-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:40.kadmind Security Advisory The FreeBSD Project Topic: Buffer overflow in kadmind daemon Category: core, ports Module: crypto_heimdal, crypto_kerberosIV, heimdal, krb5 Announced: 2002-11-12 Credits: Johan Danielsson , Sam Hartman , Love Hoernquist-Astrand , Tom Yu Affects: All releases prior to and including FreeBSD 4.7-RELEASE. Corrected: 2002-10-23 13:07:44 UTC (RELENG_4) 2002-10-23 13:21:32 UTC (RELENG_4_7) 2002-10-23 13:21:02 UTC (RELENG_4_6) 2002-10-23 13:20:19 UTC (RELENG_4_5) 2002-10-23 13:19:46 UTC (RELENG_4_4) 2002-10-24 02:52:00 UTC (RELENG_3) 2002-10-23 22:30:39 UTC (krb5 port, krb5-1.2.6_1) 2002-10-24 15:01:11 UTC (heimdal port, heimdal-0.5.1) FreeBSD only: NO I. Background The Kerberos 4 administrative server, kadmind, runs on the Kerberos Key Distribution Center (KDC) and provides administrative access to the Kerberos database. It is part of the KTH Kerberos 4 implementation. The Kerberos 5 administrative server, k5admind, provides the same function in the Heimdal Kerberos 5 implementation, and includes a Kerberos 4 compatibility feature. The k5admind server is installed as part of the `krb5' distribution, or when building from source with MAKE_KERBEROS5 set. The kadmind server is installed as part of the `krb4' distribution, or when building from source with MAKE_KERBEROS4 set. Neither is installed by default. The Heimdal Kerberos 5 administrative server is also available as part of the heimdal port (ports/security/heimdal). The MIT Kerberos 5 implementation also includes a Kerberos 5 administrative server (ports/security/krb5). The MIT Kerberos 5 administrative server is named `kadmind'. II. Problem Description A stack buffer overflow is present in the Kerberos 4 administrative server, kadmind, and in the Kerberos 4 compatibility layer of the Kerberos 5 administrative server, k5admind. III. Impact A remote attacker may send a specially formatted request to k5admind or kadmind, triggering the stack buffer overflow and potentially causing the administrative server to execute arbitrary code as root on the KDC. The attacker need not be authenticated in order to trigger the bug. Compromise of the KDC has an especially large impact, as theft of the Kerberos database could allow an attacker to impersonate any Kerberos principal in the realm(s) present in the database. IMPORTANT NOTE: According to the MIT security team, there is evidence that this bug is being actively exploited. IV. Workaround Perform one of the following: 1) Disable kadmind and/or k5admind by performing the following: Set kadmind_server_enable (for kadmind) and kadmind5_server_enable (for k5admind) to "NO" in /etc/rc.conf. Check /etc/inetd.conf to verify that kadmind and k5admind are not being started from inetd. Check that kadmind is not running as a service by executing the following command: # ps axlwww | egrep 'kadmind|k5admind' If kadmind or k5admind are running, kill them by executing the following command as root: # kill 2) Deinstall the heimdal or krb5 port/packages if installed. V. Solution Do one of the following: 1) Upgrade your vulnerable system to 4.7-STABLE; or to the RELENG_4_7, RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the correction date. 2) To patch your present system: The following patch has been verified to apply to FreeBSD 4.4, FreeBSD 4.5, FreeBSD 4.6, and FreeBSD 4.7 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:40/kadmin.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:40/kadmin.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/kerberos5/libexec/k5admind # make depend && make all install # cd /usr/src/kerberosIV/usr.sbin/kadmind # make depend && make all install If you have the `heimdal' or `krb5' port/package installed, then do one of the following: 1) Upgrade your entire ports collection and rebuild the port. 2) Download a new port skeleton for the heimdal or krb5 port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 3) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- src/crypto/heimdal/kadmin/version4.c RELENG_4 1.1.1.1.2.4 RELENG_4_7 1.1.1.1.2.3.2.1 RELENG_4_6 1.1.1.1.2.1.8.1 RELENG_4_5 1.1.1.1.2.1.6.1 RELENG_4_4 1.1.1.1.2.1.4.1 src/crypto/kerberosIV/kadmin/kadm_ser_wrap.c RELENG_4 1.1.1.3.2.1 RELENG_4_7 1.1.1.3.12.1 RELENG_4_6 1.1.1.3.10.1 RELENG_4_5 1.1.1.3.8.1 RELENG_4_4 1.1.1.3.6.1 src/kerberosIV/include/version.h RELENG_4 1.3.2.1 RELENG_4_7 1.3.12.1 RELENG_4_6 1.3.10.1 RELENG_4_5 1.3.8.1 RELENG_4_4 1.3.6.1 src/kerberos5/include/version.h RELENG_4 1.2.2.6 RELENG_4_7 1.2.2.5.2.1 RELENG_4_6 1.2.2.3.2.1 RELENG_4_5 1.2.2.2.4.1 RELENG_4_4 1.2.2.2.2.1 - ------------------------------------------------------------------------- For Heimdal Kerberos 5 and MIT Kerberos 5 found in the FreeBSD Ports Collection, the first corrected versions are: ports/security/heimdal heimdal-0.5.1 ports/security/krb5 krb5-1.2.6_1 VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iQCVAwUBPdFHs1UuHi5z0oilAQFH2wP/X8LODwBJpU07idHIJoxoaSeVnISEKz1o 580Koss/zgt/vcItvqssdGDBaBMa0XFz4JQaUOX4WYEACuguR+1wAxmiMseqyzyK EHXPO5Igqb3V+5J2SBl3Skwx3Z5QEDlBQXRpVBPYl6HBPTV2QBjjBY9L0B/6hPao 74KIgvrEix0= =oVsJ -----END PGP SIGNATURE-----