Multiple vulnerabilities have been identified in MIT Kerberos, which could be exploited by attackers or malicious users to take complete control of an affected system.
The first issue is due to an input validation error in the krb5 telnet daemon that fails to properly check supplied usernames, which could be exploited by remote attackers to bypass security restrictions and gain unauthorized access to a vulnerable system without authentication. This issue is similar to FrSIRT/ADV-2007-0560
The second vulnerability is due to a stack overflow error in the "krb5_klog_syslog()" function when processing strings received from a client, which could be exploited by authenticated attackers to crash a vulnerable application or execute arbitrary commands.
The third issue is due to an error in the "kg_unseal_v1()" [lib/gssapi/krb5/k5unseal.c] function that frees memory allocated for the "message_buffer" gss_buffer_t when detecting an invalid direction encoding on the message, which could be exploited by an authenticated attacker to execute arbitrary commands. Third-party applications calling the RPC library provided with MIT krb5 and using the RPCSEC_GSS authentication flavor are affected by this vulnerability. Third-party applications calling the MIT GSS-API library are vulnerable if they call "gss_release_buffer()" when experiencing errors from "gss_unseal()" or "gss_unwrap()".
Credits
Vulnerabilities reported by the vendor and iDefense Labs.
ChangeLog
2007-04-03 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
