KTH Kerberos 4 User-Supplied Configuration Files Vulnerability
Kerberos is a widely used network service authentication system. The version of Kerberos developed and maintained by KTH (Swedish Royal Institute of Technology) contains a vulnerability in its use of a user-supplied environment variable that may allow a malicious user with local access to elevate privileges.
The environment variable, KRBCONFDIR, is used by Kerberos-enabled services to specify the directory in which KTH Kerberos 4 configuration files are located. For security reasons, this variable is not used when the authenticating process is setuid (the effective privileges do not match the real privileges) because the value is assumed to be user-definable. This is to prevent users from supplying malicious Kerberos config files.
Unfortunately the method of checking the effective uid against the real uid is flawed in the case of telnet. When telnetting to a host, login is spawned with effective and real uid 0 privileges, making any such security check successful by default. It is also possible to import environment variables to telnet servers (and eventually, to login), such as KRBCONFDIR, via the telnet protocol.
Consequently, if a user has local access to the target host (or a way to upload files to a known location on the target host), the login program (spawned by a telnet server) can be tricked into using malicious KTH Kerberos 4 configuration files.
An arbitrary Kerberos server can be specified in these configuration files. With login using a malicious Kerberos server under an attackers control, the attacker can succesfully authenticate when logging in as any user (except root in configuration dependent situations where remote root logins are not permitted by default). This can lead to a compromise of root access or privileges that may lead to root access on the target host.
It should be noted that Kerberos services perform extra check to ensure they are communicating with the correct Kerberos server using a secret key. Unfortunately, this key is stored in the directory defined by KRBCONFDIR and can also be attacker-supplied.