From owner-freebsd-security Fri Apr 19 15:32:49 2002
Message-ID: <1019256213.3cc09d9554210@mail.freebsd.se>
Date: Sat, 20 Apr 2002 00:43:33 +0200
From: Markus Hallström
To: freebsd-security@freebsd.org
Subject: new openSSH hole?

This just showed up on vuln-dev:

On Fri, 2002-04-19 at 15:48, Marcell Fodor wrote:
>
> The bug affects servers offering Kerberos TGT
> and/or AFS Token passing. The vulnerability can lead
> to a root compromise.
>
> more : mantra.freeweb.hu
>
> Marcell Fodor
>

On http://mantra.freeweb.hu I get the following information:

18.04.2002 security bug report:

OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer
overflow. The bug affects servers offering Kerberos TGT and/or AFS Token
passing. The vulnerability can lead to a root compromise.

bug details:
radix.c GETSTRING macro in radix_to_creds function may cause buffer
overflow.

affected buffers:
  creds->service
  creds->instance
  creds->realm
  creds->pinst

user can exploit the vulnerability by sending a malformed request for:
  1. pass Kerberos IV TGT
  2. pass AFS Token

For security considerations the CREDENTIALS structure is erased at the
end of the auth_krb4_tgt function (auth_krb4.c). This makes code
injection impossible at first look, since the user supplied code is
cleared. Well, it's all there! Check the temp[] buffer in the
radix_to_creds() function. This is the place where the server decoded
the ticket. It should be considered in further versions to clear the
temp buffer prior to returning from the radix_to_creds function.

Is this known? Should I worry?

--
/Markus
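Added example (not code from the post, the advisory, or OpenSSH's radix.c): a constructed C model of the two points raised above. The defect the advisory describes is a string copy whose loop is bounded by the input rather than by the destination, so a field longer than the creds->service, creds->instance, creds->realm or creds->pinst buffer runs off the end of that buffer. The extractor below is bounded by the field size, requires the terminator to land inside the field, and fails cleanly otherwise; the surrounding parser also wipes its scratch copy of the decoded ticket before returning, which is the temp[] clearing the post asks for. The field size (40 bytes), the scratch size (256 bytes), the wire layout (four NUL-terminated strings) and the sample inputs are all constructed for the demo.

```c
/* Constructed model of the issue described above; not OpenSSH's radix.c.
 * Field and scratch-buffer sizes and the wire layout are assumptions. */
#include <string.h>

#define FIELD_LEN 40   /* constructed field size */
#define TEMP_LEN  256  /* constructed size of the decode scratch buffer */

typedef struct {       /* the four buffers the advisory names */
    char service[FIELD_LEN];
    char instance[FIELD_LEN];
    char realm[FIELD_LEN];
    char pinst[FIELD_LEN];
} creds_t;

typedef struct {       /* cursor over the decoded ticket bytes */
    const unsigned char *p;
    size_t left;
} cursor_t;

/* Bounded extractor: tlen limits the loop, the input must not run dry, and
 * the terminator must land inside the field. 0 on success, -1 if malformed.
 * The defective pattern differs only in lacking the tlen bound. */
static int getstring_checked(cursor_t *c, char *t, size_t tlen)
{
    size_t i;
    for (i = 0; i < tlen; i++) {
        if (c->left == 0)
            return -1;          /* input ended before the terminator */
        c->left--;
        t[i] = (char)*c->p++;
        if (t[i] == '\0')
            return 0;
    }
    return -1;                  /* tlen bytes and still no terminator */
}

/* Wipe the optimiser cannot drop: every store goes through a volatile
 * pointer. This is the "clear temp before returning" step the post asks for. */
static void secure_wipe(void *buf, size_t n)
{
    volatile unsigned char *p = buf;
    while (n--)
        *p++ = 0;
}

/* Model of radix_to_creds: stage the decoded ticket in a scratch buffer (the
 * real function radix-decodes into it), extract four NUL-terminated fields,
 * and wipe the scratch copy on every exit path. On failure *creds is zeroed. */
int parse_creds(const unsigned char *decoded, size_t len, creds_t *creds)
{
    unsigned char temp[TEMP_LEN];
    cursor_t c = { temp, len };
    int rc = -1;

    memset(creds, 0, sizeof(*creds));
    if (len > sizeof(temp))
        return -1;              /* would overrun the scratch buffer itself */
    memcpy(temp, decoded, len);

    if (getstring_checked(&c, creds->service, sizeof(creds->service)) == 0 &&
        getstring_checked(&c, creds->instance, sizeof(creds->instance)) == 0 &&
        getstring_checked(&c, creds->realm, sizeof(creds->realm)) == 0 &&
        getstring_checked(&c, creds->pinst, sizeof(creds->pinst)) == 0)
        rc = 0;

    if (rc != 0)
        memset(creds, 0, sizeof(*creds));   /* no partial fields survive */
    secure_wipe(temp, sizeof(temp));
    return rc;
}

/* Constructed inputs; each check returns 1 when the parser behaves. */
int check_wellformed(void)
{
    static const unsigned char in[] = "krbtgt\0\0EXAMPLE.ORG\0alice\0";
    creds_t cr;
    return parse_creds(in, sizeof(in) - 1, &cr) == 0 &&
           strcmp(cr.service, "krbtgt") == 0 && cr.instance[0] == '\0' &&
           strcmp(cr.realm, "EXAMPLE.ORG") == 0 && strcmp(cr.pinst, "alice") == 0;
}

int check_oversized_field(void)   /* 60-byte realm aimed at a 40-byte field */
{
    unsigned char in[75];
    creds_t cr;
    memcpy(in, "krbtgt\0\0", 8);
    memset(in + 8, 'A', 60);
    in[68] = '\0';
    memcpy(in + 69, "alice\0", 6);
    return parse_creds(in, sizeof(in), &cr) == -1 && cr.service[0] == '\0';
}

int check_truncated(void)         /* input ends inside the last field */
{
    static const unsigned char in[] = "krbtgt\0\0EXAMPLE.ORG\0ali";
    creds_t cr;
    return parse_creds(in, sizeof(in) - 1, &cr) == -1;
}
```

Two design points worth noting. The oversized-field check is the case the advisory is about: without the tlen bound, the 60 'A' bytes would be written past the 40-byte realm field into the neighbouring struct member. The wipe goes through a volatile pointer because a plain memset on a buffer that is never read again is a dead store the compiler is entitled to remove, which would leave the decoded ticket bytes on the stack exactly as the post warns.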