Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Markus Hallströ (tubbsfreebsd.se)
Date: Fri Apr 19 2002 - 17:43:33 CDT
This just showed up on vuln-dev
On Fri, 2002-04-19 at 15:48, Marcell Fodor wrote:
> The bug affects servers offering Kerberos TGT
> and/or AFS Token passing. The vulnerability can lead
> to a root compromise.
> more : mantra.freeweb.hu
> Marcell Fodor
on http://mantra.freeweb.hu I get the following information
security bug report:
OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow.
The bug affects servers offering Kerberos TGT and/or AFS Token passing.
The vulnerability can lead to a root compromise.
GETSTRING macro in radix_to_creds function may cause buffer overflow.
user can exploit the vulnerability by sending malformed request for:
1. pass Kerberos IV TGT
2. pass AFS Token
For security considerations the CREDENTIALS structure is erased at the end of
the auth_krb4_tgt function (auth_krb4.c). This makes code injection impossible at
the first look, since the user supplied code is cleared.
Well, it's all there! Check the temp buffer in radix_to_creds() function. This is
the place, where the server decoded the ticket.
It should be considered in further versions to clear the temp buffer prior
returning from the radix_to_creds function.
Is this known? should I worry?
------------------------------------------------- This mail sent through IMP: http://horde.org/imp/
To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message