Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

NetBSD Security Advisory 2002-026: Buffer overflow in kadmind daemon
From: NetBSD Security Officer <security-officer () netbsd org>
Date: Mon, 21 Oct 2002 19:32:15 -0400 (EDT)


-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2002-026
                 =================================

Topic:          Buffer overflow in kadmind daemon

Version:        NetBSD-current: source prior to October 21 2002
                NetBSD-1.6:     affected
                NetBSD-1.5.3:   affected
                NetBSD-1.5.2:   affected
                NetBSD-1.5.1:   affected
                NetBSD-1.5:     affected
                NetBSD-1.4.*:   not affected

Severity:       remote buffer overflow, resulting in root exploit

Fixed:          NetBSD-current:         October 22, 2002
                NetBSD-1.6 branch:      October 22, 2002
                NetBSD-1.5 branch:      October 22, 2002


Abstract
========

Kadmind is the server for administrative access to kerberos database,
and comes from the Heimdal Kerberos implementation used by NetBSD.  In
Heimdal releases earlier than 0.5.1 kadmind has a buffer overflow in
the kerberos version 4 compatibility code.

The kadmind daemon has never been enabled by default in NetBSD;
enabling it would require a change in /etc/inetd.conf.


Technical Details
=================

All versions prior to Heimdal 0.5.1 and 0.4enb1 are vulnerable.  NetBSD
1.5, 1.6, and -current (prior to October 21, 2002) ship with a vulnerable
version.

The problem is a buffer overflow in the kerberos version 4 compatibility layer
of kadmind.

See also: http://www.pdc.kth.se/heimdal/


Solutions and Workarounds
=========================

For most users this is not a vital service and is likely not enabled.
The only user of kadmin should be the kdc in a kerberos
realm.  Since the security of the kerberos server very important,
kadmind must be disabled until upgraded.

* NetBSD all releases:

        Check that you don't have kadmind in your /etc/inetd.conf.

        # grep kadmind /etc/inetd.conf

        If kadmind is enabled, disable it by commenting out its entry and
        reloading inetd:

        # /etc/rc.d/inetd reload

        Check that kadmind is not running as a service

        # ps axlwww | grep kadmind

        If kadmind is running, kill it:

        # kill <process id of kadmind>

* NetBSD-current:

        Systems running NetBSD-current dated from before 2002-Oct-22 should
        be upgraded to NetBSD-current dated 2002-Oct-22 or later.  The fix
        is included in crypto/dist/heimdal/kadmin/version4.c, revision 1.2.

        The following directory needs to be updated from the netbsd-current
        CVS branch (aka HEAD):
                crypto/dist/heimdal/kadmin

        To update from CVS, re-build, and re-install kadmind(8):
                # cd src
                # cvs update -d -P crypto/dist/heimdal
                # cd libexec/kadmind
                # make cleandir dependall
                # make install

* NetBSD 1.6:

        The following directory needs to be updated from the 
        netbsd-1-6 CVS branch:
                crypto/dist/heimdal/kadmin

        To update from CVS, re-build, and re-install kadmind(8):

                # cd src
                # cvs update -d -P -r netbsd-1-6 crypto/dist/heimdal/kadmin
                # cd libexec/kadmind
                # make cleandir dependall
                # make install

* NetBSD 1.5:

        The following directory needs to be updated from the
        netbsd-1-5 CVS branch:
                crypto/dist/heimdal/kadmin

        To update from CVS, re-build, and re-install kadmind(8):

                # cd src 
                # cvs update -d -P -r netbsd-1-5 crypto/dist/heimdal/kadmin
                # cd libexec/kadmind
                # make cleandir dependall 
                # make install

Thanks To
=========

Love Hoernquist-Astrand for the patch and notification and Johan Danielsson
for testing.


Revision History
================

        2002-Oct-21     Initial release

More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-026.txt,v 1.9 2002/10/21 20:34:06 groo Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPbRlij5Ru2/4N2IFAQGcgwQAn2bBxCdA6L0KhD5Pq0DzylaH8V5wHsq+
iguSkTTaj8cfIR/7Nz8LHUx16Sn9BzYM/YbGkHhp0NjasjIXxlL1ulriTly6Ynf1
SOLNqfHP4IlOITGvIYbFBV0EsIgQiRA4uW5jaQT15YJ/gWi8874wioHNWNRCuTm+
rmkN3qBFP04=
=2on8
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • NetBSD Security Advisory 2002-026: Buffer overflow in kadmind daemon NetBSD Security Officer (Oct 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault