about the latest developments in security every month
in Security Watch
OVERFLOW IN KERBEROS ADMINISTRATION DAEMON
Kerberos is a widely used network protocol that uses
strong cryptography to authenticate clients and servers.
The Kerberos administration daemon (typically called
kadmind) handles password change and other requests
to modify the Kerberos database. The daemon runs on
the master Key Distribution Center (KDC) server of a
The code that provides legacy support for the Kerberos
4 administration protocol contains a remotely exploitable
buffer overflow. The vulnerable code does not adequately
validate data read from a network request. This data
is subsequently used as an argument to a memcpy() call,
which can overflow a buffer allocated on the stack.
An attacker does not have to authenticate in order to
exploit this vulnerability, and the Kerberos administration
daemon runs with root privileges.
An unauthenticated, remote attacker could execute arbitrary
code with root privileges. If an attacker is able to
gain control of a master KDC, the integrity of the entire
Kerberos realm is compromised, including user and host
identities and other systems that accept Kerberos authentication.
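As an added illustration of the defect class just described and its fix (this is not MIT or KTH kadmind source): a reader for a hypothetical length-prefixed request field, where the network-supplied length is validated against both the packet and the stack buffer before memcpy() runs. The wire layout, NAME_MAX, the return codes and the function names are assumptions made for the example.

```c
/* Added illustration (not MIT or KTH kadmind source): reading a hypothetical
 * length-prefixed request field. The bug class above is a memcpy() whose length
 * comes straight off the wire; here it is checked against both the packet and
 * the stack buffer before the copy. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NAME_MAX 16  /* hypothetical size of the stack buffer */
enum { READ_OK = 0, READ_TRUNCATED = -1, READ_TOO_LONG = -2 };

/* Constructed wire layout: byte 0 = declared length n, bytes 1..n = name. */
static int read_name(const uint8_t *req, size_t req_len, char *dst, size_t dst_size)
{
    if (req_len < 1)
        return READ_TRUNCATED;      /* no length byte at all */
    size_t n = req[0];
    if (n > req_len - 1)
        return READ_TRUNCATED;      /* claims more bytes than the packet holds */
    if (n >= dst_size)
        return READ_TOO_LONG;       /* would overrun dst (keep room for the NUL) */
    memcpy(dst, req + 1, n);        /* bounded by both checks above */
    dst[n] = '\0';
    return READ_OK;
}

/* The destination lives in this frame, like the advisory's stack buffer; the
 * validated length is what keeps the return address intact. */
int handle_request(const uint8_t *req, size_t req_len, char *name_out, size_t out_size)
{
    char name[NAME_MAX];
    int rc = read_name(req, req_len, name, sizeof name);
    if (rc == READ_OK && name_out != NULL && out_size > 0) {
        strncpy(name_out, name, out_size - 1);
        name_out[out_size - 1] = '\0';
    }
    return rc;
}

/* Constructed harness: a request whose length byte says `declared` but which
 * actually carries `payload` bytes of 'A'; an accepted name lands in demo_name. */
char demo_name[NAME_MAX];
int demo_case(uint8_t declared, size_t payload)
{
    uint8_t buf[256];
    if (payload > 255) return READ_TRUNCATED;
    buf[0] = declared;
    memset(buf + 1, 'A', payload);
    demo_name[0] = '\0';
    return handle_request(buf, 1 + payload, demo_name, sizeof demo_name);
}
```

A request that lies about its length (declared 200, one byte present) and one that is honestly too long for the buffer (40 bytes into a 16-byte buffer) are both rejected before any copy; the legacy code path the advisory describes performed the memcpy() on the declared length without either check.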
MIT Kerberos version 4 and version 5 up to and including
KTH eBones prior to version 1.2.1 and KTH Heimdal
prior to version 0.5.1
Other Kerberos implementations derived from vulnerable
MIT or KTH code
Apply the appropriate patch or upgrade as specified
by your vendor. Disable support for the Kerberos 4 administration
protocol if it is not needed. In KTH Heimdal, it is
necessary to recompile kadmind in order to disable support
for the Kerberos 4 administration protocol. For information
about disabling all Kerberos 4 support in KTH Heimdal
at compile time, see http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing
Block access to the Kerberos administration service
from networks like the Internet. Allow access to the
service from trusted administrative hosts. By default,
the Kerberos 4 administration daemon listens on 751/tcp
and 751/udp, and the Kerberos 5 administration daemon
listens on 749/tcp and 749/udp. It may be necessary
to block access to the Kerberos 5 administration service
if the daemon also supports the Kerberos 4 administration
Apple Computer, Inc.
The Kerberos Administration Daemon was included in Mac
OS X 10.0, but removed in Mac OS X 10.1 and later.
The IBM pSeries Parallel Systems Support Programs (PSSP)
implementation of Kerberos V4 (shipped with PSSP) is
potentially vulnerable to the Kerberos V4 administration
daemon buffer overflow.
The IBM Network Authentication Service (NAS) product
is not vulnerable to the buffer overflow vulnerability
in the kadmind4 daemon.
Microsoft's implementation of Kerberos is not affected
by this vulnerability.
MIT has released MIT krb5 Security Advisory 2002-002,
which includes a patch and a description of an attack
signature; it can be accessed at web.mit.edu
NetBSD has released NetBSD-SA2002-026: ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc
OpenBSD has released Security Fix 016 for OpenBSD 3.1
and Security Fix 033 for OpenBSD 3.0.
CISCO WARNS OF FLAW IN CATOS
A flaw has been discovered in the embedded HTTP server
used by the CatOS software in Cisco's Catalyst switches.
If the HTTP server is enabled, a buffer overflow can
be exploited remotely, causing the switch to fail and
reload. The vulnerability can be exploited repeatedly,
resulting in a denial of service.
If the HTTP server is enabled on a Cisco Catalyst switch
running an affected CiscoView image, an overly long
HTTP query can be received by the embedded HTTP server
that will cause a buffer overflow and result in a software
reset of the switch. Once the switch has recovered and
has resumed normal processing it is vulnerable again.
It remains vulnerable until the HTTP server is disabled.
This vulnerability is only present in Cisco Catalyst
switches running Cisco CatOS software versions 5.4 through
7.3 that contain an embedded HTTP server to support
CiscoView network management software. The affected
software images contain "cv" in the image
name as seen here: cat6000-supcv.5-5-16.bin.
The exploitation of this issue can result in a software
forced reset of this device. Repeated exploitation may
lead to a denial of service until the workaround for
this vulnerability has been implemented or a fixed version
of software has been loaded onto the device.
Disable the HTTP server on the Cisco switch. The following
example shows how to disable the HTTP server:
Console (enable) set ip http server disable
HTTP server disabled.
The default setting for the HTTP server is disabled.
Users can also choose to block access to port 80 for
their Cisco switch. This can be done with any device
with traffic filtering capabilities.
Upgrades available at the Software Center on Cisco's
worldwide website at http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml
For more, go to: http://www.cisco.com/warp/public/707/catos-http-overflow-vuln.shtml
MACROMEDIA JRUN BUFFER OVERFLOW VULNERABILITY
Due to insufficient bounds checking of URLs in incoming
Web requests, Macromedia JRun is prone to a remotely
exploitable buffer overflow condition. Exploitation
may allow a remote attacker to execute arbitrary code
with the privileges of the JRun server process.
This issue is specific to JRun running on Microsoft
IBM AIX 4.2/4.3
Microsoft IIS 4.0/5.0/5.1
Microsoft Windows 2000 Workstation/SP1/SP2
Microsoft Windows 95/98
Microsoft Windows NT 4.0/SP1-SP6a
RedHat Linux 6.0/6.1 (i386/alpha/sparc)
SGI IRIX 6.5
Sun Solaris 2.6/7.0/8.0
Macromedia JRun 3.0/3.1/4.0
Block external access to the server at the network boundary
(border routers and network firewalls); allow access only
where the service must be reachable from external networks.
Use network intrusion detection systems (NIDS) to monitor
network traffic for malicious activity. Audit
NIDS and Web server logs for signs of malicious network
activity. Run all server processes as non-privileged
users with minimal access rights. Patches to address
this issue are available at www.macromedia.com