Date:      Sat, 20 Apr 2002 00:43:33 +0200
From:      Markus Hallström <tubbs@freebsd.se>
To:        freebsd-security@freebsd.org
Subject:   new openSSH hole? 
Message-ID:  <1019256213.3cc09d9554210@mail.freebsd.se>

This just showed up on vuln-dev

On Fri, 2002-04-19 at 15:48, Marcell Fodor wrote:
> 
> 
> The bug affects servers offering Kerberos TGT 
> and/or AFS Token passing. The vulnerability can lead 
> to a root compromise.
> 
> more : mantra.freeweb.hu
> 
> Marcell Fodor
> 
 
on http://mantra.freeweb.hu I get the following information

18.04.2002
security bug report:


OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow.
The bug affects servers offering Kerberos TGT and/or AFS Token passing.
The vulnerability can lead to a root compromise.

 bug details:
 
    radix.c
    GETSTRING macro in radix_to_creds function may cause buffer overflow.
    affected buffers:
    
        creds->service
        creds->instance
        creds->realm
        creds->pinst

    a user can exploit the vulnerability by sending a malformed request for:
    
        1. pass Kerberos IV TGT
        2. pass AFS Token


 For security considerations the CREDENTIALS structure is erased at the end of
 the auth_krb4_tgt function (auth_krb4.c). This makes code injection impossible at
 first look, since the user supplied code is cleared.
 Well, it's all there! Check the temp[] buffer in the radix_to_creds() function. This is
 the place where the server decoded the ticket.

 It should be considered in further versions to clear the temp buffer prior to
 returning from the radix_to_creds function.



 Is this known? Should I worry?
--
/Markus

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
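A bounded alternative to the unchecked field copy, together with the scratch-buffer wipe the report asks for, as an added C example that is not OpenSSH's radix.c nor any code from this thread; the field sizes, the struct layout and the plain copy standing in for the radix-64 decode are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_SZ 40                /* assumed destination size, not OpenSSH's */
#define TEMP_SZ 256                /* assumed scratch buffer size */

struct creds { char service[FIELD_SZ], instance[FIELD_SZ], realm[FIELD_SZ], pinst[FIELD_SZ]; };

/* Bounded replacement for an unchecked string copy: copies one NUL-terminated
 * field from src into dst only if the NUL lies within avail bytes and the
 * string (with its NUL) fits dst.  Returns bytes consumed, or 0 to reject. */
static size_t get_field(const unsigned char *src, size_t avail, char *dst, size_t dstlen)
{
    const unsigned char *nul = memchr(src, '\0', avail);
    if (nul == NULL) return 0;                   /* unterminated: reject */
    size_t len = (size_t)(nul - src);
    if (len + 1 > dstlen) return 0;              /* would overflow dst: reject */
    memcpy(dst, src, len + 1);
    return len + 1;
}

/* Zero memory through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Copies wire into a scratch buffer (a plain copy stands in for the radix-64
 * decode), extracts four fields, and wipes the scratch copy on every return
 * path; on failure the partially filled output is wiped as well.
 * Returns 0 on success, -1 if the input is malformed or any field too long. */
int parse_creds(const unsigned char *wire, size_t wlen, struct creds *out)
{
    unsigned char temp[TEMP_SZ];
    char *fields[4] = { out->service, out->instance, out->realm, out->pinst };
    size_t off = 0, n;
    int rc = -1;

    if (wlen > sizeof temp) return -1;
    memcpy(temp, wire, wlen);
    for (int i = 0; i < 4; i++) {
        n = get_field(temp + off, wlen - off, fields[i], FIELD_SZ);
        if (n == 0) goto out;
        off += n;
    }
    rc = 0;
out:
    wipe(temp, sizeof temp);                     /* the clearing the report asks for */
    if (rc != 0) wipe(out, sizeof *out);
    return rc;
}
```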
