Vulnerabilities > CVE-2002-1235 - Remote Buffer Overflow vulnerability in Multiple Vendor kadmind

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

The kadm_ser_in function in (1) the Kerberos v4 compatibility administration daemon (kadmind4) in the MIT Kerberos 5 (krb5) krb5-1.2.6 and earlier, (2) kadmind in KTH Kerberos 4 (eBones) before 1.2.1, and (3) kadmind in KTH Kerberos 5 (Heimdal) before 0.5.1 when compiled with Kerberos 4 support, does not properly verify the length field of a request, which allows remote attackers to execute arbitrary code via a buffer overflow attack.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-185.NASL
    description: A stack-based buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server was discovered, which is provided by Heimdal as well. A working exploit for this kadmind bug is already circulating, hence it is considered serious. The broken library also contains a vulnerability which could lead to another root exploit. These problems have been fixed in version 0.4e-7.woody.5 for the current stable distribution (woody), in version 0.2l-7.6 for the old stable distribution (potato) and in version 0.4e-22 for the unstable distribution (sid).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15022
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15022
    title: Debian DSA-185-1 : heimdal - buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # Local (dpkg-based) check for Debian Security Advisory DSA-185, the
    # heimdal kadmind stack overflow (CVE-2002-1235). The descriptive text
    # and the package/version table were taken from the advisory; that text
    # is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: executed when the scanner loads the plugin, never
    # during a scan of a host.
    if (description)
    {
      script_id(15022);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2002-1235");
      script_xref(name:"CERT", value:"875073");
      script_xref(name:"DSA", value:"185");
    
      script_name(english:"Debian DSA-185-1 : heimdal - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(
        attribute:"description",
        value:
    "A stack-based buffer overflow in the kadm_ser_wrap_in function in the
    Kerberos v4 administration server was discovered, which is provided by
    Heimdal as well. A working exploit for this kadmind bug is already
    circulating, hence it is considered serious. The broken library also
    contains a vulnerability which could lead to another root exploit.
    
    These problems have been fixed in version 0.4e-7.woody.5 for the
    current stable distribution (woody), in version 0.2l-7.6 for the old
    stable distribution (potato) and in version 0.4e-22 for the unstable
    distribution (sid)."
      );
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2002/dsa-185");
      script_set_attribute(attribute:"solution", value:"Upgrade the heimdal packages immediately.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:heimdal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/10/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    include("audit.inc");
    include("debian_package.inc");
    
    # The check needs the dpkg listing that ssh_get_info.nasl stores in the
    # knowledge base; audit() reports the reason and exits when it is absent.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Binary packages built from the heimdal source, per Debian release.
    # potato (2.2) ships the first eight; woody (3.0) additionally ships the
    # split-out shared libraries.
    potato_pkgs = make_list(
      "heimdal-clients", "heimdal-clients-x", "heimdal-dev", "heimdal-docs",
      "heimdal-kdc", "heimdal-lib", "heimdal-servers", "heimdal-servers-x"
    );
    woody_pkgs = make_list(
      "heimdal-clients", "heimdal-clients-x", "heimdal-dev", "heimdal-docs",
      "heimdal-kdc", "heimdal-lib", "heimdal-servers", "heimdal-servers-x",
      "libasn1-5-heimdal", "libcomerr1-heimdal", "libgssapi1-heimdal",
      "libhdb7-heimdal", "libkadm5clnt4-heimdal", "libkadm5srv7-heimdal",
      "libkafs0-heimdal", "libkrb5-17-heimdal", "libotp0-heimdal",
      "libroken9-heimdal", "libsl0-heimdal", "libss0-heimdal"
    );
    
    # deb_check()/deb_report_get() come from debian_package.inc; a true
    # return presumably means the package is installed below the reference
    # (fixed) version. Every hit bumps flag.
    flag = 0;
    foreach pkg (potato_pkgs)
      if (deb_check(release:"2.2", prefix:pkg, reference:"0.2l-7.6")) flag++;
    foreach pkg (woody_pkgs)
      if (deb_check(release:"3.0", prefix:pkg, reference:"0.4e-7.woody.5")) flag++;
    
    # Nothing vulnerable found: audit() exits with the "not affected" reason.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # Report on the host (port 0); include the per-package detail only when
    # the scan's verbosity asks for it.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-178.NASL
    description: The SuSE Security Team has reviewed critical parts of the Heimdal package such as the kadmind and kdc server. While doing so several potential buffer overflows and other bugs have been uncovered and fixed. Remote attackers can probably gain remote root access on systems without fixes. Since these services usually run on authentication servers these bugs are considered very serious. These problems have been fixed in version 0.4e-7.woody.4 for the current stable distribution (woody), in version 0.2l-7.4 for the old stable distribution (potato) and version 0.4e-21 for the unstable distribution (sid).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15015
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15015
    title: Debian DSA-178-1 : heimdal - remote command execution
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # Local (dpkg-based) check for Debian Security Advisory DSA-178, the
    # SuSE-audited heimdal kadmind/kdc fixes (CVE-2002-1225, CVE-2002-1226,
    # CVE-2002-1235). The descriptive text and the package/version table
    # were taken from the advisory; that text is copyright (C) Software in
    # the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: executed when the scanner loads the plugin, never
    # during a scan of a host.
    if (description)
    {
      script_id(15015);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2002-1225", "CVE-2002-1226", "CVE-2002-1235");
      script_xref(name:"CERT", value:"875073");
      script_xref(name:"DSA", value:"178");
    
      script_name(english:"Debian DSA-178-1 : heimdal - remote command execution");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(
        attribute:"description",
        value:
    "The SuSE Security Team has reviewed critical parts of the Heimdal
    package such as the kadmind and kdc server. While doing so several
    potential buffer overflows and other bugs have been uncovered and
    fixed. Remote attackers can probably gain remote root access on
    systems without fixes. Since these services usually run on
    authentication servers these bugs are considered very serious.
    
    These problems have been fixed in version 0.4e-7.woody.4 for the
    current stable distribution (woody), in version 0.2l-7.4 for the old
    stable distribution (potato) and version 0.4e-21 for the unstable
    distribution (sid)."
      );
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2002/dsa-178");
      script_set_attribute(attribute:"solution", value:"Upgrade the Heimdal packages immediately.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:heimdal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/11");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    include("audit.inc");
    include("debian_package.inc");
    
    # The check needs the dpkg listing that ssh_get_info.nasl stores in the
    # knowledge base; audit() reports the reason and exits when it is absent.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Binary packages built from the heimdal source, per Debian release.
    # potato (2.2) ships the first eight; woody (3.0) additionally ships the
    # split-out shared libraries.
    potato_pkgs = make_list(
      "heimdal-clients", "heimdal-clients-x", "heimdal-dev", "heimdal-docs",
      "heimdal-kdc", "heimdal-lib", "heimdal-servers", "heimdal-servers-x"
    );
    woody_pkgs = make_list(
      "heimdal-clients", "heimdal-clients-x", "heimdal-dev", "heimdal-docs",
      "heimdal-kdc", "heimdal-lib", "heimdal-servers", "heimdal-servers-x",
      "libasn1-5-heimdal", "libcomerr1-heimdal", "libgssapi1-heimdal",
      "libhdb7-heimdal", "libkadm5clnt4-heimdal", "libkadm5srv7-heimdal",
      "libkafs0-heimdal", "libkrb5-17-heimdal", "libotp0-heimdal",
      "libroken9-heimdal", "libsl0-heimdal", "libss0-heimdal"
    );
    
    # deb_check()/deb_report_get() come from debian_package.inc; a true
    # return presumably means the package is installed below the reference
    # (fixed) version. Every hit bumps flag.
    flag = 0;
    foreach pkg (potato_pkgs)
      if (deb_check(release:"2.2", prefix:pkg, reference:"0.2l-7.4")) flag++;
    foreach pkg (woody_pkgs)
      if (deb_check(release:"3.0", prefix:pkg, reference:"0.4e-7.woody.4")) flag++;
    
    # Nothing vulnerable found: audit() exits with the "not affected" reason.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # Report on the host (port 0); include the per-package detail only when
    # the scan's verbosity asks for it.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-183.NASL
    description: Tom Yu and Sam Hartman of MIT discovered another stack-based buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server. This kadmind bug has a working exploit code circulating, hence it is considered serious. The MIT krb5 implementation includes support for version 4, including a complete v4 library, server side support for krb4, and limited client support for v4.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15020
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15020
    title: Debian DSA-183-1 : krb5 - buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # Local (dpkg-based) check for Debian Security Advisory DSA-183, the MIT
    # krb5 kadmind4 stack overflow (CVE-2002-1235). The descriptive text and
    # the package/version table were taken from the advisory; that text is
    # copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: executed when the scanner loads the plugin, never
    # during a scan of a host.
    if (description)
    {
      script_id(15020);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2002-1235");
      script_xref(name:"CERT", value:"875073");
      script_xref(name:"DSA", value:"183");
    
      script_name(english:"Debian DSA-183-1 : krb5 - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(
        attribute:"description",
        value:
    "Tom Yu and Sam Hartman of MIT discovered another stack-based buffer
    overflow in the kadm_ser_wrap_in function in the Kerberos v4
    administration server. This kadmind bug has a working exploit code
    circulating, hence it is considered serious. The MIT krb5
    implementation includes support for version 4, including a complete v4
    library, server side support for krb4, and limited client support for
    v4."
      );
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2002/dsa-183");
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade the krb5 packages immediately.
    
    This problem has been fixed in version 1.2.4-5woody3 for the current
    stable distribution (woody) and in version 1.2.6-2 for the unstable
    distribution (sid). The old stable distribution (potato) is not
    affected since no krb5 packages are included."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/10/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    include("audit.inc");
    include("debian_package.inc");
    
    # The check needs the dpkg listing that ssh_get_info.nasl stores in the
    # knowledge base; audit() reports the reason and exits when it is absent.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only woody (3.0) is checked: per the advisory, potato ships no krb5.
    # Most entries share the krb5 fixed version; two entries in the table
    # (libkrb5-17-heimdal and ssh-krb5) carry their own version strings and
    # are kept at their original positions so the report order is unchanged.
    krb5_fixed = "1.2.4-5woody3";
    
    # deb_check()/deb_report_get() come from debian_package.inc; a true
    # return presumably means the package is installed below the reference
    # (fixed) version. Every hit bumps flag.
    flag = 0;
    foreach pkg (make_list(
      "krb5-admin-server", "krb5-clients", "krb5-doc", "krb5-ftpd", "krb5-kdc",
      "krb5-rsh-server", "krb5-telnetd", "krb5-user", "libkadm55"))
      if (deb_check(release:"3.0", prefix:pkg, reference:krb5_fixed)) flag++;
    if (deb_check(release:"3.0", prefix:"libkrb5-17-heimdal", reference:"0.4e-7.woody.4")) flag++;
    foreach pkg (make_list("libkrb5-dev", "libkrb53"))
      if (deb_check(release:"3.0", prefix:pkg, reference:krb5_fixed)) flag++;
    if (deb_check(release:"3.0", prefix:"ssh-krb5", reference:"3.4p1-0woody1")) flag++;
    
    # Nothing vulnerable found: audit() exits with the "not affected" reason.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # Report on the host (port 0); include the per-package detail only when
    # the scan's verbosity asks for it.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2002-073.NASL
    description: A stack-based buffer overflow in the implementation of the Kerberos v4 compatibility administration daemon (kadmind4) in the krb5 package can be exploited to gain unauthorized root access to a KDC host. Authentication to the daemon is not required to successfully perform the attack and according to MIT at least one exploit is known to exist. kadmind4 is used only by sites that require compatibility with legacy administrative clients, and sites that do not have these needs are likely not using kadmind4 and are not affected. MandrakeSoft encourages all users who use Kerberos to upgrade to these packages immediately. Update: The /etc/rc.d/init.d/kadmin initscript improperly pointed to a non-existent location for the kadmind binary. This update corrects the problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13973
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13973
    title: Mandrake Linux Security Advisory : krb5 (MDKSA-2002:073-1)
    code:
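    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # Local (rpm-based) check for Mandrake Linux Security Advisory
    # MDKSA-2002:073-1, the krb5 kadmind4 stack overflow (CVE-2002-1235).
    # The descriptive text and the package table were taken from the
    # advisory; that text is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration branch: executed when the scanner loads the plugin, never
    # during a scan of a host.
    if (description)
    {
      script_id(13973);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-1235");
      script_xref(name:"CERT", value:"875073");
      script_xref(name:"MDKSA", value:"2002:073-1");
    
      script_name(english:"Mandrake Linux Security Advisory : krb5 (MDKSA-2002:073-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "A stack-based buffer overflow in the implementation of the Kerberos v4
    compatibility administration daemon (kadmind4) in the krb5 package can
    be exploited to gain unauthorized root access to a KDC host.
    Authentication to the daemon is not required to successfully perform
    the attack and according to MIT at least one exploit is known to
    exist. kadmind4 is used only by sites that require compatibility with
    legacy administrative clients, and sites that do not have these needs
    are likely not using kadmind4 and are not affected.
    
    MandrakeSoft encourages all users who use Kerberos to upgrade to these
    packages immediately.
    
    Update :
    
    The /etc/rc.d/init.d/kadmin initscript improperly pointed to a
    non-existent location for the kadmind binary. This update corrects the
    problem."
      );
      # The shortened see_also URL resolves to the MIT advisory:
      # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?282e0fc0");
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ftp-client-krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ftp-server-krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:telnet-client-krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:telnet-server-krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/01/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # The check needs the rpm listing that ssh_get_info.nasl stores in the
    # knowledge base; audit() reports the reason and exits when it is absent.
    # The OS name in the AUDIT_OS_NOT message was misspelled ("Mandake");
    # it now matches the spelling used in the architecture audit below.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # The package table below only covers x86 builds.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    # The same eight krb5 binary packages are shipped for every release;
    # only the fixed version-release suffix differs (8.1 and 8.2 share one).
    krb5_pkgs = make_list(
      "ftp-client-krb5", "ftp-server-krb5", "krb5-devel", "krb5-libs",
      "krb5-server", "krb5-workstation", "telnet-client-krb5", "telnet-server-krb5"
    );
    
    # rpm_check()/rpm_report_get() come from rpm.inc; a true return presumably
    # means the package is installed below the reference version. Every hit
    # bumps flag. The reference is the full "<name>-<version>-<release>"
    # string, assembled here from the package name and the per-release suffix.
    flag = 0;
    foreach rel (make_list("MDK8.1", "MDK8.2"))
    {
      foreach pkg (krb5_pkgs)
      {
        if (rpm_check(release:rel, cpu:"i386", reference:strcat(pkg, "-1.2.2-17.3mdk"), yank:"mdk")) flag++;
      }
    }
    foreach pkg (krb5_pkgs)
    {
      if (rpm_check(release:"MDK9.0", cpu:"i386", reference:strcat(pkg, "-1.2.5-1.2mdk"), yank:"mdk")) flag++;
    }
    
    # Nothing vulnerable found: audit() exits with the "not affected" reason.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # Report on the host (port 0); include the per-package detail only when
    # the scan's verbosity asks for it.
    if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
    else security_hole(0);
    exit(0);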
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-184.NASL
    description: Tom Yu and Sam Hartman of MIT discovered another stack-based buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server. This kadmind bug has a working exploit code circulating, hence it is considered serious.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15021
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15021
    title: Debian DSA-184-1 : krb4 - buffer overflow
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2003-021.NASL
    description: Updated packages fix a vulnerability found in the Kerberos FTP client distributed with the Red Hat Linux Advanced Server krb5 packages. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1. For Advanced Workstation 2.1 these packages also fix CVE-2002-1235 as described in RHSA-2002:250. Kerberos is a network authentication system. A problem has been found in the Kerberos FTP client. When retrieving a file with a name beginning with a pipe character, the FTP client will pass the file name to the command shell in a system() call. This could allow a malicious FTP server to write to files outside of the current directory or execute commands as the user running the FTP client. The Kerberos FTP client runs as the default FTP client when the Kerberos package krb5-workstation is installed on a Red Hat Linux Advanced Server distribution. All users of Kerberos are advised to upgrade to these errata packages which contain a backported patch and are not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12353
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12353
    title: RHEL 2.1 : krb5 (RHSA-2003:021)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2002-250.NASL
    description: A remotely exploitable stack-based buffer overflow has been found in the Kerberos v4 compatibility administration daemon distributed with the Red Hat Linux krb5 packages. [Updated 09 Jan 2003] Added fixed packages for the Itanium (IA64) architecture. Kerberos is a network authentication system. A stack-based buffer overflow has been found in the implementation of the Kerberos v4 compatibility administration daemon (kadmind4), which is part of the MIT krb5 distribution. This vulnerability is present in version 1.2.6 and earlier of the MIT krb5 distribution and can be exploited to gain unauthorized root access to a KDC host. The attacker does not need to authenticate to the daemon to successfully perform this attack. kadmind4 is included in the Kerberos packages in Red Hat Linux Advanced Server but is not enabled or used by default. All users of Kerberos are advised to upgrade to these errata packages which contain a backported patch and are not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12331
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12331
    title: RHEL 2.1 : krb5 (RHSA-2002:250)

Redhat

advisories
rhsa
id: RHSA-2002:242