Multiple Vendor Kerberos 4 Temporary File Race Condition Vulnerability
BID:2093
Info
Multiple Vendor Kerberos 4 Temporary File Race Condition Vulnerability
| Bugtraq ID: | 2093 |
| Class: | Race Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Dec 08 2000 12:00AM |
| Updated: | Dec 08 2000 12:00AM |
| Credit: | First posted to Bugtraq by Jouko Pynnonen <[email protected]> on Dec 8, 2000. MIT released an advisory notifying of the problem in MIT Kerberos on March 7th, 2001. |
| Vulnerable: |
MIT Kerberos 5 5.0 -1.2beta2 MIT Kerberos 5 5.0 -1.2beta1 MIT Kerberos 5 5.0 -1.1.1 MIT Kerberos 5 5.0 -1.1 MIT Kerberos 5 5.0 -1.0.x MIT Kerberos 5 1.2.1 MIT Kerberos 4 4.0 patch 10 MIT Kerberos 4 4.0 KTH Kerberos 4 1.0.3 -1.0 KTH Kerberos 4 1.0.3 -1 KTH Kerberos 4 1.0.3 KTH Kerberos 4 1.0.2 KTH Kerberos 4 1.0.1 -1 KTH Kerberos 4 1.0.1 KTH Kerberos 4 1.0 -1.0.1 KTH Kerberos 4 1.0 KTH Kerberos 4 0.10.1 KTH Kerberos 4 0.10 KTH Kerberos 4 0.9.9 KTH Kerberos 4 0.9.8 KTH Kerberos 4 0.9.7 KTH Kerberos 4 0.9.6 +patches KTH Kerberos 4 0.9.6 KTH Kerberos 4 0.9.5 KTH Kerberos 4 0.9.3 KTH Kerberos 4 0.9.2 a KTH Kerberos 4 0.9.2 KTH Kerberos 4 0.9.1 KTH Kerberos 4 0.9 KTH Kerberos 4 0.8 KTH Kerberos 4 0.7 KTH Kerberos 4 0.6 KTH Kerberos 4 0.5 KTH Kerberos 4 0.1 KTH Kerberos 4 0.0 Cygnus KerbNet 5.0 .x Cygnus Cygnus Network Security 4.0 .x |
| Not Vulnerable: |
MIT Kerberos 5 1.2.2 -beta1 KTH Kerberos 4 1.0.4 |
Discussion
Multiple Vendor Kerberos 4 Temporary File Race Condition Vulnerability
Kerberos is a widely used network service authentication system. Several implentations of Kerberos, including KTH Kerberos 4, MIT Kerberos 4, MIT Kerberos 5, Kerbnet (Cygnus Kerberos 5), and Cygnus Network Security (Cygnus Kerberos 4) contains a local /tmp race condition vulnerability that may result in a denial of service.
The Kerberos system, when creating tickets, uses temporary files in the /tmp directory. The names of these files are predictable and can be anticipated by attackers. If a symbolic link were to exist in /tmp with a correctly guessed filename when Kerberos is creating tickets, the symbolic link would be followed and whatever it pointed to would be written to. The target file pointed to by the symbolic link would be written to as root.
If a system-critical file were to be overwritten/corrupted, a denial of service may occur. Due to the fact that files are overwritten with normal Kerberos 4 ticket information, the possibility of exploitation to gain full root access is remote.
Kerberos is a widely used network service authentication system. Several implentations of Kerberos, including KTH Kerberos 4, MIT Kerberos 4, MIT Kerberos 5, Kerbnet (Cygnus Kerberos 5), and Cygnus Network Security (Cygnus Kerberos 4) contains a local /tmp race condition vulnerability that may result in a denial of service.
The Kerberos system, when creating tickets, uses temporary files in the /tmp directory. The names of these files are predictable and can be anticipated by attackers. If a symbolic link were to exist in /tmp with a correctly guessed filename when Kerberos is creating tickets, the symbolic link would be followed and whatever it pointed to would be written to. The target file pointed to by the symbolic link would be written to as root.
If a system-critical file were to be overwritten/corrupted, a denial of service may occur. Due to the fact that files are overwritten with normal Kerberos 4 ticket information, the possibility of exploitation to gain full root access is remote.
Exploit / POC
Multiple Vendor Kerberos 4 Temporary File Race Condition Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Multiple Vendor Kerberos 4 Temporary File Race Condition Vulnerability
Solution:
Upgrade to KTH Kerberos 4 version 1.0.4. NetBSD has released a patch for NetBSD 1.5.
MIT has released krb5-1.2.2 which incorporates a fix for this. A patch for the krb4 library is also available if upgrading to this version is not feasible.
KTH Kerberos 4 1.0
KTH Kerberos 4 1.0.3
MIT Kerberos 5 1.2.1
Solution:
Upgrade to KTH Kerberos 4 version 1.0.4. NetBSD has released a patch for NetBSD 1.5.
MIT has released krb5-1.2.2 which incorporates a fix for this. A patch for the krb4 library is also available if upgrading to this version is not feasible.
KTH Kerberos 4 1.0
-
FreeBSD 3.5.1 telnetd-krb.3.5.1.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.3. 5.1.patch -
FreeBSD 4.2 telnetd-krb.4.2.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:25/telnetd-krb.4. 2.patch
KTH Kerberos 4 1.0.3
-
KTH Kerberos 4 1.0.4
ftp://ftp.pdc.kth.se/pub/krb/src/krb4-1.0.4.tar.gz -
NetBSD 20001220-krb
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20001220-krb
MIT Kerberos 5 1.2.1
-
MIT krb4tkt_121_patch
Recompile or relink your login daemons after applying this patch.
http://web.mit.edu/kerberos/www/advisories/krb4tkt_121_patch.txt
References
Multiple Vendor Kerberos 4 Temporary File Race Condition Vulnerability
References:
References:
- Kerberos Homepage (MIT)
- KTH Kerberos Homepage (Swedish Royal Institute of Technology)