KTH Kerberos 4 Buffer Overflow Vulnerability

Kerberos is a widely used network service authentication system. The version of Kerberos developed and maintained by KTH (Swedish Royal Institute of Technology) contains a buffer overflow vulnerability that may allow/assist in a local or remote root compromise.

When a service using KTH Kerberos 4 receives a response from a Kerberos server during the authentication process, it copies data contained in the packet into a buffer of predefined size on the process's stack. The amount of data to be copied is supplied externally, in the response packet itself. If this length value is greater than the number of bytes allocated for the destination buffer, the copy overruns the buffer and a stack overflow occurs.

It may be possible for an attacker to exploit this and gain root access on the host running the Kerberos-enabled service in the traditional buffer overflow manner. To do so, the attacker would need to control the Kerberos server used by the target host or otherwise be able to deliver malformed replies to it. The latter may be possible with the aid of another vulnerability in KTH Kerberos 4 that allows unauthenticated remote clients to specify a proxy server for the Kerberos server (see Bugtraq ID 2090).
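
The copy pattern described above, as an added illustration that is not code from KTH Kerberos 4: a reply carries an externally supplied length followed by that many bytes, and the length must be checked against both the destination buffer and the bytes actually received before any copy. The two-byte big-endian length header and the 64-byte buffer size are assumptions for the example, not the real wire format.

```c
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the advisory's bug class. The reply layout
 * (2-byte big-endian length, then payload) is hypothetical, not the real
 * KTH Kerberos 4 packet format. */
#define REPLY_DATA_MAX 64

/* The unsafe pattern (shown as a comment, never compiled or called): the
 * attacker-chosen length drives the copy into a fixed 64-byte stack buffer,
 * so any len > 64 overruns it.
 *
 *   uint16_t len = (pkt[0] << 8) | pkt[1];
 *   char buf[REPLY_DATA_MAX];
 *   memcpy(buf, pkt + 2, len);
 */

/* Hardened version: validates the external length against the destination
 * capacity and against the bytes actually received before copying.
 * Returns the number of bytes copied, or -1 if the reply is rejected. */
int parse_reply(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return -1;                                 /* truncated header */
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];   /* externally supplied */
    if (len > out_cap)
        return -1;                                 /* would overflow out */
    if (len > pkt_len - 2)
        return -1;                                 /* claims more than sent */
    memcpy(out, pkt + 2, len);
    return (int)len;
}

/* Helpers with constructed sample replies so the outcome is checkable. */
int accept_well_formed(void)
{
    /* constructed sample: length 5, payload "hello" */
    const uint8_t pkt[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    char buf[REPLY_DATA_MAX];
    return parse_reply(pkt, sizeof pkt, buf, sizeof buf);
}

int reject_oversized_length(void)
{
    /* constructed sample: header claims 0x1000 bytes, only 5 follow */
    const uint8_t pkt[] = {0x10, 0x00, 'h', 'e', 'l', 'l', 'o'};
    char buf[REPLY_DATA_MAX];
    return parse_reply(pkt, sizeof pkt, buf, sizeof buf);
}
```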

Copyright 2010, SecurityFocus