COMMAND
kerberos
SYSTEMS AFFECTED
MIT Kerberos 5, all releases.
PROBLEM
Buffer overflows exist in the FTP daemon included with MIT krb5.
* If anonymous FTP is enabled, a remote user may gain unauthorized
root access.
* A user with access to a local account may gain unauthorized root
access.
* A remote user who can successfully authenticate to the FTP
daemon may obtain unauthorized root access, regardless of
whether anonymous FTP is enabled or whether access is granted to
a local account. This vulnerability is believed to be somewhat
difficult to exploit.
Thanks to Matt Crawford for providing some insight into the
specific ways in which krb5 ftpd is vulnerable.
The remote vulnerability exploitable via anonymous FTP or local
account access results from a buffer overflow in code that calls
ftpglob(), a function responsible for expanding glob characters in
pathnames. Recent versions of ftpd (krb5-1.2 or later) should not
contain buffer overflows in the ftpglob() function itself.
Remote users able to authenticate to the FTP daemon may be able to
exploit a lack of bounds-checking in calling radix_encode().
Login access is not required; the ability to force arbitrary data
to be base64-encoded by radix_encode() is sufficient.
This vulnerability is believed to be somewhat difficult to exploit
(but by no means impossible) due to the need for an attacker to
inject data that will base64-encode to the desired machine code
and target address.
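The following C program is an added illustration of the defensive check that the radix_encode() problem above calls for; it is not code from MIT krb5 or from this advisory, and its function names (b64_encode_checked, encode_reply) and the REPLY_PAYLOAD_MAX sizing are constructed for the example. The point it shows is the arithmetic a caller must apply before encoding into a fixed-size buffer: base64 output occupies 4 * ceil(n / 3) bytes plus a terminator, so the destination capacity has to be compared against that figure and the call refused when it does not fit.

```c
/* Added illustration, not code from MIT krb5 or from this advisory.
 * The advisory says authenticated users can exploit a lack of bounds
 * checking around radix_encode(), ftpd's base64 encoder.  The encoder
 * below is a constructed stand-in that shows the check a caller needs:
 * base64 output is 4 * ceil(n / 3) + 1 bytes (with NUL), so any
 * fixed-size destination must be compared against that before writing. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes the encoder writes for inlen input bytes, NUL terminator included. */
size_t b64_encoded_size(size_t inlen)
{
    return 4 * ((inlen + 2) / 3) + 1;
}

/* Bounds-checked encoder.  Returns 0 on success, -1 if outcap is too
 * small; on failure nothing is written, so a rejected call cannot
 * clobber whatever follows the destination buffer. */
int b64_encode_checked(const unsigned char *in, size_t inlen,
                       char *out, size_t outcap)
{
    size_t i, o = 0;

    if (in == NULL || out == NULL || outcap < b64_encoded_size(inlen))
        return -1;

    for (i = 0; i + 2 < inlen; i += 3) {
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    if (inlen - i == 1) {            /* one trailing byte: xx== */
        unsigned v = (unsigned)in[i] << 16;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    } else if (inlen - i == 2) {     /* two trailing bytes: xxx= */
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8);
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = '=';
    }
    out[o] = '\0';
    return 0;
}

/* Daemon-style caller (constructed): a fixed reply line sized for at most
 * REPLY_PAYLOAD_MAX raw bytes once encoded.  Returns the encoded text or
 * NULL when the payload would not fit. */
#define REPLY_PAYLOAD_MAX 48
static char reply_line[4 * ((REPLY_PAYLOAD_MAX + 2) / 3) + 1];

const char *encode_reply(const unsigned char *payload, size_t n)
{
    if (b64_encode_checked(payload, n, reply_line, sizeof reply_line) != 0)
        return NULL;
    return reply_line;
}

/* Constructed oversized payload; contents are irrelevant, the size is the point. */
const unsigned char big_sample[100] = {0};

int main(void)
{
    const char *ok = encode_reply((const unsigned char *)"Man", 3);
    printf("3 bytes -> %s\n", ok ? ok : "(rejected)");
    printf("100 bytes into a %zu-byte line -> %s\n", sizeof reply_line,
           encode_reply(big_sample, sizeof big_sample) ? "encoded" : "rejected");
    return 0;
}
```

The capacity check is done once, up front, against the exact encoded size rather than the raw input length; an encoder that only compares the input length against the buffer size still overflows, because the output is a third larger than the input.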
SOLUTION
The recommended approach is to apply the patches and to rebuild
your ftpd.
If you cannot patch your ftpd currently, workarounds include
disabling anonymous FTP access, if you have it enabled; this will
limit the most likely exploitation to users with local account
access or who can successfully authenticate to the daemon.
These patches are against the krb5-1.2.2 release, but they may also
apply against earlier releases. The patches can be found at:
http://web.mit.edu/kerberos/www/advisories/ftpbuf_122_patch.txt
For RedHat:
ftp://updates.redhat.com/6.2/en/os/SRPMS/krb5-1.1.1-27.src.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/krb5-configs-1.1.1-27.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/krb5-devel-1.1.1-27.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/krb5-libs-1.1.1-27.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/krb5-server-1.1.1-27.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/krb5-workstation-1.1.1-27.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-configs-1.1.1-27.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-devel-1.1.1-27.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-libs-1.1.1-27.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-server-1.1.1-27.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/krb5-workstation-1.1.1-27.i386.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/krb5-configs-1.1.1-27.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/krb5-devel-1.1.1-27.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/krb5-libs-1.1.1-27.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/krb5-server-1.1.1-27.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/krb5-workstation-1.1.1-27.sparc.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/krb5-1.2.2-5.src.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/krb5-devel-1.2.2-5.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/krb5-libs-1.2.2-5.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/krb5-server-1.2.2-5.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/krb5-workstation-1.2.2-5.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-devel-1.2.2-5.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-libs-1.2.2-5.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-server-1.2.2-5.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/krb5-workstation-1.2.2-5.i386.rpm
ftp://updates.redhat.com/7.1/en/os/SRPMS/krb5-1.2.2-5.src.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-devel-1.2.2-5.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-libs-1.2.2-5.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-server-1.2.2-5.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/krb5-workstation-1.2.2-5.i386.rpm