Mariusz Woloszyn wrote:
>
> I was trying to play with kerberos bugs, but the binary I downloaded from
> redhat.com does not want to segfault. The BT posts were saying that
> default RH 6.2 without kerberos stuff contains v4rcp that is suid root and
> segfaults when tested by sample exploit.
> Does anyone have vulnerable sources and/or binaries?
>
> --
> Mariusz Wołoszyn
> Internet Security Specialist, Internet Partners, GTS Poland
Are you interested in the following quirks?
=1=alien:/opt0/horio/HOT> uname -a
OpenBSD alien 2.6 GENERIC#696 i386
=2=alien:/opt0/horio/HOT> rlogin -x alien
krcmd_mutual: Time is out of bounds (krb_rd_req)
rlogin: warning, using standard rlogin: can't provide Kerberos auth data.
rlogin: the -x flag requires Kerberos authentication.
=3=alien:/opt0/horio/HOT> rlogin alien
=1=alien:/opt0/horio/HOT> exitrlogin: connection closed.
=4=alien:/opt0/horio/HOT> klist
Ticket file: /tmp/tkt.horio
Principal: horio_at_NEAR.THIS
Issued Expires Principal
Jun 2 00:48:53 Jan 19 12:14:07 krbtgt.NEAR.THIS_at_NEAR.THIS
Jun 2 00:58:53 Jan 19 12:14:07 rcmd.byte_at_NEAR.THIS
Jun 2 00:59:52 Jan 19 12:14:07 rcmd.alien_at_NEAR.THIS
Jun 2 01:11:54 Jan 19 12:14:07 rcmd.type_at_NEAR.THIS
Jun 2 02:07:08 Jan 19 12:14:07 krbtgt.POINTER-SOFTWARE.COM_at_NEAR.THIS
Jun 2 02:07:08 Jan 19 12:14:07 rcmd.hakobera_at_POINTER-SOFTWARE.COM
=5=alien:/opt0/horio/HOT> telnet -x alien
Encryption is verbose
Trying 10.0.3.2...
Connected to alien.near.this.
Escape character is '^]'.
[ Trying mutual KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
[ Output is now encrypted with type DES_CFB64 ]
[ Input is now decrypted with type DES_CFB64 ]
=1=alien:/opt0/horio/HOT>
From the above snapshot:
o the clock is far away from its own clock, and
o one cannot see exactly when tickets expire.
BTW, the nearest KDC is KTH-krb4-1.0.1 (genuine) on FreeBSD 3.2.
horio shoichi
Received on Jun 02 2000
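The two quirks in the snapshot above, the "Time is out of bounds (krb_rd_req)" rejection and the odd "Jan 19 12:14:07" expiry column, as an added example. This is my code, not code from the thread or from KTH krb4. It models the two time checks a krb4 server performs on an incoming AP_REQ (authenticator timestamp within CLOCK_SKEW of the server clock, ticket not yet expired) and shows how klist would render a given epoch value. Assumptions, all mine: the 5-minute krb4 CLOCK_SKEW; that the order of the two checks matches the real krb_rd_req is not claimed, only the two error names and their texts are; and that the host printing klist was in UTC+9, because 2^31-1 seconds after the epoch (the largest signed 32-bit time_t) is 03:14:07 UTC on 19 Jan 2038, which is 12:14:07 in UTC+9. The scenario timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# krb4 tolerates this much difference between the authenticator timestamp
# and the server clock (5 minutes; assumed to match KTH krb4 1.0.1).
CLOCK_SKEW = 300
# Largest value of a signed 32-bit time_t.
TIME_T_MAX_32 = 2**31 - 1


def rd_req_check(auth_timestamp, ticket_expiry, server_now, skew=CLOCK_SKEW):
    """Model (not the real code) of the time checks in krb4 krb_rd_req.

    All arguments are epoch seconds. Returns None when the request passes,
    otherwise the krb4 error name whose text the client prints:
      RD_AP_TIME -> "Time is out of bounds"
      RD_AP_EXP  -> "Ticket expired"
    The skew check is what rejects both stale (replayed) authenticators and
    honest clients whose clock drifted too far from the server's.
    """
    if abs(server_now - auth_timestamp) > skew:
        return "RD_AP_TIME"
    if server_now > ticket_expiry:
        return "RD_AP_EXP"
    return None


def klist_time(epoch_seconds, utc_offset_hours):
    """Render an epoch value the way klist's Issued/Expires columns do."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch_seconds, tz).strftime("%b %d %H:%M:%S")


def demo():
    """Constructed scenario around the rcmd.alien ticket from the snapshot."""
    jst = timezone(timedelta(hours=9))  # assumption: host was in UTC+9
    issued = int(datetime(2000, 6, 2, 0, 59, 52, tzinfo=jst).timestamp())
    auth_ts = issued + 30  # client builds the authenticator 30 s later

    results = {
        # Expiry column shown on the page is the 32-bit time_t maximum in UTC+9.
        "expiry_column": klist_time(TIME_T_MAX_32, 9),
        # Server clock 20 minutes behind the client: the rlogin -x failure.
        "skewed_server": rd_req_check(auth_ts, TIME_T_MAX_32, auth_ts - 1200),
        # Clocks in sync: the telnet -x session that succeeded.
        "synced_server": rd_req_check(auth_ts, TIME_T_MAX_32, auth_ts + 5),
        # Ordinary 10-hour ticket presented after it lapsed, clocks in sync.
        "expired_ticket": rd_req_check(issued + 11 * 3600,
                                       issued + 10 * 3600,
                                       issued + 11 * 3600),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value}")
```

The skewed case is the interesting one for a defender: a client whose clock is more than CLOCK_SKEW off cannot authenticate at all, while a server whose clock is wrong will accept authenticators that are in fact minutes old, widening the replay window.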