KTH Kerberos 4 User-Supplied Configuration Files Vulnerability
BID:2092
Info
KTH Kerberos 4 User-Supplied Configuration Files Vulnerability
| Bugtraq ID: | 2092 |
| Class: | Unknown |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Dec 08 2000 12:00AM |
| Updated: | Dec 08 2000 12:00AM |
| Credit: | First posted to Bugtraq by Jouko Pynnonen <[email protected]> on Dec 8, 2000. |
| Vulnerable: |
KTH Kerberos 4 1.0.3 -1.0 KTH Kerberos 4 1.0.3 -1 KTH Kerberos 4 1.0.3 KTH Kerberos 4 1.0.2 KTH Kerberos 4 1.0.1 -1 KTH Kerberos 4 1.0.1 KTH Kerberos 4 1.0 -1.0.1 KTH Kerberos 4 1.0 KTH Kerberos 4 0.10.1 KTH Kerberos 4 0.10 KTH Kerberos 4 0.9.9 KTH Kerberos 4 0.9.8 KTH Kerberos 4 0.9.7 KTH Kerberos 4 0.9.6 +patches KTH Kerberos 4 0.9.6 KTH Kerberos 4 0.9.5 KTH Kerberos 4 0.9.3 KTH Kerberos 4 0.9.2 a KTH Kerberos 4 0.9.2 KTH Kerberos 4 0.9.1 KTH Kerberos 4 0.9 KTH Kerberos 4 0.8 KTH Kerberos 4 0.7 KTH Kerberos 4 0.6 KTH Kerberos 4 0.5 KTH Kerberos 4 0.1 KTH Kerberos 4 0.0 |
| Not Vulnerable: |
KTH Kerberos 4 1.0.4 |
Discussion
KTH Kerberos 4 User-Supplied Configuration Files Vulnerability
Kerberos is a widely used network service authentication system. The version of Kerberos developed and maintained by KTH (Swedish Royal Institute of Technology) contains a vulnerability in its use of a user-supplied environment variable that may allow a malicious user with local access to elevate privileges.
The environment variable, KRBCONFDIR, is used by Kerberos-enabled services to specify the directory in which KTH Kerberos 4 configuration files are located. For security reasons, this variable is not used when the authenticating process is setuid (the effective privileges do not match the real privileges) because the value is assumed to be user-definable. This is to prevent users from supplying malicious Kerberos config files.
Unfortunately the method of checking the effective uid against the real uid is flawed in the case of telnet. When telnetting to a host, login is spawned with effective and real uid 0 privileges, making any such security check successful by default. It is also possible to import environment variables to telnet servers (and eventually, to login), such as KRBCONFDIR, via the telnet protocol.
Consequently, if a user has local access to the target host (or a way to upload files to a known location on the target host), the login program (spawned by a telnet server) can be tricked into using malicious KTH Kerberos 4 configuration files.
An arbitrary Kerberos server can be specified in these configuration files. With login using a malicious Kerberos server under an attackers control, the attacker can succesfully authenticate when logging in as any user (except root in configuration dependent situations where remote root logins are not permitted by default). This can lead to a compromise of root access or privileges that may lead to root access on the target host.
It should be noted that Kerberos services perform extra check to ensure they are communicating with the correct Kerberos server using a secret key. Unfortunately, this key is stored in the directory defined by KRBCONFDIR and can also be attacker-supplied.
Kerberos is a widely used network service authentication system. The version of Kerberos developed and maintained by KTH (Swedish Royal Institute of Technology) contains a vulnerability in its use of a user-supplied environment variable that may allow a malicious user with local access to elevate privileges.
The environment variable, KRBCONFDIR, is used by Kerberos-enabled services to specify the directory in which KTH Kerberos 4 configuration files are located. For security reasons, this variable is not used when the authenticating process is setuid (the effective privileges do not match the real privileges) because the value is assumed to be user-definable. This is to prevent users from supplying malicious Kerberos config files.
Unfortunately the method of checking the effective uid against the real uid is flawed in the case of telnet. When telnetting to a host, login is spawned with effective and real uid 0 privileges, making any such security check successful by default. It is also possible to import environment variables to telnet servers (and eventually, to login), such as KRBCONFDIR, via the telnet protocol.
Consequently, if a user has local access to the target host (or a way to upload files to a known location on the target host), the login program (spawned by a telnet server) can be tricked into using malicious KTH Kerberos 4 configuration files.
An arbitrary Kerberos server can be specified in these configuration files. With login using a malicious Kerberos server under an attackers control, the attacker can succesfully authenticate when logging in as any user (except root in configuration dependent situations where remote root logins are not permitted by default). This can lead to a compromise of root access or privileges that may lead to root access on the target host.
It should be noted that Kerberos services perform extra check to ensure they are communicating with the correct Kerberos server using a secret key. Unfortunately, this key is stored in the directory defined by KRBCONFDIR and can also be attacker-supplied.
Exploit / POC
KTH Kerberos 4 User-Supplied Configuration Files Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
KTH Kerberos 4 User-Supplied Configuration Files Vulnerability
Solution:
Upgrade to KTH Kerberos 4 version 1.0.4. NetBSD has released a patch for NetBSD 1.5.
KTH Kerberos 4 1.0
KTH Kerberos 4 1.0.3
Solution:
Upgrade to KTH Kerberos 4 version 1.0.4. NetBSD has released a patch for NetBSD 1.5.
KTH Kerberos 4 1.0
-
FreeBSD 3.5.1 telnetd-krb.3.5.1.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3. 5.1.patch -
FreeBSD 4.2 telnetd-krb.4.2.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4. 2.patch
KTH Kerberos 4 1.0.3
-
KTH Kerberos 4 1.0.4
ftp://ftp.pdc.kth.se/pub/krb/src/krb4-1.0.4.tar.gz -
NetBSD 20001220-krb
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20001220-krb
References
KTH Kerberos 4 User-Supplied Configuration Files Vulnerability
References:
References:
- KTH Kerberos Homepage (Swedish Royal Institute of Technology)