MIT Kerberos 5 KAdminD Service SVCAuth_GSS_Validate Remote Stack Overflow Vulnerability

Vulnerability Details


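Vulnerability Summary

Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT). It uses a client/server architecture in which the client and the server can each authenticate the other (mutual authentication), and it protects against eavesdropping and replay attacks. MIT Kerberos 5 is also known as krb5.

The Kerberos RPC library has a buffer overflow in its handling of RPCSEC_GSS authentication; a remote attacker may be able to exploit it to take control of the server.

The MIT krb5 Kerberos administration daemon (kadmind), in its implementation of RPCSEC_GSS authentication, copies untrusted data into a stack buffer without an adequate length check. The svcauth_gss_validate() function in src/lib/rpc/svc_auth_gss.c authenticates incoming RPC messages. A memcpy() in that function copies bytes into rpchdr, a 128-byte stack buffer, and the number of bytes copied is taken from the RPC header, so it is attacker-controlled. The xdr_callmsg() call, which supplies the decoded rpc_msg structure used by svcauth_gss_validate(), ensures that the supplied length does not exceed MAX_AUTH_BYTES (400 bytes), but the destination buffer is smaller than that and can therefore be overflowed.

The vulnerable code runs before authentication of the RPC message is complete, so the overflow can be triggered without authentication and can lead to arbitrary code execution. Note that this is a vulnerability in the RPC library used by krb5, not in the Kerberos protocol itself.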
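The size mismatch described above (a length bounded at 400 bytes feeding a copy into the 128-byte rpchdr) and a destination-based check that closes it, as an added example: this is a simplified model written for this page, not code from MIT krb5 or its patch. The names cred_model, hdr_bytes_needed and build_rpchdr_checked and the 32-byte fixed header are assumptions of the model; only the 128 and 400 byte sizes come from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_AUTH_BYTES  400 /* bound enforced by xdr_callmsg(), per the page */
#define RPCHDR_SIZE     128 /* size of the stack buffer rpchdr, per the page */
#define FIXED_HDR_BYTES 32  /* assumption: 8 four-byte words precede the body */

/* Hypothetical stand-in for the decoded credential, not the krb5 struct. */
struct cred_model {
    const unsigned char *base; /* credential bytes taken from the wire */
    uint32_t length;           /* length field, attacker-controlled */
};

/* Bytes the rebuilt header occupies: fixed words plus body padded to 4. */
static size_t hdr_bytes_needed(uint32_t cred_len)
{
    return FIXED_HDR_BYTES + (((size_t)cred_len + 3u) & ~(size_t)3u);
}

/* Returns bytes written, or -1 if the credential is rejected. Without the
 * second test, any length in (96, 400] writes past the end of rpchdr. */
static int build_rpchdr_checked(unsigned char *rpchdr, size_t rpchdr_size,
                                const struct cred_model *cred)
{
    size_t need = hdr_bytes_needed(cred->length);

    if (cred->length > MAX_AUTH_BYTES)
        return -1;              /* re-assert the decoder's bound locally */
    if (need > rpchdr_size)
        return -1;              /* bound the copy by the destination size */
    memset(rpchdr, 0, need);    /* placeholder header words and padding */
    memcpy(rpchdr + FIXED_HDR_BYTES, cred->base, cred->length);
    return (int)need;
}

int main(void)
{
    unsigned char rpchdr[RPCHDR_SIZE];
    unsigned char body[MAX_AUTH_BYTES]; /* constructed sample credential */
    struct cred_model cred = { body, 64 };

    memset(body, 0x41, sizeof body);
    printf("64 bytes  -> %d\n", build_rpchdr_checked(rpchdr, sizeof rpchdr, &cred));
    cred.length = MAX_AUTH_BYTES; /* passes the 400-byte bound, needs 432 */
    printf("400 bytes -> %d\n", build_rpchdr_checked(rpchdr, sizeof rpchdr, &cred));
    return 0;
}
```

The point of the model is that an upstream bound (400) is not a substitute for a check against the actual destination size (128) at the copy site.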

Vulnerability Advisory

Debian has released a security advisory (DSA-1367-2) and corresponding patches for this issue:

DSA-1367-2: New krb5 packages fix arbitrary code execution

Link:

http://www.debian.org/security/2007/dsa-1367


References

Source: US-CERT; Name: TA07-319A; Link: http://www.us-cert.gov/cas/techalerts/TA07-319A.html
Source: US-CERT; Name: VU#883632; Link: http://www.kb.cert.org/vuls/id/883632
Source: FEDORA; Name: FEDORA-2007-2017; Link: https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00087.html
Source: MISC; Link: https://bugzilla.redhat.com/show_bug.cgi?id=250973
Source: MISC; Link: http://www.zerodayinitiative.com/advisories/ZDI-07-052.html
Source: UBUNTU; Name: USN-511-1; Link: http://www.ubuntu.com/usn/usn-511-1
Source: TRUSTIX; Name: 2007-0026; Link: http://www.trustix.org/errata/2007/0026/
Source: SECTRACK; Name: 1018647; Link: http://www.securitytracker.com/id?1018647
Source: BID; Name: 26444; Link: http://www.securityfocus.com/bid/26444
Source: BID; Name: 25534; Link: http://www.securityfocus.com/bid/25534
Source: BUGTRAQ; Name: 20070912 ZDI-07-052: Multiple Kerberos Implementations Authentication Context Stack Overflow Vulnerability; Link: http://www.securityfocus.com/archive/1/archive/1/479251/100/0/threaded
Source: BUGTRAQ; Name: 20070906 rPSA-2007-0179-1 krb5 krb5-server krb5-services krb5-test krb5-workstation; Link: http://www.securityfocus.com/archive/1/archive/1/478748/100/0/threaded
Source: REDHAT; Name: RHSA-2007:0951; Link: http://www.redhat.com/support/errata/RHSA-2007-0951.html
Source: REDHAT; Name: RHSA-2007:0913; Link: http://www.redhat.com/support/errata/RHSA-2007-0913.html
Source: REDHAT; Name: RHSA-2007:0858; Link: http://www.redhat.com/support/errata/RHSA-2007-0858.html
Source: SUSE; Name: SUSE-SR:2007:024; Link: http://www.novell.com/linux/security/advisories/2007_24_sr.html
Source: SUSE; Name: SUSE-SR:2007:019; Link: http://www.novell.com/linux/security/advisories/2007_19_sr.html
Source: MANDRIVA; Name: MDKSA-2007:181; Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:181
Source: MANDRIVA; Name: MDKSA-2007:174; Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:174
Source: GENTOO; Name: GLSA-200709-01; Link: http://www.gentoo.org/security/en/glsa/glsa-200709-01.xml
Source: VUPEN; Name: ADV-2007-3868; Link: http://www.frsirt.com/english/advisories/2007/3868
Source: VUPEN; Name: ADV-2007-3060; Link: http://www.frsirt.com/english/advisories/2007/3060
Source: VUPEN; Name: ADV-2007-3052; Link: http://www.frsirt.com/english/advisories/2007/3052
Source: VUPEN; Name: ADV-2007-3051; Link: http://www.frsirt.com/english/advisories/2007/3051
Source: DEBIAN; Name: DSA-1368; Link: http://www.debian.org/security/2007/dsa-1368
Source: DEBIAN; Name: DSA-1367; Link: http://www.debian.org/security/2007/dsa-1367
Source: web.mit.edu; Link: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt
Source: support.avaya.com; Link: http://support.avaya.com/elmodocs2/security/ASA-2007-396.htm
Source: SUNALERT; Name: 103060; Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103060-1
Source: GENTOO; Name: GLSA-200710-01; Link: http://security.gentoo.org/glsa/glsa-200710-01.xml
Source: SECUNIA; Name: 27081; Link: http://secunia.com/advisories/27081
Source: SECUNIA; Name: 27043; Link: http://secunia.com/advisories/27043
Source: SECUNIA; Name: 26987; Link: http://secunia.com/advisories/26987
Source: SECUNIA; Name: 26896; Link: http://secunia.com/advisories/26896
Source: SECUNIA; Name: 26822; Link: http://secunia.com/advisories/26822
Source: SECUNIA; Name: 26792; Link: http://secunia.com/advisories/26792
Source: SECUNIA; Name: 26783; Link: http://secunia.com/advisories/26783
Source: SECUNIA; Name: 26728; Link: http://secunia.com/advisories/26728
Source: SECUNIA; Name: 26713; Link: http://secunia.com/advisories/26713
Source: SECUNIA; Name: 26705; Link: http://secunia.com/advisories/26705
Source: SECUNIA; Name: 26700; Link: http://secunia.com/advisories/26700
Source: SECUNIA; Name: 26699; Link: http://secunia.com/advisories/26699
Source: SECUNIA; Name: 26697; Link: http://secunia.com/advisories/26697
Source: SECUNIA; Name: 26691; Link: http://secunia.com/advisories/26691
Source: SECUNIA; Name: 26684; Link: http://secunia.com/advisories/26684
Source: SECUNIA; Name: 26680; Link: http://secunia.com/advisories/26680
Source: SECUNIA; Name: 26676; Link: http://secunia.com/advisories/26676
Source: MLIST; Name: [security-announce] 20070906 rPSA-2007-0179-2 k
