Category:   Application (Security)  >   Kerberos
Vendors:   MIT
(Sun Issues Fix) MIT krb5 KDC Buffer Overflow in 'do_as_req' and 'do_tgs_req' May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014473
SecurityTracker URL:  http://securitytracker.com/id/1014473
CVE Reference:   CVE-2005-1174, CVE-2005-1175
Updated:  Sep 16 2005
Original Entry Date:  Jul 13 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): krb5-1.4.1 and prior versions
Description:   Two vulnerabilities were reported in the MIT krb5 Key Distribution Center (KDC) implementation. A remote user may be able to execute arbitrary code on the target system.

A remote user can send a specially crafted request over a TCP connection to cause the KDC to attempt to free random memory and corrupt the heap [CVE: CAN-2005-1174]. This can cause denial of service conditions. Systems that accept TCP connections are affected.

A remote user can send the same kind of request via TCP or UDP to trigger a single-byte heap overflow [CVE: CAN-2005-1175]. The remote user may be able to execute arbitrary code.

The vendor reports that exploitation of these vulnerabilities is believed to be difficult.

The vulnerabilities reside in 'kdc/do_as_req.c' and 'kdc/do_tgs_req.c'.

The vendor credits Daniel Wachdorf with reporting these vulnerabilities.

Impact:   A remote user may be able to execute arbitrary code on the KDC host, potentially compromising an entire Kerberos realm.
Solution:   Sun has issued a fix for some of the affected platforms (Solaris 8, 9, and 10).

SPARC Platform

Solaris 8 with the Solaris Supplemental Encryption packages and with patch 112390-11 or later
Solaris 8 with patch 112237-13 or later
Solaris 9 with patch 112908-20 or later
Solaris 10 with patch 120469-01 or later

x86 Platform

Solaris 8 with the Solaris Supplemental Encryption packages and with patch 112240-10 or later
Solaris 8 with patch 112238-12 or later
Solaris 9 with patch 115168-08 or later
Solaris 10 with patch 120470-01 or later
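
The patch levels listed above can be checked against a host's installed patches. The following is an added example, not part of the Sun or SecurityTracker advisory: it parses saved `showrev -p` output, assumed here to list one patch per line starting with "Patch: <id>-<rev>", and compares it with the minimum revisions from this page. The function names, the sample text, patch 999999 and the package name are constructed for illustration.

```python
import re

# Minimum fixed revisions, copied from the SPARC and x86 lists above:
# base patch ID -> (minimum revision, platform and release)
FIXED = {
    "112390": (11, "SPARC Solaris 8 + Supplemental Encryption"),
    "112237": (13, "SPARC Solaris 8"),
    "112908": (20, "SPARC Solaris 9"),
    "120469": (1, "SPARC Solaris 10"),
    "112240": (10, "x86 Solaris 8 + Supplemental Encryption"),
    "112238": (12, "x86 Solaris 8"),
    "115168": (8, "x86 Solaris 9"),
    "120470": (1, "x86 Solaris 10"),
}

# Assumed line shape: "Patch: 112908-19 Obsoletes: ... Packages: ..."
PATCH_RE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")

def installed_revisions(showrev_output):
    """Return {base_id: highest installed revision} from `showrev -p` text."""
    best = {}
    for line in showrev_output.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            base, rev = m.group(1), int(m.group(2))
            best[base] = max(rev, best.get(base, 0))
    return best

def audit(showrev_output):
    """Map each advisory patch to (state, installed_rev, min_rev, target).

    'absent' means the patch is not installed at any revision; it may simply
    belong to another platform or release than the host being checked.
    """
    have = installed_revisions(showrev_output)
    report = {}
    for base, (min_rev, target) in FIXED.items():
        rev = have.get(base)
        state = "absent" if rev is None else "fixed" if rev >= min_rev else "outdated"
        report[base] = (state, rev, min_rev, target)
    return report

# Constructed sample: a SPARC Solaris 9 host one revision behind the fix.
SAMPLE = """\
Patch: 112908-17 Obsoletes:  Requires:  Incompatibles:  Packages: PKGexample
Patch: 999999-03 Obsoletes:  Requires:  Incompatibles:  Packages: PKGexample
Patch: 112908-19 Obsoletes:  Requires:  Incompatibles:  Packages: PKGexample
"""

if __name__ == "__main__":
    for base, (state, rev, min_rev, target) in audit(SAMPLE).items():
        if state != "absent":
            print(f"{base}-{rev:02d} {state}: need -{min_rev:02d} or later ({target})")
```
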

The vendor's advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-101809-1

Vendor URL:  sunsolve.sun.com/search/document.do?assetkey=1-26-101809-1
Cause:   Boundary error
Underlying OS:   UNIX (Solaris - SunOS)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 12 2005 MIT krb5 KDC Buffer Overflow in 'do_as_req' and 'do_tgs_req' May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Date:  Wed, 13 Jul 2005 03:32:44 -0400
Subject:  http://sunsolve.sun.com/search/document.do?assetkey=1-26-101809-1



    * Sun Alert ID: 101809
    * Synopsis: Security Vulnerabilities in the Kerberos Key Distribution Center (KDC) Daemon
    * Category: Security
    * Product: Solaris 9 Operating System, Solaris 10 Operating System, Sun Enterprise Authentication Mechanism Software, Solaris 7 Operating System, Solaris 8 Operating System
    * BugIDs: 6261685
    * Avoidance: Workaround
    * State: Workaround
    * Date Released: 12-Jul-2005
    * Date Closed:
    * Date Modified:
 
 



Copyright 2012, SecurityGlobal.net LLC