Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 74449 - app-crypt/mit-krb5: heap overflow
Summary: app-crypt/mit-krb5: heap overflow
Status: RESOLVED DUPLICATE of bug 75143
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [ebuild]
Depends on:
Reported: 2004-12-14 23:45 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-12-26 22:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-14 23:45:40 UTC
The MIT Kerberos Development Team is aware of the following
vulnerability in the MIT krb5 software.  Please do not publicly
disseminate this information prior to our public disclosure.  We
expect to produce patches and a public advisory within the next week
-- probably before 21 December 2004.  Accelerated release timeline is
due to prior public discussion of the bug.

Please let me know if you have any comments on this draft advisory.


                 MIT krb5 Security Advisory 2004-004

Original release: 2004-12-xx

Topic: heap buffer overflow in libkadm5srv

Severity: serious

[ NOTE: This vulnerability has been already discussed on a public
mailing list, in sufficient detail for someone to infer how to perform
an attack.  For this reason, patches and advisory will be published as
soon as they are ready, with minimal coordination.  We anticipate
releasing patches and the public advisory within a week -- probably
before 21 December 2004. ]


The MIT Kerberos 5 administration library (libkadm5srv) contains a
heap buffer overflow in password history handling code which could be
exploited to execute arbitrary code on a Key Distribution Center (KDC)
host.  The overflow occurs during a password change of a principal
with a certain password history state.  An administrator must have
performed a certain password policy change in order to create the
vulnerable state.  (See MITIGATING FACTORS below.)

No exploits are known to exist at this time, though a public
discussion of the bug took place during the first weeks of December
2004, containing sufficient detail that someone could infer how to
perform an attack.  Exploitation of this vulnerability is believed to
be difficult, due to the limited extent of the overflow.


An authenticated user, not necessarily one with administrative
privileges, could execute arbitrary code on the KDC host, compromising
an entire Kerberos realm.  [CAN-2004-1189]


* Typically, only a principal satisfying the following conditions can
  trigger the buffer overflow upon password change:

  + have changed its password fewer times than the history count in
    its password policy

  + had its password policy's history count subsequently reduced to
    equal the number of times it has changed its password

* There are other means of producing the vulnerable state, though they
  are significantly more complex and much less likely.  All of these
  other methods involve a reduction of the password history count in a
  password policy.

* A workaround exists (see FIXES).


* KDC software on all releases of MIT krb5, up to and including
  krb5-1.3.5.  The vulnerable library is libkadm5srv.  Programs which
  use the vulnerable functionality of the library include:

  + kadmind (administration daemon)

  + kadmin.local (KDC-local administration client)

  + kadmind4 (krb4 compatibility administration daemon)


* WORKAROUND: Until your KDC programs and libraries have been patched,
  do not decrease the password history count on any policy in your
  Kerberos realm.

* The upcoming krb5-1.4 release will contain fixes for this problem.

* The upcoming krb5-1.3.6 patch release will contain fixes for this

* Patches are in development.


This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:

CVE CAN-2004-1189:

        Administration library in MIT Kerberos 5 release 1.3.5 and
        earlier has a heap buffer overflow in code which handles
        password history, possibly allowing authenticated attackers to
        execute arbitrary code on a KDC host.


Thanks to Michael Tautschnig for reporting this problem.

Thanks to Chaskiel Grundman and Luke Howard for providing debugging
help on the mailing list.


The vulnerable function is add_to_history() in
src/lib/kadm5/srv/svr_principal.c.  The password history is stored as
a ring buffer, represented as an array of osa_pw_ent_rec, which is
adb->old_keys.  The "next" pointer is an index into the array,
adb->old_key_next, and the length of the array is stored in
adb->old_key_len.  The array is dynamically resized as needed, and
there is no separate head pointer.

The policy's history count is stored in pol->pw_hist_num, but the
actual maximum number of keys stored in adb->old_keys is
pol->pw_hist_num-1, since the "current" key data are also used for
history comparisons when a password change occurs.

The index value adb->old_key_next is permitted to index to a position
one past the end of the array adb->old_keys if adb->old_key_next is
less than pol->pw_hist_num-1.  This out-of-bounds indexing is usually
fixed up when add_to_history() enlarges the array on a subsequent

If pol->pw_hist_num is reduced to adb->old_key_next after a password
change that causes adb->old_key_next to index out of bounds, a
subsequent password change will not run the resizing code, and
add_to_history() will write a password history entry past the end of
the array adb->old_keys.


2004-12-xx      original release

Copyright (C) 2004 Massachusetts Institute of Technology
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-20 15:41:38 UTC
This issue is now public.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-12-20 15:43:50 UTC
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-12-20 15:45:13 UTC
aliz/rphillips, please apply patch.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 01:58:48 UTC
Followups to public bug 75143

*** This bug has been marked as a duplicate of 75143 ***