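Vulnerability Details
MIT Kerberos 5 KAdminD Service SVCAuth_GSS_Validate Remote Stack Overflow Vulnerability
- CNNVD ID: CNNVD-200709-043
- Severity: Critical
- CVE ID: CVE-2007-3999
- Vulnerability type: Buffer overflow
- Published: 2005-04-01
- Threat type: Remote
- Updated: 2007-09-06
- Vendor: mit
- Vulnerability source: Tenable Network Se…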
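Vulnerability Summary
Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT). It uses a client/server architecture in which the client and the server can each authenticate the other (mutual authentication), and it protects against eavesdropping and replay attacks. MIT Kerberos 5 (also known as krb5) is MIT's implementation.
The Kerberos RPC library has a buffer overflow in its handling of RPCSEC_GSS authentication, which a remote attacker may be able to use to take control of the server.
The MIT krb5 Kerberos administration daemon (kadmind) copies untrusted data into a stack buffer without an adequate length check when it performs RPCSEC_GSS authentication. The svcauth_gss_validate() function in src/lib/rpc/svc_auth_gss.c authenticates incoming RPC messages. A memcpy() in that function copies bytes into rpchdr, a 128-byte stack buffer; the number of bytes copied depends on the RPC header and is attacker-controlled. The xdr_callmsg() call, which supplies the decoded rpc_msg structure that svcauth_gss_validate() uses, ensures that the supplied length does not exceed MAX_AUTH_BYTES (400 bytes), but the destination buffer is smaller than that and can therefore be overflowed.
The vulnerable code runs before authentication of the RPC message completes, so the overflow can be triggered without authentication and can lead to arbitrary code execution. Note that this is a vulnerability in the RPC library used by krb5, not in the Kerberos protocol itself.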
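The mismatch between the decoder's 400-byte cap and the 128-byte destination can be seen in a simplified model. This is an added example, not the krb5 source: the names `model_cred`, `hdr_fits`, `build_hdr_unchecked` and `build_hdr_checked` are hypothetical, and the 32 bytes of fixed header words ahead of the credential are an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_AUTH_BYTES  400  /* cap enforced by the XDR decoder (from the advisory) */
#define RPCHDR_SIZE     128  /* size of the stack buffer rpchdr (from the advisory) */
#define FIXED_HDR_BYTES 32   /* assumption of this model: 8 fixed 4-byte words */
#define RNDUP4(n) (((n) + 3u) & ~3u)  /* XDR pads opaque data to 4 bytes */

/* Hypothetical stand-in for the decoded credential. */
struct model_cred {
    uint32_t length;             /* sender-chosen, already capped at MAX_AUTH_BYTES */
    const unsigned char *base;
};

/* Returns 1 when the fixed words plus the padded credential fit in cap bytes. */
int hdr_fits(uint32_t cred_len, size_t cap)
{
    if (cred_len > MAX_AUTH_BYTES) return 0;
    return FIXED_HDR_BYTES + RNDUP4(cred_len) <= cap;
}

/* "Before": relies on the decoder's 400-byte cap, which exceeds the buffer. */
size_t build_hdr_unchecked(unsigned char *hdr, const struct model_cred *c)
{
    memset(hdr, 0, FIXED_HDR_BYTES);
    memcpy(hdr + FIXED_HDR_BYTES, c->base, c->length);  /* may write past hdr */
    return FIXED_HDR_BYTES + RNDUP4(c->length);
}

/* "After": checks against the destination size; returns bytes used, 0 if rejected. */
size_t build_hdr_checked(unsigned char *hdr, size_t cap, const struct model_cred *c)
{
    if (!hdr_fits(c->length, cap)) return 0;
    memset(hdr, 0, cap);
    memcpy(hdr + FIXED_HDR_BYTES, c->base, c->length);
    return FIXED_HDR_BYTES + RNDUP4(c->length);
}

int main(void)
{
    unsigned char rpchdr[RPCHDR_SIZE];
    unsigned char body[MAX_AUTH_BYTES] = {0};  /* constructed sample credential */
    struct model_cred ok = { 96, body }, big = { 400, body };
    return !(build_hdr_checked(rpchdr, sizeof rpchdr, &ok) == 128 &&
             build_hdr_checked(rpchdr, sizeof rpchdr, &big) == 0);
}
```

In this model a 96-byte credential exactly fills the buffer, and any length from 97 up to the decoder's 400-byte limit is accepted by the decoder but must be rejected before the copy.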
Vulnerability Advisory
Debian has released a security advisory (DSA-1367-2) and corresponding patches for this issue:
DSA-1367-2: New krb5 packages fix arbitrary code execution
Link: http://www.debian.org/security/2007/dsa-1367
References
Source: US-CERT
Name: TA07-319A
Link: http://www.us-cert.gov/cas/techalerts/TA07-319A.html
Source: US-CERT
Name: VU#883632
Link: http://www.kb.cert.org/vuls/id/883632
Source: FEDORA
Name: FEDORA-2007-2017
Link: https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00087.html
Source: MISC
Link: https://bugzilla.redhat.com/show_bug.cgi?id=250973
Source: MISC
Link: http://www.zerodayinitiative.com/advisories/ZDI-07-052.html
Source: UBUNTU
Name: USN-511-1
Link: http://www.ubuntu.com/usn/usn-511-1
Source: TRUSTIX
Name: 2007-0026
Link: http://www.trustix.org/errata/2007/0026/
Source: SECTRACK
Name: 1018647
Link: http://www.securitytracker.com/id?1018647
Source: BID
Name: 26444
Link: http://www.securityfocus.com/bid/26444
Source: BID
Name: 25534
Link: http://www.securityfocus.com/bid/25534
Source: BUGTRAQ
Name: 20070912 ZDI-07-052: Multiple Kerberos Implementations Authentication Context Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/479251/100/0/threaded
Source: BUGTRAQ
Name: 20070906 rPSA-2007-0179-1 krb5 krb5-server krb5-services krb5-test krb5-workstation
Link: http://www.securityfocus.com/archive/1/archive/1/478748/100/0/threaded
Source: REDHAT
Name: RHSA-2007:0951
Link: http://www.redhat.com/support/errata/RHSA-2007-0951.html
Source: REDHAT
Name: RHSA-2007:0913
Link: http://www.redhat.com/support/errata/RHSA-2007-0913.html
Source: REDHAT
Name: RHSA-2007:0858
Link: http://www.redhat.com/support/errata/RHSA-2007-0858.html
Source: SUSE
Name: SUSE-SR:2007:024
Link: http://www.novell.com/linux/security/advisories/2007_24_sr.html
Source: SUSE
Name: SUSE-SR:2007:019
Link: http://www.novell.com/linux/security/advisories/2007_19_sr.html
Source: MANDRIVA
Name: MDKSA-2007:181
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:181
Source: MANDRIVA
Name: MDKSA-2007:174
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:174
Source: GENTOO
Name: GLSA-200709-01
Link: http://www.gentoo.org/security/en/glsa/glsa-200709-01.xml
Source: VUPEN
Name: ADV-2007-3868
Link: http://www.frsirt.com/english/advisories/2007/3868
Source: VUPEN
Name: ADV-2007-3060
Link: http://www.frsirt.com/english/advisories/2007/3060
Source: VUPEN
Name: ADV-2007-3052
Link: http://www.frsirt.com/english/advisories/2007/3052
Source: VUPEN
Name: ADV-2007-3051
Link: http://www.frsirt.com/english/advisories/2007/3051
Source: DEBIAN
Name: DSA-1368
Link: http://www.debian.org/security/2007/dsa-1368
Source: DEBIAN
Name: DSA-1367
Link: http://www.debian.org/security/2007/dsa-1367
Source: web.mit.edu
Link: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt
Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2007-396.htm
Source: SUNALERT
Name: 103060
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103060-1
Source: GENTOO
Name: GLSA-200710-01
Link: http://security.gentoo.org/glsa/glsa-200710-01.xml
Source: SECUNIA
Name: 27081
Link: http://secunia.com/advisories/27081
Source: SECUNIA
Name: 27043
Link: http://secunia.com/advisories/27043
Source: SECUNIA
Name: 26987
Link: http://secunia.com/advisories/26987
Source: SECUNIA
Name: 26896
Link: http://secunia.com/advisories/26896
Source: SECUNIA
Name: 26822
Link: http://secunia.com/advisories/26822
Source: SECUNIA
Name: 26792
Link: http://secunia.com/advisories/26792
Source: SECUNIA
Name: 26783
Link: http://secunia.com/advisories/26783
Source: SECUNIA
Name: 26728
Link: http://secunia.com/advisories/26728
Source: SECUNIA
Name: 26713
Link: http://secunia.com/advisories/26713
Source: SECUNIA
Name: 26705
Link: http://secunia.com/advisories/26705
Source: SECUNIA
Name: 26700
Link: http://secunia.com/advisories/26700
Source: SECUNIA
Name: 26699
Link: http://secunia.com/advisories/26699
Source: SECUNIA
Name: 26697
Link: http://secunia.com/advisories/26697
Source: SECUNIA
Name: 26691
Link: http://secunia.com/advisories/26691
Source: SECUNIA
Name: 26684
Link: http://secunia.com/advisories/26684
Source: SECUNIA
Name: 26680
Link: http://secunia.com/advisories/26680
Source: SECUNIA
Name: 26676
Link: http://secunia.com/advisories/26676
Source: MLIST
Name: [security-announce] 20070906 rPSA-2007-0179-2 k