Kerberos KDC Spoofing Vulnerability
BID:1616
Info
| Bugtraq ID: | 1616 |
| Class: | Configuration Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 28 2000 12:00AM |
| Updated: | Aug 28 2000 12:00AM |
| Credit: | This vulnerability was first reported in a message to Bugtraq on Monday August 28, 2000 by Dug Song <[email protected]>. |
| Vulnerable: | MIT Kerberos 5 5.0 -1.2beta2; MIT Kerberos 5 5.0 -1.2beta1; MIT Kerberos 5 5.0 -1.1.1; MIT Kerberos 4 4.0 patch 10 |
| Not Vulnerable: | |
Discussion
Kerberos is a cryptographic authentication protocol that allows users of a network to access services without transmitting cleartext passwords. A common implementation of the protocol includes a login service that is vulnerable to an attack involving spoofed responses from the Key Distribution Center (KDC). The login service authenticates a user by first requesting a ticket granting ticket (TGT) from the authentication server. If the TGT can be decrypted using the password supplied by the user, the login service attempts to verify the identity of the KDC by using the received TGT to request a service ticket for itself. The service ticket returned by the KDC is encrypted with a secret shared between the KDC and the service host. If the service ticket cannot be verified with the service's secret key, the KDC is assumed not to be authentic. If the login service has not been registered as a principal with the KDC, or the service's secret key has not been installed on the host, the login service proceeds without verifying that the TGT was returned by the authentic KDC. In these circumstances it is possible to log into the server illicitly if an attacker can spoof responses from the Key Distribution Center.
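The login-service check described above as a toy model, added here and not taken from MIT Kerberos: the service opens the TGT with the user's password, then asks the KDC for a service ticket for itself and verifies it with its keytab key; the `fail_closed` flag contrasts the fail-open behaviour (no keytab, so the check is skipped) with the hardened policy of refusing the login. The HMAC-based ticket encoding, the key derivation, and all principal names and secrets are constructed assumptions of this model.

```python
"""Toy model of the login-service KDC check described above (added example, not
MIT Kerberos code). A ticket "encrypted" under a key is modeled as
body || HMAC(key, body); decrypting it means the tag verifies under that key."""
import hashlib
import hmac
from typing import Optional

def derive_key(password: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (assumption of this model).
    return hashlib.sha256(password.encode()).digest()

def make_ticket(key: bytes, body: bytes) -> bytes:
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_ticket(key: bytes, ticket: bytes) -> Optional[bytes]:
    body, tag = ticket[:-32], ticket[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None

class KDC:
    """Answers AS/TGS requests; a spoofed KDC simply lacks the real host key."""
    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys, self.service_keys = user_keys, service_keys

    def as_req(self, user: str) -> bytes:  # TGT under the user's key
        return make_ticket(self.user_keys[user], b"tgt:" + user.encode())

    def tgs_req(self, tgt: bytes, service: str) -> bytes:  # service ticket
        key = self.service_keys.get(service, b"\x00" * 32)  # unknown -> bogus key
        return make_ticket(key, b"svc:" + service.encode())

def login(kdc: KDC, user: str, password: str, service: str,
          keytab_key: Optional[bytes], fail_closed: bool) -> bool:
    """True if the login service would grant access under the given policy."""
    tgt = open_ticket(derive_key(password), kdc.as_req(user))
    if tgt is None:
        return False  # TGT does not decrypt with the supplied password
    if keytab_key is None:
        # No keytab / unregistered principal: vulnerable versions skip the KDC
        # check and trust the TGT (fail-open); the hardened policy refuses.
        return not fail_closed
    ticket = kdc.tgs_req(tgt, service)
    return open_ticket(keytab_key, ticket) is not None  # only the real KDC passes

# Constructed sample realm: the host's keytab key and an authentic KDC.
HOST_KEY = derive_key("constructed-host-secret")
REAL_KDC = KDC({"alice": derive_key("alice-pw")}, {"host/login": HOST_KEY})
# A KDC that does not know HOST_KEY, i.e. the spoofed-response case above.
SPOOFED_KDC = KDC({"alice": derive_key("anything")}, {})
```

With a keytab installed the spoofed KDC is rejected regardless of policy; only the combination of a missing keytab and the fail-open behaviour lets the login through.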
Exploit / POC
Exploit available:
Solution / Fix
Solution:
Ensure that keytab files are properly installed on Kerberos enabled servers and that principals for their services are registered.