Multiple Vendor Kerberos 4 Temporary File Race Condition Vulnerability

Kerberos is a widely used network service authentication system. Several implentations of Kerberos, including KTH Kerberos 4, MIT Kerberos 4, MIT Kerberos 5, Kerbnet (Cygnus Kerberos 5), and Cygnus Network Security (Cygnus Kerberos 4) contains a local /tmp race condition vulnerability that may result in a denial of service.

The Kerberos system, when creating tickets, uses temporary files in the /tmp directory. The names of these files are predictable and can be anticipated by attackers. If a symbolic link were to exist in /tmp with a correctly guessed filename when Kerberos is creating tickets, the symbolic link would be followed and whatever it pointed to would be written to. The target file pointed to by the symbolic link would be written to as root.

If a system-critical file were to be overwritten/corrupted, a denial of service may occur. Due to the fact that files are overwritten with normal Kerberos 4 ticket information, the possibility of exploitation to gain full root access is remote.


 

Privacy Statement
Copyright 2010, SecurityFocus