SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Security)  >   Kerberos Vendors:   MIT
Kerberos telnetd Grants Access to Remote Users
SecurityTracker Alert ID:  1017848
SecurityTracker URL:  http://securitytracker.com/id/1017848
CVE Reference:   CVE-2007-0956   (Links to External Site)
Date:  Apr 3 2007
Impact:   Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): krb5 prior to krb5-1.6.1
Description:   A vulnerability was reported in Kerberos in the telnet daemon. A remote user can bypass authentication and gain access to the target system.

A remote user can invoke telnet and set a specially crafted username that begins with '-e' to gain remote access to the specified username account on the target system.
Impact:   A remote user can gain access to the target system.
Solution:   The vendor has issued a patch, available at:

http://web.mit.edu/kerberos/advisories/2007-001-patch.txt

The pending krb5-1.6.1 release will include the fix.

The MIT advisory is available at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt (Links to External Site)
Cause:   Authentication error, State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 3 2007 (Red Hat Issues Fix) Kerberos telnetd Grants Access to Remote Users   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, 4, and 5.
Apr 3 2007 (IBM Issues Fix for AIX) Kerberos telnetd Grants Access to Remote Users
IBM has issued a fix for Network Authentication Service on IBM AIX 5.2 and 5.3.
Apr 4 2007 (Sun Describes Workaround) Kerberos telnetd Grants Access to Remote Users
Sun has described a workaround for the SEAM telnet daemon.


 Source Message Contents
Date:  Tue, 3 Apr 2007 14:38:18 -0400
Subject:  Kerberos


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MIT krb5 Security Advisory 2007-001

Original release: 2007-04-03
Last update: 2007-04-03

Topic: telnetd allows login as arbitrary user

Severity: CRITICAL

CVE: CVE-2007-0956
CERT: VU#220816

SUMMARY
=======

The MIT krb5 telnet daemon (telnetd) allows unauthorized login as an
arbitrary user, when presented with a specially crafted username.
Exploitation of this vulnerability is trivial.

This is a vulnerability in an application program; it is not a bug in
the MIT krb5 libraries or in the Kerberos protocol.

IMPACT
======

A user can gain unauthorized access to any account (including root) on
a host running telnetd.  Whether the attacker needs to authenticate
depends on the configuration of telnetd on that host.

AFFECTED SOFTWARE
=================

* telnetd in all releases of MIT krb5, up to and including krb5-1.6

FIXES
=====

* The upcoming krb5-1.6.1 release will contain a fix for this
  vulnerability.

Prior to that release you may:

* disable telnetd

or

* apply the patch

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2007-001-patch.txt.asc

*** src/appl/telnet/telnetd/state.c	(revision 19480)
- --- src/appl/telnet/telnetd/state.c	(local)
***************
*** 1665,1671 ****
  	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
  	    strcmp(varp, "NLSPATH") && /* locale stuff */
  	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! 	    strcmp(varp, "IFS")) {
  		return 1;
  	} else {
  		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
- --- 1665,1672 ----
  	    strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
  	    strcmp(varp, "NLSPATH") && /* locale stuff */
  	    strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
! 	    strcmp(varp, "IFS") &&
! 	    !strchr(varp, '-')) {
  		return 1;
  	} else {
  		syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
*** src/appl/telnet/telnetd/sys_term.c	(revision 19480)
- --- src/appl/telnet/telnetd/sys_term.c	(local)
***************
*** 1287,1292 ****
- --- 1287,1302 ----
  #endif
  #if	defined (AUTHENTICATION)
  	if (auth_level >= 0 && autologin == AUTH_VALID) {
+ 		if (name[0] == '-') {
+ 		    /* Authenticated and authorized to log in to an
+ 		       account starting with '-'?  Even if that
+ 		       unlikely case comes to pass, the current login
+ 		       program will not parse the resulting command
+ 		       line properly.  */
+ 		    syslog(LOG_ERR, "user name cannot start with '-'");
+ 		    fatal(net, "user name cannot start with '-'");
+ 		    exit(1);
+ 		}
  # if	!defined(NO_LOGIN_F)
  #if	defined(LOGIN_CAP_F)
  		argv = addarg(argv, "-F");
***************
*** 1377,1387 ****
  	} else
  #endif
  	if (getenv("USER")) {
! 		argv = addarg(argv, getenv("USER"));
  #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
  		{
  			register char **cpp;
  			for (cpp = environ; *cpp; cpp++)
  				argv = addarg(argv, *cpp);
  		}
  #endif
- --- 1387,1405 ----
  	} else
  #endif
  	if (getenv("USER")) {
! 		char *user = getenv("USER");
! 		if (user[0] == '-') {
! 		    /* "telnet -l-x ..." */
! 		    syslog(LOG_ERR, "user name cannot start with '-'");
! 		    fatal(net, "user name cannot start with '-'");
! 		    exit(1);
! 		}
! 		argv = addarg(argv, user);
  #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
  		{
  			register char **cpp;
  			for (cpp = environ; *cpp; cpp++)
+ 			    if ((*cpp)[0] != '-')
  				argv = addarg(argv, *cpp);
  		}
  #endif

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVE: CVE-2007-0956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956

CERT: VU#220816
http://www.kb.cert.org/vuls/id/220816

ACKNOWLEDGMENTS
===============

This vulnerability was found when attempting to confirm the absence of
a related vulnerability in the Solaris telnetd.  [CVE-2007-0882]

DETAILS
=======

The MIT krb5 telnet daemon fails to adequately check the provided
username.  A malformed username beginning with "-e" can be interpreted
as a command-line flag by the login.krb5 program, which is executed by
telnetd.  This causes login.krb5 to execute part of the BSD rlogin
protocol, where an arbitrary username may be injected, allowing login
as that user without a password or any further authentication.

If the telnet daemon is configured to only permit authenticated login,
then only authenticated users can exploit this vulnerability.

REVISION HISTORY
================

2007-04-03      original release

Copyright (C) 2007 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iQCVAwUBRhKVRabDgE/zdoE9AQIzPAQAj8a7ShfHXVVMOPQhEyoN/Ydnalnfa2xE
cl7UXFSjmkexalD+rymL0upLFw7EVgnYrVazc+AUhDLt1AZmCl5Lj2+WAcl1QYPu
fEGm2SFaS4Eda6NRb6xZ4BeY8zfRWFN2G8Bb5krpGj+oEX/c3Xg8O4oUyiJBYBQi
TXhryamn6Yw=
=aE5C
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC