First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 113741
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Fredrik Tolf <fredrik@dolda2000.com>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
kerb-fcc-deref.patch.1 Fix for the bug patch Fredrik Tolf 2005-12-02 17:53 0000 448 bytes Details | Diff
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 113741 depends on: Show dependency tree
Show dependency graph
Bug 113741 blocks:

Additional Comments: (this is where you put emerge --info)







View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2005-11-27 13:28 0000 
In the latest Gentoo release of mit-krb5, ksu doesn't clean up its created
credentials cache upon exit, leaving them in /tmp indefinitely (until tmpwatch
runs). When I ran strace on a running ksu process, this is what happens:

# cat -A strace/ksu 
waitpid(22104, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WSTOPPED) = 22104$
--- SIGCHLD (Child exited) @ 0 (0) ---$
setresuid32(-1, 0, -1)                  = 0$
setresuid32(-1, 0, -1)                  = 0$
stat64("M- ^C^B^A^I^A", 0xbfe761bc)            = -1 ENOENT (No such file or
directory)$
exit_group(0)                           = ?$

I used cat -A to make sure that the control characters in the stat call are
showing. That's an obvious sign of memory corruption, if you ask me. Since ksu
is a SUID root program and it corrupts memory, I'm kind of worried that this
might turn out to be an exploitable bug.

It seems that this problem is limited to Gentoo, since I haven't ever seen it
happen on other distros (including Fedora Core 4 and Ubuntu 5.10). It also
happens on all my Gentoo machines (I have three of them running the latest
mit-krb5 release so far), so it's not just a isolated event.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-11-27 13:52:28 0000 ------- 
Auditors, please confirm...

------- Comment #2 From Fredrik Tolf 2005-12-02 17:47:53 0000 ------- 
I took the time to debug this, and I found that this was indeed a bug, and that
it was also linked to another bug I had.

The bug was in src/lib/krb5/ccache/cc_file.c, in the dereference() function,
where there is a line like this:
    for (fccsp = &fccs; *fccsp == NULL; fccsp = &(*fccsp)->next)

Obviously, the loop condition shouldn't be "*fccsp == NULL", but "*fccsp !=
NULL". This leads to that the library frees the wrong ccache occasionally
(recurringly in ksu). Therefore, it is a matter of premature freeing of memory,
which may or may not be exploitible.

In any case, the bug is fixed in Kerberos 1.4.3, which, however, hasn't been
released in Gentoo.

If there are no plans to release 1.4.3 in Gentoo anytime soon, I think this bug
should at least be patched, since it not only is a potential security problem,
but also causes a number of other problems:
 * When using ksu, more and more ccache files will gather in /tmp.
 * When using ksu, the source ccache file isn't closed and might remain read
locked, which will cause processes that want to write lock the ccache to sleep
until ksu exits.
 * Might cause programs to segfault. I find it quite strange that lots of
programs haven't already segfaulted left and right, considering that this bug is
freeing the wrong memory. I guess most only keep one ccache file open at a time.

------- Comment #3 From Fredrik Tolf 2005-12-02 17:52:06 0000 ------- 
I also realize now that since the source ccache file isn't being closed, it can
lead to the following situation:

User A ksus to user B. User A doesn't fully trust user B, so he runs kdestroy to
make sure that user B can't get hold of his TGT. However, unknowingly to user A,
ksu never closed the source ccache fd, which means that his shell, running as
user B, inherited that fd. User B can now ptrace the shell process and make it
read user A's TGT. User B can now impersonate user A.

This might not be a very common situation, but it isn't exactly impossible either.

------- Comment #4 From Fredrik Tolf 2005-12-02 17:53:59 0000 ------- 
Created an attachment (id=73966) [edit]
Fix for the bug

This patch fixes the bug. Apply with -p1 in the src directory.

------- Comment #5 From rob holland (RETIRED) 2005-12-18 13:05:59 0000 ------- 
fix is good, can't comment on exploitability, my knowledge of the usage isn't
good enough.

------- Comment #6 From Sune Kloppenborg Jeppesen 2006-01-02 13:16:46 0000 ------- 
kerberos please advise.

------- Comment #7 From Seemant Kulleen (RETIRED) 2006-01-31 10:26:46 0000 ------- 
I'd prefer that upstream advised on this issue. Frederick, have you notified
upstream of this? If not, I'll be contacting them this afternoon.

------- Comment #8 From Fredrik Tolf 2006-01-31 11:55:41 0000 ------- 
Upstream has already fixed this bug in later releases of Kerberos. It's just
that while MIT has released Kerberos 1.4.3, Gentoo still only ships 1.4.1.
Thus, it is safe to say that upstream is aware of and has acknowledged this as
a bug.

------- Comment #9 From Seemant Kulleen (RETIRED) 2006-02-16 08:35:21 0000 ------- 
1.4.3 in portage, marked as ~  when that goes stable, I'll put in a version for
~ which should fix some of the other bugs people are seeing. For the purposes
of security, the 1.4.3 ebuild now in should do.

------- Comment #10 From Tavis Ormandy (RETIRED) 2006-02-16 08:43:14 0000 ------- 
seemant has committed app-crypt/mit-krb5-1.4.3 to address this issue, moving in
to vulnerabilities for arch stabilisation.

------- Comment #11 From Thierry Carrez (RETIRED) 2006-02-16 10:33:23 0000 ------- 
Calling arches

------- Comment #12 From Gustavo Zacarias (RETIRED) 2006-02-16 12:18:50 0000 ------- 
sparc stable.

------- Comment #13 From Markus Rothe 2006-02-16 12:40:28 0000 ------- 
ppc64 stable

------- Comment #14 From René Nussbaumer 2006-02-16 13:30:20 0000 ------- 
Stable on hppa

------- Comment #15 From Joe Jezak 2006-02-17 09:21:31 0000 ------- 
Marked ppc stable.

------- Comment #16 From Joshua Jackson 2006-02-17 19:24:26 0000 ------- 
x86 stable

------- Comment #17 From Bryan Østergaard (RETIRED) 2006-02-18 04:23:44 0000 ------- 
Stable on alpha + ia64.

------- Comment #18 From Joshua Kinard 2006-02-19 19:06:03 0000 ------- 
mips stable.

------- Comment #19 From Simon Stelling (RETIRED) 2006-02-22 12:43:23 0000 ------- 
amd64 finally stable, sorry for the delay

------- Comment #20 From Thierry Carrez (RETIRED) 2006-02-22 13:17:27 0000 ------- 
Ready for GLSA vote

------- Comment #21 From Stefan Cornelius (RETIRED) 2006-02-23 12:02:38 0000 ------- 
Mhhhh, suid root and memory corruption ... i think it's better to have one, so
a weak yes.

------- Comment #22 From Thierry Carrez (RETIRED) 2006-02-23 12:04:03 0000 ------- 
If it was sufficiently exploitable upstream would have had an advisory. I vote
no.

------- Comment #23 From Tavis Ormandy (RETIRED) 2006-03-05 11:31:58 0000 ------- 
It's been fixed and we dont have any evidence that it is exploitable, so I
would say no need to issue a glsa, weak NO.

------- Comment #24 From Fredrik Tolf 2006-03-05 12:15:55 0000 ------- 
#23, it is definitely exploitable, as I showed in #3 (I tried it myself).
That's a rather weak exploit, admittedly, but an exploit nonetheless.

------- Comment #25 From Thierry Carrez (RETIRED) 2006-03-06 09:38:44 0000 ------- 
Closing, feel free to reopen if you indended to vote yes.
First Last Prev Next    No search results available      Search page      Enter new bug