[UNIX] Kerberos Multiple Local Privilege Escalation Vulnerabilities

Subject: [UNIX] Kerberos Multiple Local Privilege Escalation Vulnerabilities
Date: 9 Aug 2006 14:02:51 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Kerberos Multiple Local Privilege Escalation Vulnerabilities
------------------------------------------------------------------------


SUMMARY

In certain application programs packaged in the MIT Kerberos 5 source 
distribution, calls to setuid() and seteuid() are not always checked for 
success. A local user could exploit one of these vulnerabilities to 
escalate privileges. No exploit code is known to exist at this time. 
It is believed that the primary risk is to Linux systems, due to the 
behavior of their implementation of the setuid() and seteuid() system 
calls.

DETAILS

Vulnerable Systems:
* The below-listed programs are vulnerable in all releases of MIT krb5, 
up to and including krb5-1.5. The krb5-1.5.1 and krb5-1.4.4 releases will 
contain fixes for these problems.

Impact:
Actual impact depends on implementation details within a specific 
operating system. Vulnerabilities result when the OS implementations of 
setuid() or seteuid() can fail due to resource exhaustion when changing to 
an unprivileged user ID. We believe that only unchecked calls to setuid(), 
and not calls to seteuid(), are vulnerable on Linux.

On AIX, Kerberos applications provided by IBM are not vulnerable. If, in 
place of or in addition to IBM-provided Kerberos applications, MIT krb5 
code is installed on an AIX system, the affected MIT krb5 applications are 
vulnerable to the setuid() issues listed in CVE-2006-3083. We believe that 
no other operating systems are affected.

[CVE-2006-3083, VU#580124] The following vulnerabilities may result from 
unchecked calls to setuid(), and are believed to only exist on Linux and 
AIX:

* Unchecked calls to setuid() in krshd may allow a local privilege 
escalation leading to execution of programs as root.

* Unchecked calls to setuid() in the v4rcp may allow a local privilege 
escalation leading to reading, writing, or creating files as root. v4rcp 
is the remote end of a krb4-authenticated rcp operation, but may be 
executed directly by an attacker, as it is a setuid program.

[CVE-2006-3084, VU#401660] The following vulnerabilities may result from 
unchecked calls to seteuid(). These vulnerabilities are not yet known to 
exist on any operating system:

* Unchecked calls to seteuid() in ftpd may allow a local privilege 
escalation leading to reading, writing, or creating files as root.

* Unchecked calls to seteuid() in the ksu program may allow a local 
privilege escalation resulting in filling a file with null bytes as root 
and then deleting it (the "kdestroy" operation).

Fixes:
* The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes for 
these vulnerabilities.

* Disable krshd and ftpd, and remove the setuid bit from the ksu binary 
and the v4rcp binary.

* For the krb5-1.5 release, apply the patch at 
http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt

A PGP-signed version of this patch is at 
http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt.asc

This patch was generated against the krb5-1.5 release, and may apply to 
earlier releases with some fuzz. The patch also updates some calls to 
other setuid-like system calls on less-common operating systems, though 
these calls are less likely to be vulnerable.

* For the krb5-1.4.3 release, apply the patch at 
http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt

A PGP-signed version of this patch is at 
http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt

This patch was generated against the krb5-1.4.3 release, and may apply to 
earlier releases with some fuzz. The patch also updates some calls to 
other setuid-like system calls on less-common operating systems, though 
these calls are less likely to be vulnerable.

CVE Information:
CVE-2006-3083: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083
CVE-2006-3084: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084

CERT Information:
VU#580124: http://www.kb.cert.org/vuls/id/580124
VU#401660: http://www.kb.cert.org/vuls/id/401660

Acknowledgements:
Thanks to Michael Calmer and Marcus Meissner at SUSE for reporting this 
problem.

Thanks to Shiva Persaud at IBM for information on AIX.

Details:
Typically, setuid(), seteuid(), and similar system calls cannot fail 
except in cases of inadequate privilege or system misconfiguration. Unlike 
other operating systems, Linux and AIX system calls which change the real 
user ID can fail if the change would cause the target user ID to exceed 
its quota of allowed processes. A local attacker may be able to exhaust a 
process quota in a way which artificially creates such a failure 
condition. This may result in privilege escalation when a program making 
an unchecked call to one of these system calls expects to continue 
execution with reduced privilege following the affected call, but instead 
continues to run as a privileged user.

Specific places where various system calls are not checked include:

appl/bsd/krcp.c: setreuid (uncompiled code), setuid (irrelevant because 
not installed setuid)
appl/bsd/krshd.c: setuid
appl/bsd/krsh.c: setuid (irrelevant because not installed setuid)
appl/bsd/v4rcp.c: setuid
appl/gssftp/ftpd/ftpd.c: seteuid
client/ksu/main.c: seteuid
lib/krb4/kuserok.c: seteuid (but likely irrelevant)
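The following C example is added here to illustrate the bug class the advisory describes and the fix it prescribes; it is not code from the MIT krb5 tree. The unchecked function mirrors the defective pattern (the result of setuid() is discarded, so a failure leaves the process running with its original IDs), and the checked function shows the defensive form: test the return value, then verify the real and effective IDs actually changed. The function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Defective pattern from the advisory: the return value of setuid() is
 * ignored. On Linux the call can fail when the target user has reached
 * its process quota, and execution then continues with the old IDs.
 * Shown for illustration only; always "succeeds" from the caller's view. */
static int drop_privileges_unchecked(uid_t target)
{
    setuid(target);   /* result discarded: this is the bug */
    return 0;         /* caller wrongly assumes the drop succeeded */
}

/* Hardened form: check setuid() and then verify the credentials, so a
 * failed drop can never be mistaken for a successful one. */
static int drop_privileges_checked(uid_t target)
{
    if (setuid(target) != 0) {
        fprintf(stderr, "setuid(%lu) failed: %s\n",
                (unsigned long)target, strerror(errno));
        return -1;
    }
    /* Confirm that both the real and effective IDs really changed. */
    if (getuid() != target || geteuid() != target)
        return -1;
    /* If we dropped from root, regaining root must now be impossible. */
    if (target != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Stand-alone demonstration: drop to the current real UID, which is
 * always permitted, and report the outcome. */
int main(void)
{
    uid_t me = getuid();
    int rc = drop_privileges_checked(me);
    printf("drop to uid %lu: %s\n", (unsigned long)me,
           rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

Run it as an unprivileged user and compare the two functions against a UID you cannot switch to: the unchecked one reports success while getuid() is unchanged, which is exactly the condition the advisory warns about.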


ADDITIONAL INFORMATION

The information has been provided by Tom Yu.
The original article can be found at: 
http://web.mit.edu/kerberos/advisories/index.html


