(Apple Issues Fix for OS X) Kerberos 5 KDC Double-Free Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1012397
SecurityTracker URL: http://securitytracker.com/id?1012397
CVE Reference: CAN-2004-0642
Date: Dec 2 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.3.4 and prior versions
Description: Several double-free vulnerabilities were reported in the MIT Kerberos 5 Key Distribution Center (KDC) software and its supporting libraries. A remote user may be able to execute arbitrary code and compromise the Kerberos realm.
The vendor reported that the ASN.1 decoder functions use inconsistent memory-management conventions. Under certain error conditions,
the ASN.1 decoders may free memory without nulling the corresponding pointers [CVE: CAN-2004-0642]. As a result, some library functions
that receive errors from the ASN.1 decoders may attempt to free those still-non-NULL (dangling) pointers a second time.
It is also reported that krb5_rd_cred()
in versions prior to 1.3.2 frees already-freed buffers returned by decode_krb5_enc_cred_part() when that function returns an error
[CVE: CAN-2004-0643].
It is also reported that a patch introduced in version 1.2.8 to disable krb4 cross-realm authentication
in krb524d contains a double-free vulnerability [CVE: CAN-2004-0772].
The vendor credits Will Fiveash and Nico Williams at Sun,
Marc Horowitz, Nalin Dahyabhai, Joseph Galbraith, and John Hawkinson with discovering these flaws.
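The error-path convention mismatch described above (a decoder that frees a buffer on failure but leaves the caller's pointer set, and a caller in the style of krb5_rd_cred() that releases everything it was handed when an error comes back), illustrated as an added C example that is not MIT krb5 code: the decoder, the struct and every function name are hypothetical stand-ins, and a small tracking allocator counts the second free instead of performing it, because a real second free() is undefined behaviour and current allocators abort on it. The free-without-null decoder produces one double free on a malformed message; the free-and-null decoder produces none, since the caller's cleanup becomes free(NULL).

```c
/*
 * Added illustration of the ownership bug in the advisory. Not MIT krb5
 * code: the decoder, the struct and all names are hypothetical. A tracking
 * allocator stands in for malloc/free so the second free is counted, not
 * executed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* --- tracking allocator: records live blocks and counts double frees --- */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *t_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; break; }
    return p;
}

static void t_free(void *p) {
    if (p == NULL) return;                 /* free(NULL) is always safe   */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                        /* p is not live: second free  */
}

static void t_reset(void) { memset(live, 0, sizeof live); double_frees = 0; }

struct enc_part { uint8_t *buf; size_t len; };
typedef int (*decoder_fn)(const uint8_t *, size_t, struct enc_part *);

/* Hypothetical decoder with the reported convention: on a decode error it
 * frees what it allocated but leaves the caller's pointer non-NULL. */
static int decode_frees_without_nulling(const uint8_t *in, size_t inlen,
                                        struct enc_part *out) {
    if (inlen == 0) return -1;
    out->buf = t_alloc(inlen);
    if (out->buf == NULL) return -1;
    memcpy(out->buf, in, inlen);
    out->len = inlen;
    if (in[0] != 0x30) {                   /* not a SEQUENCE tag: reject  */
        t_free(out->buf);                  /* released ...                */
        return -1;                         /* ... but out->buf still set  */
    }
    return 0;
}

/* Fixed convention: anything released on the error path is also nulled,
 * so the caller's cleanup free() is a harmless free(NULL). */
static int decode_frees_and_nulls(const uint8_t *in, size_t inlen,
                                  struct enc_part *out) {
    if (inlen == 0) return -1;
    out->buf = t_alloc(inlen);
    if (out->buf == NULL) return -1;
    memcpy(out->buf, in, inlen);
    out->len = inlen;
    if (in[0] != 0x30) {
        t_free(out->buf);
        out->buf = NULL;
        out->len = 0;
        return -1;
    }
    return 0;
}

/* A caller in the style the advisory attributes to krb5_rd_cred(): on any
 * error it releases everything the decoder may have handed back. */
static int read_message(decoder_fn decode, const uint8_t *in, size_t inlen) {
    struct enc_part part = { NULL, 0 };
    int rc = decode(in, inlen, &part);
    if (rc != 0) {
        t_free(part.buf);                  /* second free if left dangling */
        return rc;
    }
    /* ... a real caller would consume part.buf here ... */
    t_free(part.buf);
    return 0;
}

/* Runs one malformed message through the caller and reports how many
 * double frees the given decoder convention produced. */
int double_frees_for(decoder_fn decode) {
    /* Constructed input: an OCTET STRING tag where a SEQUENCE is expected. */
    static const uint8_t bad_msg[] = { 0x04, 0x01, 0xff };
    t_reset();
    read_message(decode, bad_msg, sizeof bad_msg);
    return double_frees;
}

int main(void) {
    printf("free-without-null: %d double free(s)\n",
           double_frees_for(decode_frees_without_nulling));
    printf("free-and-null:     %d double free(s)\n",
           double_frees_for(decode_frees_and_nulls));
    return 0;
}
```

The rule the example encodes is the one a reviewer checks on every error path: a function that releases memory it does not own must also null the pointer, so that the owner's cleanup is idempotent, and a caller must never assume a callee's error return left its output untouched unless that contract is written down.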
Impact: A remote user may be able to execute arbitrary code on a target KDC system, which compromises the entire Kerberos realm.
A remote user may be able to execute arbitrary code on a target system running krb524d.
A remote user acting as a KDC or application server may be able to execute arbitrary code on a target client host while the client is authenticating.
Solution: Apple has issued a fix as part of Security Update 2004-12-02, available at:
- Software Update preferences
- Apple Downloads:
http://www.apple.com/swupdates/
Vendor URL: web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
Cause: State error
Underlying OS: UNIX (OS X)
Underlying OS Comments: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents
Date: Thu, 2 Dec 2004 16:40:18 -0500
Subject: [none]

Security Update 2004-12-02

Cyrus IMAP
Available for: Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1089
Impact: When using Kerberos authentication with Cyrus IMAP, an authenticated user could
gain unauthorized access to other mailboxes on the same system.
Description: When using the Kerberos authentication mechanism with the Cyrus IMAP
server, a user could switch mailboxes after authenticating and gain access to other
mailboxes on the same system. This update binds the mailbox to the authenticated user.
This server-specific issue is not present in Mac OS X Server v10.2.8. Credit to
johan.gradvall@gothia.se for reporting this issue.

HIToolbox
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1085
Impact: Users can quit applications in kiosk mode
Description: A special key combination allowed users to bring up the force quit window
even in kiosk mode. This update blocks all force-quit key combinations while in kiosk
mode. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit
to Glenn Blauvelt of University of Colorado at Boulder for reporting this issue.

Kerberos
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6, Mac OS X v10.2.8, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-0642, CAN-2004-0643, CAN-2004-0644, CAN-2004-0772
Impact: Exposure to a potential denial of service when Kerberos authentication is used
Description: MIT has released a new version of Kerberos that addresses a denial of
service and three double free errors. Mac OS X contains protection against double free
errors. This update applies the fix for the denial of service problem. As a
precautionary measure the double free patches have also been applied. Credit to the MIT
Kerberos Development Team for reporting this issue and providing fixes.

Postfix
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1088
Impact: Postfix using CRAM-MD5 may allow a remote user to send mail without properly authenticating.
Description: Postfix servers using CRAM-MD5 to authenticate senders were vulnerable to
a replay attack. Under some circumstances, the credentials used to successfully
authenticate a user could be re-used for a small time period. The CRAM-MD5 algorithm
used to authenticate users has been updated to prevent the replay window. This issue is
not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8. Credit to Victor Duchovni
of Morgan Stanley for reporting this issue.

PSNormalizer
Available for: Mac OS X v10.3.6, Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1086
Impact: A buffer overflow in PostScript to PDF conversion could allow execution of
arbitrary code.
Description: A buffer overflow in the handling of PostScript to PDF conversion could
potentially allow the execution of arbitrary code. This update corrects the PostScript
to PDF conversion code to prevent the buffer overflow. This issue is not present in Mac
OS X v10.2.8 or Mac OS X Server v10.2.8.

QuickTime Streaming Server
Available for: Mac OS X Server v10.3.6, Mac OS X Server v10.2.8
CVE-ID: CAN-2004-1123
Impact: Specially crafted requests could cause a denial of service.
Description: QuickTime Streaming Server was vulnerable to a denial of service attack
when handling DESCRIBE requests. This update corrects the handling of these requests.
Credit to iDEFENSE for reporting this issue.

Terminal
Available for: Mac OS X v10.3.6 and Mac OS X Server v10.3.6
CVE-ID: CAN-2004-1087
Impact: Terminal may indicate that 'Secure Keyboard Entry' is active when it is not.
Description: The 'Secure Keyboard Entry' menu setting was not properly restored when
launching Terminal.app. A check mark would be displayed next to 'Secure Keyboard Entry'
even though it was not enabled. This update fixes the behavior of 'Secure Keyboard
Entry'. This issue is not present in Mac OS X v10.2.8 or Mac OS X Server v10.2.8.
Credit to Jonathan 'Wolf' Rentzsch of Red Shed Software for reporting this issue.