mit-krb5 uninitialized vulnerability [Security Advisory]

Advisory: [AD_LAB-07010] mit-krb5 uninitialized vulnerability
Class: Implementation error
Date: 11/8/2007
CVE ID: CVE-2007-5894
Vulnerable: ALL
Vendor: MIT

I. Synopsis

A vulnerability has been discovered in gssftp's ftpd, included in mit-krb5.

II. DETAILS
----------

Background

gssftp's ftpd is a kerberized FTP server that can authenticate clients with Kerberos 5.

Description

There is an uninitialized-variable vulnerability in the function reply() in ftpd.c.

    void reply(int n, char *fmt, ...)
    {
        ...
        int length, kerror;            <---- (1) length declared without an initializer

        if (n) sprintf(in, "%d%c", n, cont_char);
        else in[0] = '\0';
        strncat(in, buf, sizeof (in) - strlen(in) - 1);
    #ifdef KRB5_KRB4_COMPAT
        if (strcmp(auth_type, "KERBEROS_V4") == 0) {
            if (clevel == PROT_P)
                length = krb_mk_priv((unsigned char *)in, (unsigned char *)out,
                                     strlen(in), schedule, &kdata.session,
                                     &ctrl_addr, &his_addr);
            else
                length = krb_mk_safe((unsigned char *)in, (unsigned char *)out,
                                     strlen(in), &kdata.session,
                                     &ctrl_addr, &his_addr);
            if (length == -1) {
                syslog(LOG_ERR, "krb_mk_%s failed for KERBEROS_V4",
                       clevel == PROT_P ? "priv" : "safe");
                fputs(in,stdout);
            }
        } else
    #endif /* KRB5_KRB4_COMPAT */
    #ifdef GSSAPI
        /* reply (based on level) */
        if (strcmp(auth_type, "GSSAPI") == 0) {
            gss_buffer_desc in_buf, out_buf;
            OM_uint32 maj_stat, min_stat;
            int conf_state;

            in_buf.value = in;
            in_buf.length = strlen(in);
            maj_stat = gss_seal(&min_stat, gcontext,
                                clevel == PROT_P, /* private */
                                GSS_C_QOP_DEFAULT,
                                &in_buf, &conf_state,
                                &out_buf);
            if (maj_stat != GSS_S_COMPLETE) {
    #if 0
                /* Don't setup an infinite loop */
                /* generally need to deal */
                secure_gss_error(maj_stat, min_stat,
                                 (clevel==PROT_P)?
                                 "gss_seal ENC didn't complete":
                                 "gss_seal MIC didn't complete");
    #endif /* 0 */
            } else if ((clevel == PROT_P) && !conf_state) {
    #if 0
                /* Don't setup an infinite loop */
                secure_error("GSSAPI didn't encrypt message");
    #endif /* 0 */
            } else {
                memcpy(out, out_buf.value, length=out_buf.length);
                gss_release_buffer(&min_stat, &out_buf);
            }
        }
    #endif /* GSSAPI */
        /* Other auth types go here ... */
        if (length >= sizeof(in) / 4 * 3) {   <------ (2) uses the uninitialized length

At (1), length is declared without an initializer; for any other auth type, the uninitialized variable is used at (2).

Impact

Reading uninitialized variables can result in unpredictable behavior, crashes, or security holes.

III. CREDIT
----------

Venustech AD-LAB discovered this vulnerability. Thanks to all the Venustech AD-Lab guys.

V. DISCLAIMS
-----------

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD (http://www.venustech.com.cn)
Security Trusted {Solution} Provider Service

Reproducible: Always
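As an added illustration (not code from the advisory or from MIT), here is a reduced model of reply() in which `length` is initialized at (1) and the size check at (2) runs only on a path that assigned it; any other auth type takes the plain-text path instead of reaching the check with an indeterminate value. The 1024-byte buffer, the seal_stub() stand-in for krb_mk_priv/gss_seal with its 32-byte token overhead, and the reading of the 3/4 check as headroom for a 4/3 encoding expansion are assumptions, since the advisory cuts off before the code that follows the check.

```c
#include <string.h>

#define IN_SIZE 1024        /* constructed size of ftpd's reply buffer "in" */
#define SEAL_OVERHEAD 32    /* constructed stand-in for the krb_mk_priv/gss_seal token overhead */

enum reply_kind { REPLY_PLAIN, REPLY_SEALED, REPLY_TOO_LONG, REPLY_SEAL_FAILED };

/* Stand-in for krb_mk_priv/krb_mk_safe/gss_seal: copies the text and appends a
 * fake token. Returns the sealed length or -1, as the krb_mk_*() calls do. */
static int seal_stub(const char *in, char *out, size_t out_size)
{
    size_t n = strlen(in), need = n + SEAL_OVERHEAD;
    if (need > out_size)
        return -1;
    memcpy(out, in, n);
    memset(out + n, 'T', SEAL_OVERHEAD);
    return (int)need;
}

/* Hardened reply(): `length` is initialized at (1) and only consulted at (2)
 * on a path that assigned it. Any other auth type takes the plain-text path. */
enum reply_kind reply_checked(const char *auth_type, const char *msg, int *length_out)
{
    char in[IN_SIZE], out[IN_SIZE];
    int length = -1;                         /* (1) fixed: no indeterminate value */
    int sealed = 0;

    in[0] = '\0';
    strncat(in, msg, sizeof(in) - strlen(in) - 1);
    if (strcmp(auth_type, "KERBEROS_V4") == 0 || strcmp(auth_type, "GSSAPI") == 0) {
        length = seal_stub(in, out, sizeof(out));
        if (length == -1)
            return REPLY_SEAL_FAILED;
        sealed = 1;
    }
    /* Other auth types go here ... they never set length, so the check is skipped */
    *length_out = sealed ? length : (int)strlen(in);
    if (sealed && length >= (int)(sizeof(in) / 4 * 3))  /* (2) sealed replies only */
        return REPLY_TOO_LONG;   /* assumed: a 4/3 encoding of the token would not fit */
    return sealed ? REPLY_SEALED : REPLY_PLAIN;
}

/* Helper: drive reply_checked() with a constructed reply text of n 'A' characters. */
enum reply_kind reply_probe(const char *auth_type, size_t n, int *length_out)
{
    char msg[IN_SIZE];
    if (n >= sizeof(msg))
        n = sizeof(msg) - 1;
    memset(msg, 'A', n);
    msg[n] = '\0';
    return reply_checked(auth_type, msg, length_out);
}
```

Building the original dispatch under a tool that tracks indeterminate memory (for example clang's MemorySanitizer) flags the comparison at (2) on the plain-text path, which is the quickest way to confirm the advisory's claim on a given build.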
*** Bug 199211 has been marked as a duplicate of this bug. ***
*** Bug 199212 has been marked as a duplicate of this bug. ***
*** Bug 199214 has been marked as a duplicate of this bug. ***
OK, now we only have one bug to handle. kerberos, please advise.
Venustech, could you please make the reserved CVE descriptions public?
We are waiting for the vendor's response; it may still take several days. The vendor did not reply to our email.
We published the advisory on Full Disclosure: http://seclists.org/fulldisclosure/2007/Dec/0176.html
See $URL for a reply from the Kerberos upstream.
CVE-2007-5894 was disputed as not actually a bug. All the other vulnerabilities might occur, but only under very marginal circumstances. I believe we should continue tracking these issues and bump as soon as upstream releases a fixed version. No need to mask though.
Please find the patches for the mentioned vulnerabilities below:

CVE-2007-5894: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20182&view=rev
CVE-2007-5902: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20181&view=rev
CVE-2007-5971: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20180&view=rev
CVE-2007-5971: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20178&view=rev
CVE-2007-5972: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20179&view=rev
Fixed by jokey in app-crypt/mit-krb5-1.6.3-r1, which... already is stable.
Sent as GLSA 200803-31.

Please note that per the reply of MIT upstream, these patches were merged, but they are not considered vulnerabilities:

> CVE-2007-5894: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20182&view=rev
> CVE-2007-5902: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20181&view=rev
> CVE-2007-5972: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20179&view=rev

These are considered vulnerabilities and were mentioned in the GLSA:

> CVE-2007-5971: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20180&view=rev
> CVE-2007-5971: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20178&view=rev

whereas the last one is actually CVE-2007-5901.