Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 159755 - CAN-2005-1689 double-free in krb5_recvauth
Summary: CAN-2005-1689 double-free in krb5_recvauth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 3
Hardware: All
OS: Linux
medium
urgent
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard: impact=critical,embargo=20050712,sour...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-07 20:07 UTC by Josh Bressers
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version: 1.3.6-7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-06-30 02:30:43 UTC


Attachments (Terms of Use)

Description Josh Bressers 2005-06-07 20:07:33 UTC
+++ This bug was initially created as a clone of Bug #159753 +++

Severity: CRITICAL

SUMMARY
=======

The krb5_recvauth() function can free previously freed memory under
some error conditions.  This vulnerability may allow an
unauthenticated remote attacker to execute arbitrary code.
Exploitation of this vulnerability on a Kerberos Key Distribution
Center (KDC) host can result in compromise of an entire Kerberos
realm.  No exploit code is known to exist at this time.  Exploitation
of double-free vulnerabilities is believed to be difficult.
[CAN-2005-1689]

IMPACT
======

An unauthenticated attacker may be able to execute arbitrary code in
the context of a program calling krb5_recvauth().  This includes the
kpropd program which typically runs on slave Key Distribution Center
(KDC) hosts, potentially leading to compromise of an entire Kerberos
realm.  Other vulnerable programs which call krb5_recvauth() are
usually remote login programs running with root privileges.
Unsuccessful attempts at exploitation may result in denial of service
by crashing the target program.

AFFECTED SOFTWARE
=================

* The kpropd daemon in all releases of MIT krb5, up to and including
   krb5-1.4.1, is vulnerable.

* The klogind and krshd remote-login daemons in all releases of MIT
   krb5, up to and including krb5-1.4.1, is vulnerable.

* Third-party application programs which call krb5-recvauth() are also
   vulnerable.

FIXES
=====

* Apply the following patch.  This patch was generated against the
   krb5-1.4.1 release.  It may apply, with some offset, to earlier
   releases.

   The patch may also be found at:

   http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt

   The associated detached PGP signature is at:

   http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt.asc

Index: lib/krb5/krb/recvauth.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/recvauth.c,v
retrieving revision 5.38
diff -c -r5.38 recvauth.c
*** lib/krb5/krb/recvauth.c     3 Sep 2002 01:13:47 -0000       5.38
--- lib/krb5/krb/recvauth.c     23 May 2005 23:19:15 -0000
***************
*** 76,82 ****
            if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
            if (strcmp(inbuf.data, sendauth_version)) {
-               krb5_xfree(inbuf.data);
                problem = KRB5_SENDAUTH_BADAUTHVERS;
            }
            krb5_xfree(inbuf.data);
--- 76,81 ----
***************
*** 90,96 ****
        if ((retval = krb5_read_message(context, fd, &inbuf)))
                return(retval);
        if (appl_version && strcmp(inbuf.data, appl_version)) {
-               krb5_xfree(inbuf.data);
                if (!problem)
                        problem = KRB5_SENDAUTH_BADAPPLVERS;
        }
--- 89,94 ----

Comment 1 Josh Bressers 2005-06-07 20:10:07 UTC
The embargo on this issue will be lifted after FC4 comes out, we shall want to
fix it there as well.

Comment 2 Mark J. Cox 2005-06-07 20:15:53 UTC
Note that on RHEL4 and FC3 and FC4 a double free will be caught by glibc and
cause a crash.  Whilst this allows a remote DoS it won't allow arbitrary code. 
Therefore Important on those distributions with these checks, Critial elsewhere.

Comment 3 Mark J. Cox 2005-07-12 18:02:35 UTC
public at http://web.mit.edu/kerberos/www/advisories/, removing embargo

Comment 4 Matthew Miller 2006-06-30 02:30:43 UTC
This was fixed in 1.3.6-7 and an update released. It just was never marked as
closed.


Note You need to log in before you can comment on or make changes to this bug.