulnerability.
        Because krb5_recvauth() can free previously freed memory under certain error conditions, an unauthenticated remote attacker may be able to execute arbitrary code.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; it can be obtained from:
        http://web.mit.edu/kerberos/dist/

- Vulnerability information (F38629)

Gentoo Linux Security Advisory 200507-11 (PacketStormID:F38629)
2005-07-13 00:00:00
Gentoo  security.gentoo.org
advisory,overflow,tcp
linux,gentoo
CVE-2005-1174,CVE-2005-1175,CVE-2005-1689

Gentoo Linux Security Advisory GLSA 200507-11 - Daniel Wachdorf discovered that MIT Kerberos 5 could corrupt the heap by freeing unallocated memory when receiving a special TCP request (CVE-2005-1174). He also discovered that the same request could lead to a single-byte heap overflow (CVE-2005-1175). Magnus Hagander discovered that the krb5_recvauth() function of MIT Kerberos 5 might try to double-free memory (CVE-2005-1689). Versions less than 1.4.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200507-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: MIT Kerberos 5: Multiple vulnerabilities
      Date: July 12, 2005
      Bugs: #98799
        ID: 200507-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

MIT Kerberos 5 is vulnerable to a Denial of Service attack and remote
execution of arbitrary code, possibly leading to the compromise of the
entire Kerberos realm.

Background
==========

MIT Kerberos 5 is the free implementation of the Kerberos network
authentication protocol by the Massachusetts Institute of Technology.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-crypt/mit-krb5     < 1.4.1-r1                     >= 1.4.1-r1

Description
===========

Daniel Wachdorf discovered that MIT Kerberos 5 could corrupt the heap
by freeing unallocated memory when receiving a special TCP request
(CAN-2005-1174). He also discovered that the same request could lead to
a single-byte heap overflow (CAN-2005-1175). Magnus Hagander discovered
that the krb5_recvauth() function of MIT Kerberos 5 might try to
double-free memory (CAN-2005-1689).

Impact
======

Although exploitation is considered difficult, a remote attacker could
exploit the single-byte heap overflow and the double-free vulnerability
to execute arbitrary code, which could lead to the compromise of the
whole Kerberos realm. A remote attacker could also use the heap
corruption to cause a Denial of Service.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All MIT Kerberos 5 users should upgrade to the latest available
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.4.1-r1"

References
==========

  [ 1 ] CAN-2005-1174
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174
  [ 2 ] CAN-2005-1175
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175
  [ 3 ] CAN-2005-1689
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689
  [ 4 ] MITKRB5-SA-2005-002
        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt
  [ 5 ] MITKRB5-SA-2005-003
        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200507-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

- Vulnerability information (F38628)

MITKRB5-SA-2005-003.txt (PacketStormID:F38628)
2005-07-13 00:00:00
 
advisory,remote,arbitrary
CVE-2005-1689

MIT krb5 Security Advisory 2005-003 - The krb5_recvauth() function can free previously freed memory under some error conditions. This vulnerability may allow an unauthenticated remote attacker to execute arbitrary code.

MIT krb5 Security Advisory 2005-003

Original release: 2005-07-12

Topic: double-free in krb5_recvauth

Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689, VU#623332]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
  krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
  krb5, up to and including krb5-1.4.1, are vulnerable.

* Third-party application programs which call krb5_recvauth() are also
  vulnerable.

FIXES
=====

* The upcoming krb5-1.4.2 release will have a fix for this
  vulnerability.

* Apply the following patch.  This patch was generated against the
  krb5-1.4.1 release.  It may apply, with some offset, to earlier
  releases.

  The patch may also be found at:

  http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt

  The associated detached PGP signature is at:

  http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c	3 Sep 2002 01:13:47 -0000	5.38
--- lib/krb5/krb/recvauth.c	23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
  	    if ((retval = krb5_read_message(context, fd, &inbuf)))
  		return(retval);
  	    if (strcmp(inbuf.data, sendauth_version)) {
- 		krb5_xfree(inbuf.data);
  		problem = KRB5_SENDAUTH_BADAUTHVERS;
  	    }
  	    krb5_xfree(inbuf.data);
--- 76,81 ----
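Review bot: Deleting the `krb5_xfree(inbuf.data);` inside the `strcmp(inbuf.data, sendauth_version)` branch is the right fix, because the unconditional `krb5_xfree(inbuf.data);` three lines further down already releases the buffer on both the match and the mismatch path; the branch now only records `problem = KRB5_SENDAUTH_BADAUTHVERS` and falls through to that single release. Nothing in the hunk makes that ownership visible, so a one-line comment above the unconditional free stating that it is the sole owner of `inbuf.data` would help keep the same pattern from being reintroduced.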
***************
*** 90,96 ****
  	if ((retval = krb5_read_message(context, fd, &inbuf)))
  		return(retval);
  	if (appl_version && strcmp(inbuf.data, appl_version)) {
- 		krb5_xfree(inbuf.data);
  		if (!problem)
  			problem = KRB5_SENDAUTH_BADAPPLVERS;
  	}
--- 89,94 ----
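Review bot: The trailing context of this hunk stops at the closing brace of the `if (appl_version && strcmp(inbuf.data, appl_version))` block, so the unconditional `krb5_xfree(inbuf.data)` that now performs the only release of the application-version buffer is not visible in the diff; the DETAILS section says it follows, but it should be confirmed in the file at the patched offset (new lines 89-94) rather than from the hunk alone. As in the first hunk, `problem` is only assigned when not already set, so the mismatch path still falls through to that single free.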

REFERENCES
==========

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CAN-2005-1689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689

CERT: VU#623332
http://www.kb.cert.org/vuls/id/623332

ACKNOWLEDGMENTS
===============

Thanks to Magnus Hagander for reporting this vulnerability.

DETAILS
=======

The helper function recvauth_common() in lib/krb5/krb/recvauth.c has
two locations which call krb5_read_message(), followed by an
unconditional krb5_xfree() of the buffer allocated by
krb5_read_message().  In the cases where the sendauth version string
or the application version string do not match the expected value,
recvauth_common() performs a krb5_xfree() on the buffer allocated by
krb5_read_message() preceding the subsequent unconditional call to
krb5_xfree() on the same buffer.

Since the code paths which call krb5_xfree() twice do so with almost
no intervening code, exploitation of this vulnerability may be more
difficult than exploitation of other double-free vulnerabilities.  No
detailed analysis has been performed on the ease of exploitation.

REVISION HISTORY
================

2005-05-12      original release

Copyright (C) 2005 Massachusetts Institute of Technology
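As an added illustration of the DETAILS section above (this is not code from the MIT advisory or from the krb5 source), the following C model reproduces the control flow of the version check in recvauth_common() with an instrumented free that counts releases instead of freeing twice, so the pre-patch double free and the post-patch single free can be compared side by side. The function names, the expected version string and the counting instrumentation are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented free (test scaffolding, not krb5 code): counts releases of the
 * current buffer and calls free() only once, so a double free is observable
 * instead of corrupting the heap. */
static int free_calls;
static void tracked_xfree(char *p)
{
    if (free_calls++ == 0)
        free(p);
}

/* Model of the version check in recvauth_common(): read a string from the peer,
 * compare it with the expected version, then release the buffer. `patched`
 * selects the control flow after MITKRB5-SA-2005-003 (no free inside the
 * mismatch branch). Returns 1 on mismatch, 0 on match, -1 if malloc fails. */
int version_check(const char *received, const char *expected, int patched)
{
    int problem = 0;
    size_t len = strlen(received) + 1;
    char *inbuf = malloc(len);           /* stands in for krb5_read_message() */
    free_calls = 0;
    if (inbuf == NULL)
        return -1;
    memcpy(inbuf, received, len);        /* inbuf plays the role of inbuf.data */
    if (strcmp(inbuf, expected)) {
        if (!patched)
            tracked_xfree(inbuf);        /* pre-patch: first free on mismatch */
        problem = 1;                     /* KRB5_SENDAUTH_BADAUTHVERS in krb5 */
    }
    tracked_xfree(inbuf);                /* unconditional free that always follows */
    return problem;
}

/* How many times the buffer was released by the most recent version_check(). */
int frees_in_last_check(void)
{
    return free_calls;
}

int main(void)
{
    const char *exp = "KRB5_SENDAUTH_V1.0";  /* constructed expected version string */
    version_check(exp, exp, 0);
    printf("unpatched, version matches : %d free(s)\n", frees_in_last_check());
    version_check("BOGUS_VERSION", exp, 0);
    printf("unpatched, version mismatch: %d free(s)\n", frees_in_last_check());
    version_check("BOGUS_VERSION", exp, 1);
    printf("patched,   version mismatch: %d free(s)\n", frees_in_last_check());
    return 0;
}
```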

- Vulnerability information

17841
MIT Kerberos kpropd krb5_recvauth Double-free Command Execution
Loss of Integrity  Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2005-07-12 Unknown
Unknown Unknown

- Solution

Upgrade to version krb5-1.4.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

MIT Kerberos 5 KRB5_Recvauth Remote Pre-Authentication Double-Free Vulnerability
Design Error 14239
Yes No
2005-07-12 12:00:00 2006-09-26 03:51:00
Discovery of this issue is credited to Magnus Hagander.

- Affected program versions

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 10.0_x86
Sun Solaris 10
Sun SEAM 1.0
SGI ProPack 3.0 SP6
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
MIT Kerberos 5 5.0 -1.4.1
MIT Kerberos 5 5.0 -1.4
MIT Kerberos 5 5.0 -1.3.6
MIT Kerberos 5 5.0 -1.3.5
MIT Kerberos 5 5.0 -1.3.4
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
MIT Kerberos 5 5.0 -1.3.3
MIT Kerberos 5 5.0 -1.2beta2
MIT Kerberos 5 5.0 -1.2beta1
MIT Kerberos 5 5.0 -1.1.1
MIT Kerberos 5 5.0 -1.1
MIT Kerberos 5 5.0 -1.0.x
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
HP HP-UX B.11.23
HP HP-UX B.11.11
HP HP-UX B.11.00
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Conectiva Linux 10.0
Conectiva Linux 9.0
Apple Mac OS X Server 10.4.2
Apple Mac OS X 10.4.2

- Vulnerability discussion

MIT Kerberos 5 is prone to a remote double-free vulnerability. Remote attackers can trigger this issue prior to any authentication whatsoever. The issue exists in the 'recvauth_common()' helper function.

Because of the code path taken in the vulnerable function, exploitation may be hindered. However, attackers may presumably leverage this issue to execute arbitrary code in the context of the affected service.

Note that successful exploitation of this issue on a Kerberos Key Distribution Center (KDC) computer may result in the compromise of an entire Kerberos realm.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

The vendor has released patches to address this issue.

Please see the referenced advisories for more information.

Sun Solaris 8_sparc
Sun Solaris 10
Sun Solaris 10.0_x86
Sun Solaris 9
Sun Solaris 9_x86
Sun Solaris 8_x86
Apple Mac OS X 10.4.2
MIT Kerberos 5 5.0 -1.4.1

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.