Subject: Re: Security Advisory: MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC
From: Mike Friedman (mikefACK.BERKELEY.EDU)
Date: Fri Jun 09 2000 - 16:15:39 CDT


On Fri Jun 9 12:08:59 2000, Tom Yu said:

> MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC

Tom,

I notice that an earlier patch (see below) to the kerberos_v4.c module
wasn't incorporated into this patch for 1.0.x. The earlier problem would
allow any user, anywhere, to crash a KDC by just constructing a V4 AS
request for a principal containing a string of '%s's. I applied the fix
for that some time ago on my system, but I don't see it in the new patch.
(Fortunately, it's just a change to one line of code, so it shouldn't mess
up the line sequencing for applying this new patch).

That fix *has* been carried forward in the new 1.1.1 patch; unfortunately
I'm still running 1.0.6!

Mike

=============
*** kerberos_v4.c.orig Mon May 10 20:35:13 1999
--- kerberos_v4.c Tue Jul 13 08:41:28 1999
***************
*** 253,259 ****
      case L_APPL_REQ:
        strcpy(log_text, "PROCESS_V4:");
        vsprintf(log_text+strlen(log_text), format, pvar);
! krb5_klog_syslog(logpri, log_text);
      /* ignore the other types... */
      }
      va_end(pvar);
--- 253,259 ----
      case L_APPL_REQ:
        strcpy(log_text, "PROCESS_V4:");
        vsprintf(log_text+strlen(log_text), format, pvar);
! krb5_klog_syslog(logpri, "%s", log_text);
      /* ignore the other types... */
      }
      va_end(pvar);
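
Review bot: The `vsprintf(log_text+strlen(log_text), format, pvar);` line just above the changed call in the L_APPL_REQ case is still an unbounded write. The declaration and size of log_text are not visible in this hunk, but request-derived fields such as the principal name are expanded into it before the now-safe `krb5_klog_syslog(logpri, "%s", log_text);` runs, so I would bound that expansion with vsnprintf and the space remaining in log_text as part of the same fix. Only this one case arm is shown; any other arm of the switch that passes log_text as the format argument to krb5_klog_syslog needs the same "%s" treatment.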

----------------------------------------------------------------------------
Mike Friedman mikefack.Berkeley.EDU
Communication & Network Services +1-510-642-1410
University of California at Berkeley http://ack.Berkeley.EDU/~mikef
----------------------------------------------------------------------------
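
The following is an added example, not part of the message above and not MIT Kerberos code. It shows the logging pattern the one-line fix establishes (the assembled message is passed to the printf-style sink as data, never as the format) and goes one step beyond the patch by bounding the expansion. `sink_log`, `safe_klog` and `LOG_TEXT_MAX` are hypothetical names, and the principal string is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_TEXT_MAX 256            /* assumed buffer size for this example */

/* Stand-in for a syslog-style sink: its second argument is a FORMAT string.
 * The last record is kept in memory so the result can be inspected. */
static char last_record[LOG_TEXT_MAX];

static void sink_log(int pri, const char *fmt, ...)
{
    va_list ap;
    (void)pri;
    va_start(ap, fmt);
    vsnprintf(last_record, sizeof last_record, fmt, ap);
    va_end(ap);
}

/* Hypothetical wrapper in the shape of the patched function: expand the
 * caller's format once, bounded, then hand the result to the sink as DATA. */
static const char *safe_klog(int pri, const char *format, ...)
{
    char log_text[LOG_TEXT_MAX];
    size_t used;
    va_list pvar;

    used = (size_t)snprintf(log_text, sizeof log_text, "PROCESS_V4:");
    va_start(pvar, format);
    vsnprintf(log_text + used, sizeof log_text - used, format, pvar);
    va_end(pvar);

    /* The unsafe form would be sink_log(pri, log_text): any '%' that arrived
     * in a request field would then be interpreted a second time. */
    sink_log(pri, "%s", log_text);
    return last_record;
}

int main(void)
{
    /* Constructed sample: a principal name made of conversion specifiers. */
    const char *principal = "%s%s%s%s";
    puts(safe_klog(6, "Initial ticket request for %s", principal));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag calls where a non-literal string is passed as the format with no arguments, which is the pattern the patch removes.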