> -----Original Message-----
> From: Tom Yu [mailto:tlyu@xxxxxxx]
> Sent: Tuesday, January 09, 2007 10:09 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: MITKRB5-SA-2006-003: kadmind (via GSS-API lib) frees
> uninitialized pointers
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> MIT krb5 Security Advisory 2006-003
>
> Original release: 2007-01-09
> Last update: 2007-01-09
>
> Topic: kadmind (via GSS-API mechglue) frees uninitialized pointers
>
> Severity: CRITICAL
>
> CVE: CVE-2006-6144
> CERT: VU#831452
>
> SUMMARY
> =======
>
> The Kerberos administration daemon, "kadmind", can free uninitialized
> pointers, possibly leading to arbitrary code execution. This
> vulnerability results from memory management bugs in the "mechglue"
> abstraction interface of the GSS-API implementation. Third-party
> applications written using the GSS-API may also be vulnerable.
>
> Exploitation of this vulnerability is believed to be difficult. No
> exploit code is known to exist at this time.
>
> IMPACT
> ======
>
> An unauthenticated user may cause execution of arbitrary code in
> kadmind, which can compromise the Kerberos key database and host
> security. (kadmind usually runs as root.) Unsuccessful exploitation,
> or even accidental replication of the required conditions by
> non-malicious users, can result in kadmind crashing.
>
> An unauthenticated user may cause execution of arbitrary code in
> third-party applications which use the GSS-API library.
>
> AFFECTED SOFTWARE
> =================
>
> * kadmind from MIT releases krb5-1.5 through krb5-1.5.1
>
> * third-party applications calling the GSS-API library included in MIT
> releases krb5-1.5 through krb5-1.5.1
>
> * Earlier releases may not be affected because the relevant code was
> not compiled.
>
> FIXES
> =====
>
> * The upcoming krb5-1.6 release will contain a fix for this problem.
> Additionally, the upcoming krb5-1.5.2 patch release will contain
> this fix.
>
> * Apply the patch at:
>
> http://web.mit.edu/kerberos/advisories/2006-003-patch.txt
>
> A PGP-signed version of the patch is at:
>
> http://web.mit.edu/kerberos/advisories/2006-003-patch.txt.asc
>
> REFERENCES
> ==========
>
> This announcement is posted at:
>
> http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-003-mechglue.txt
>
> This announcement and related security advisories may be found on the
> MIT Kerberos security advisory page at:
>
> http://web.mit.edu/kerberos/advisories/index.html
>
> The main MIT Kerberos web page is at:
>
> http://web.mit.edu/kerberos/index.html
>
> CVE: CVE-2006-6144
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6144
>
> CERT: VU#831452
> http://www.kb.cert.org/vuls/id/831452
>
> ACKNOWLEDGMENTS
> ===============
>
> This vulnerability was found while investigating a related
> vulnerability reported by Andrew Korty of Indiana University.
>
> DETAILS
> =======
>
> The specifications for the GSS-API C bindings, including RFC 2744,
> require that all GSS-API calls which may return pointers to allocated
> memory initialize the pointers, even in error conditions. The
> implementation of the "mechglue" abstraction interface can execute
> error-handling paths which do not complete initialization of output
> parameters. As a result, callers which do not initialize return
> structures such as gss_buffer_desc may call destructor functions such
> as gss_release_buffer on values containing uninitialized pointers.
>
> In kadmind, the log_badverf() function calls gss_display_name()
> without checking its return value and without initializing the
> gss_buffer_desc structures passed to gss_display_name(). If
> gss_display_name() encounters certain error conditions, it does not
> initialize the gss_buffer_t output argument passed to it. The
> log_badverf() function then logs the returned strings, and calls
> gss_release_buffer() on these gss_buffer_desc structures. When
> RPCSEC_GSS is used, kadmind uses a NULL server name, so at least one
> of the calls to gss_display_name() will always fail in that case.
>
> The act of logging these strings will typically cause a memory access
> fault if the uninitialized pointers have values pointing into invalid
> address space, which may prevent harmful effects in
> gss_release_buffer() because the program will have crashed. It is
> inadvisable to depend on this possibility, because an attacker may be
> able to manipulate the uninitialized pointers to take on values
> pointing into valid address space.
>
> REVISION HISTORY
> ================
>
> 2007-01-09 original release
>
> Copyright (C) 2006 Massachusetts Institute of Technology
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (SunOS)
>
> iQCVAwUBRaL92KbDgE/zdoE9AQJ8DAQAiYr6UPRR5twDUVvBLjhdGriKSYPRaOoe
> re7ROX9BZ1fAAxldLH2Eela50gAAvnqYkAUyB1RH0Qi9OyEudEbeAUH7PLAR42lE
> +Tt/OGH6jF6Uju/6wTfqLUPXCoBf8l9h2lojTuHYSGWvbz8Cth5vzpJSOGIM9cu7
> YIFqXWFgoqs=
> =/Rxc
> -----END PGP SIGNATURE-----
>
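The DETAILS section describes two independent defects: a library routine that returns from an error path without writing its output parameter, and a caller (kadmind's log_badverf()) that neither initializes its gss_buffer_desc nor checks the status before calling the release function. The following C program is an added illustration, not code from the advisory or from MIT krb5: it uses constructed stand-in types and functions (sim_buffer_desc, sim_display_name_buggy, sim_display_name_fixed, sim_release_buffer) in place of the real GSS-API so it builds without libgssapi, and the principal name "admin/admin@EXAMPLE.COM" is a made-up sample. It shows the library-side fix (initialize every output before any early return) and the caller-side hardening (start from an empty buffer, check the status, then release), and demonstrates the defect observably by seeding the output with a sentinel rather than by freeing a stale pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the GSS-API buffer type; not the real gssapi.h. */
typedef struct {
    size_t length;
    void  *value;
} sim_buffer_desc, *sim_buffer_t;

/* Plays the role GSS_C_EMPTY_BUFFER plays for a real gss_buffer_desc. */
#define SIM_EMPTY_BUFFER { 0, NULL }
#define SIM_S_COMPLETE   0
#define SIM_S_BAD_NAME   1

/* Counter so a test can observe whether the release path freed anything. */
static int sim_release_freed = 0;
void sim_reset_counters(void) { sim_release_freed = 0; }
int  sim_freed_count(void)    { return sim_release_freed; }

/* Bug-compatible stand-in for the mechglue defect: on the error path the
 * routine returns before it ever writes the output buffer, so a caller's
 * uninitialized buffer keeps whatever stale bytes were already there. */
int sim_display_name_buggy(const char *name, sim_buffer_t out)
{
    if (name == NULL)
        return SIM_S_BAD_NAME;            /* 'out' untouched: the defect */
    out->length = strlen(name);
    out->value  = malloc(out->length + 1);
    if (out->value == NULL)
        return SIM_S_BAD_NAME;
    memcpy(out->value, name, out->length + 1);
    return SIM_S_COMPLETE;
}

/* Library-side fix: every output parameter is put into a safe empty state
 * before any early return, as the C bindings specification requires. */
int sim_display_name_fixed(const char *name, sim_buffer_t out)
{
    out->length = 0;
    out->value  = NULL;
    if (name == NULL)
        return SIM_S_BAD_NAME;
    out->length = strlen(name);
    out->value  = malloc(out->length + 1);
    if (out->value == NULL) {
        out->length = 0;
        return SIM_S_BAD_NAME;
    }
    memcpy(out->value, name, out->length + 1);
    return SIM_S_COMPLETE;
}

/* Stand-in for gss_release_buffer(): frees whatever non-NULL pointer it is
 * handed, which is exactly why a stale pointer in 'value' is dangerous. */
void sim_release_buffer(sim_buffer_t buf)
{
    if (buf->value != NULL) {
        free(buf->value);
        sim_release_freed++;
    }
    buf->value  = NULL;
    buf->length = 0;
}

/* Shows the defect without undefined behaviour: seed 'value' with a sentinel
 * standing in for stack garbage, take the error path (a NULL name, as kadmind
 * passes under RPCSEC_GSS), and report whether the sentinel survived. */
int buggy_leaves_output_untouched(void)
{
    static char sentinel;
    sim_buffer_desc buf = { 0xdead, &sentinel };
    int st = sim_display_name_buggy(NULL, &buf);
    return st != SIM_S_COMPLETE && buf.value == &sentinel;
}

int fixed_clears_output(void)
{
    static char sentinel;
    sim_buffer_desc buf = { 0xdead, &sentinel };
    int st = sim_display_name_fixed(NULL, &buf);
    return st != SIM_S_COMPLETE && buf.value == NULL && buf.length == 0;
}

/* Caller-side hardening of the log_badverf() pattern: initialize the buffer
 * before the call, check the status, then release. Because the buffer starts
 * empty, release is a no-op on the failure path even against the buggy library. */
int log_name_safe(const char *name)
{
    sim_buffer_desc buf = SIM_EMPTY_BUFFER;
    int st = sim_display_name_buggy(name, &buf);
    if (st == SIM_S_COMPLETE)
        printf("bad verifier from client: %.*s\n", (int)buf.length, (char *)buf.value);
    else
        printf("bad verifier from client: <unknown> (status %d)\n", st);
    sim_release_buffer(&buf);
    return st;
}

int main(void)
{
    printf("buggy routine leaves output untouched: %d\n", buggy_leaves_output_untouched());
    printf("fixed routine clears output: %d\n", fixed_clears_output());
    log_name_safe(NULL);                       /* mirrors the NULL server name case */
    log_name_safe("admin/admin@EXAMPLE.COM");  /* constructed sample principal */
    return 0;
}
```

The two fixes are independent and both are worth having: the library fix removes the defect for every caller, while the caller-side pattern (empty initializer, status check, release afterwards) protects an application against any GSS-API implementation that still has the bug, which matters for the third-party applications the advisory lists as affected.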