Date: Sat, 20 Apr 2002 11:05:28 -0500
From: "Jacques A. Vidrine" <nectar@freebsd.org>
To: Markus Hallström <tubbs@freebsd.se>
Cc: freebsd-security@freebsd.org
Subject: Does not affect FreeBSD (was Re: new openSSH hole?)
Message-ID: <20020420160528.GJ27108@madman.nectar.cc>
In-Reply-To: <1019256213.3cc09d9554210@mail.freebsd.se>
References: <1019256213.3cc09d9554210@mail.freebsd.se>
FreeBSD is not affected. This code is only built in environments which
support AFS. Neither the OpenSSH in the base system nor in the ports
collection can be built with AFS unless (a) you have AFS from somewhere, and
(b) you manually hack the configuration to enable AFS.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se

On Sat, Apr 20, 2002 at 12:43:33AM +0200, Markus Hallström wrote:
> This just showed up on vuln-dev.
> 
> On Fri, 2002-04-19 at 15:48, Marcell Fodor wrote:
> > 
> > The bug affects servers offering Kerberos TGT
> > and/or AFS Token passing. The vulnerability can lead
> > to a root compromise.
> > 
> > more : mantra.freeweb.hu
> > 
> > Marcell Fodor
> 
> On http://mantra.freeweb.hu I get the following information:
> 
> 18.04.2002
> security bug report:
> 
> OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow.
> The bug affects servers offering Kerberos TGT and/or AFS Token passing.
> The vulnerability can lead to a root compromise.
> 
> bug details:
> 
> radix.c
> The GETSTRING macro in the radix_to_creds function may cause a buffer overflow.
> affected buffers:
> 
> creds->service
> creds->instance
> creds->realm
> creds->pinst
> 
> A user can exploit the vulnerability by sending a malformed request for:
> 
> 1. pass Kerberos IV TGT
> 2. pass AFS Token
> 
> For security considerations the CREDENTIALS structure is erased at the end of
> the auth_krb4_tgt function (auth_krb4.c). This makes code injection impossible at
> first look, since the user-supplied code is cleared.
> Well, it's all there! Check the temp[] buffer in the radix_to_creds() function. This is
> the place where the server decoded the ticket.
> 
> It should be considered in further versions to clear the temp buffer prior to
> returning from the radix_to_creds function.
> 
> Is this known? Should I worry?
> -- 
> /Markus
> 
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
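The report quoted above describes two things a reviewer of radix_to_creds() would look for: a string-copy macro that fills fixed-size CREDENTIALS fields without a bound, and a decoded copy of the client's ticket (temp[]) that is not cleared on return. The C below is an added example written for this page; it is not OpenSSH's radix.c and not code from either poster. It models the pattern with assumed names and sizes (FIELD_SZ, struct creds, a four-field NUL-terminated layout, and constructed requests): the unbounded copy is shown only for contrast and is never run on an overlong field, the bounded copy rejects a field with no terminator inside the destination instead of truncating it, and both the heap copy of the decoded request and any half-parsed struct are wiped before the function returns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed field size for this example; the real krb4 CREDENTIALS
 * fields are likewise fixed-size arrays, which is what makes an unbounded
 * copy into them dangerous. */
#define FIELD_SZ 40

struct creds {                 /* the four buffers the report lists */
    char service[FIELD_SZ];
    char instance[FIELD_SZ];
    char realm[FIELD_SZ];
    char pinst[FIELD_SZ];
};

/* Read cursor over the decoded request, every byte of which the client chose. */
struct rbuf {
    const unsigned char *p;
    size_t len, off;
};

/* Unbounded copy: stops only at NUL or end of input, so a field longer than
 * the destination writes past it. Shown for contrast; this example only ever
 * calls it on a short, well-formed field. */
static int getstring_unbounded(struct rbuf *b, char *t)
{
    for (size_t i = 0; ; i++) {
        if (b->off >= b->len)
            return 0;                    /* truncated request */
        t[i] = (char)b->p[b->off++];
        if (t[i] == '\0')
            return 1;
    }
}

/* Bounded copy: writes at most tlen bytes, and treats a field with no NUL
 * inside tlen bytes as malformed rather than silently truncating it. */
static int getstring_bounded(struct rbuf *b, char *t, size_t tlen)
{
    for (size_t i = 0; i < tlen; i++) {
        if (b->off >= b->len)
            return 0;                    /* truncated request */
        t[i] = (char)b->p[b->off++];
        if (t[i] == '\0')
            return 1;
    }
    return 0;                            /* overlong field */
}

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe
 * as a dead store. */
void secure_wipe(void *v, size_t n)
{
    volatile unsigned char *p = v;
    while (n--)
        *p++ = 0;
}

/* Returns 1 and fills *c for a well-formed request, 0 otherwise. As in the
 * server flow the report describes, the decoded ticket is parsed from a heap
 * copy (temp); that copy is wiped on every return path, which is the change
 * the report asks for. */
int parse_creds(const unsigned char *decoded, size_t len, struct creds *c)
{
    unsigned char *temp = malloc(len ? len : 1);
    int ok = 0;
    if (temp == NULL)
        return 0;
    memcpy(temp, decoded, len);

    struct rbuf b = { temp, len, 0 };
    memset(c, 0, sizeof *c);
    if (getstring_bounded(&b, c->service,  sizeof c->service)  &&
        getstring_bounded(&b, c->instance, sizeof c->instance) &&
        getstring_bounded(&b, c->realm,    sizeof c->realm)    &&
        getstring_bounded(&b, c->pinst,    sizeof c->pinst))
        ok = 1;

    if (!ok)
        secure_wipe(c, sizeof *c);       /* no half-parsed fields left behind */
    secure_wipe(temp, len);              /* client bytes do not outlive the call */
    free(temp);
    return ok;
}

/* Constructed inputs (not captured traffic): a well-formed request, and one
 * whose first field has no terminator within FIELD_SZ bytes. */
static const unsigned char good_req[] = "rcmd\0host\0EXAMPLE.ORG\0user\0";
static unsigned char long_req[FIELD_SZ + 32];

int parse_good(struct creds *c)
{
    return parse_creds(good_req, sizeof good_req - 1, c);
}

int parse_overlong(struct creds *c)
{
    memset(long_req, 'A', sizeof long_req);   /* no NUL anywhere */
    return parse_creds(long_req, sizeof long_req, c);
}

int main(void)
{
    struct creds c;
    char scratch[FIELD_SZ];
    struct rbuf b = { good_req, sizeof good_req - 1, 0 };

    getstring_unbounded(&b, scratch);    /* safe here: "rcmd" fits easily */
    printf("unbounded read of first field: %s\n", scratch);
    printf("good request:     %s\n", parse_good(&c) ? "accepted" : "rejected");
    printf("  service=%s instance=%s realm=%s pinst=%s\n",
           c.service, c.instance, c.realm, c.pinst);
    printf("overlong request: %s\n", parse_overlong(&c) ? "accepted" : "rejected");
    return 0;
}
```

The check that matters is the `return 0` after the loop in getstring_bounded: truncating to FIELD_SZ-1 bytes and continuing would keep the server up but would let a malformed field pass as valid credentials, so the whole request is rejected. Wiping temp unconditionally, rather than only on the success path, is what addresses the report's observation that the decoded ticket survived in memory after the CREDENTIALS struct was cleared.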