Vulnerabilities > CVE-2003-0060 - Unspecified vulnerability in MIT Kerberos 5

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
mit
nessus

Summary

Format string vulnerabilities in the logging routines for MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in Kerberos principal names.

Vulnerable Configurations

Part Description Count
Application
Mit
4

Nessus

  • NASL familyMisc.
    NASL idKERBEROS5_ISSUES.NASL
    descriptionThe remote host is running Kerberos 5. There are multiple flaws that affect this product. Make sure you are running the latest version with the latest patches. Note that Nessus could not check for any of the flaws and solely relied on the presence of the service to issue an alert, so this might be a false positive.
    last seen2020-06-01
    modified2020-06-02
    plugin id11512
    published2003-04-03
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11512
    titleKerberos 5 < 1.3.5 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # This script simply attempts to log into the realm FR.NESSUS.ORG
    # with a username of "whatever". It does not check for any flaw (which
    # is bad), but that may change in the future.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11512);
     script_version("1.26");
     script_cvs_date("Date: 2018/07/12 19:01:16");
    
     script_cve_id(
       "CVE-2002-0036",
       "CVE-2003-0059",
       "CVE-2003-0060",
       "CVE-2003-0072",
       "CVE-2003-0082",
       "CVE-2003-0138",
       "CVE-2003-0139",
       "CVE-2004-0642",
       "CVE-2004-0643",
       "CVE-2004-0644",
       "CVE-2004-0772"
    );
     script_bugtraq_id(
       6712,
       6713,
       6714,
       7184,
       7185,
       11078,
       11079
    );
     script_xref(name:"RHSA", value:"2003:091-01");
    
     script_name(english:"Kerberos 5 < 1.3.5 Multiple Vulnerabilities");
     script_summary(english:"Check for kerberos");
    
     script_set_attribute(attribute:"synopsis", value:
    "It may be possible to execute arbitrary code on the remote Kerberos
    server.");
     script_set_attribute(attribute:"description", value:
    "The remote host is running Kerberos 5.
    
    There are multiple flaws that affect this product. Make sure you are
    running the latest version with the latest patches.
    
    Note that Nessus could not check for any of the flaws and solely
    relied on the presence of the service to issue an alert, so this might
    be a false positive.");
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?34bb0fc8");
     script_set_attribute(attribute:"solution", value:"Upgrade to Kerberos 5 (krb5) 1.3.5 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(119);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/31");
     script_set_attribute(attribute:"patch_publication_date", value:"2004/08/31");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/04/03");
    
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
    
     script_require_keys("Settings/ParanoidReport");
    
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    name = "whatever";
    
    len = strlen(name);
    #len = 1024;
    if(len > 256)
    {
     len = raw_string(0x82, len / 256, len % 256);
    #len = raw_string(0x84, 0x7F, 0xFF, 0xFF, 0xFF);
    }
    else len = raw_string(len % 256);
    
    pk_lenE = 12 + strlen(name);
    if(strlen(name) > 256)
     pk_lenE = raw_string(0x82, pk_lenE / 256, pk_lenE % 256);
    else
     pk_lenE = raw_string( pk_lenE % 256);
    
    
    pk_lenD = 186 + strlen(name);
    if(strlen(name) > 256)pk_lenD += 14;
    if(pk_lenD > 256)
     pk_lenD = raw_string(0x82, pk_lenD / 256, pk_lenD % 256);
    else
     pk_lenD = raw_string(0x81, pk_lenD % 256);
    
    
    
    pk_lenC = 183 + strlen(name);
    if(strlen(name) > 256)pk_lenC += 12;
    if(pk_lenC > 256)
     pk_lenC = raw_string(0x82, pk_lenC / 256, pk_lenC % 256);
    else
     pk_lenC = raw_string(0x81, pk_lenC % 256);
    
    
    pk_lenB = 170 + strlen(name);
    if(strlen(name) > 256)pk_lenB += 10;
    if(pk_lenB > 256)
     pk_lenB = raw_string(0x82, pk_lenB / 256, pk_lenB % 256);
    else
     pk_lenB = raw_string(0x81, pk_lenB % 256);
    
    
    pk_lenA = 167 + strlen(name);
    if(strlen(name) > 256)pk_lenA += 8;
    if(pk_lenA > 256)
     pk_lenA = raw_string(0x82, pk_lenA / 256, pk_lenA % 256);
    else
     pk_lenA = raw_string(0x81, pk_lenA % 256);
    
    
    pk_len0 = 11 + strlen(name);
    if(strlen(name) > 256) pk_len0 += 6;
    if(pk_len0 > 256)
    {
     pk_len0 = raw_string(0x82, pk_len0 / 256, pk_len0 % 256);
    }
    else pk_len0 = raw_string(pk_len0 % 256);
    
    pk_len1 = 4 + strlen(name);
    if(strlen(name) > 256) pk_len1 += 4;
    if(pk_len1 > 256)
    {
     pk_len1 = raw_string(0x82, pk_len1 / 256, pk_len1 % 256);
    }
    else pk_len1 = raw_string(pk_len1 % 256);
    
    pk_len2 = 2 + strlen(name);
    if(strlen(name) > 256) pk_len2 += 2;
    
    if(pk_len2 > 256)
    {
     pk_len2 = raw_string(0x82, pk_len2 / 256, pk_len2 % 256);
    }
    else pk_len2 = raw_string(pk_len2 % 256);
    
    
    
    req = raw_string(
    		 0x6A) + pk_lenD + raw_string(0x30)+ pk_lenC + raw_string(0xA1, 0x03,
    		 0x02, 0x01, 0x05, 0xA2, 0x03,
    		 0x02, 0x01, 0x0A, 0xA4) + pk_lenB + raw_string(0x30) + pk_lenA +
    		 raw_string(
    		 0xA0, 0x07, 0x03, 0x05, # ??
    		 0x00, 0x00, 0x00, 0x00, 0x00, 0xA1)+ pk_lenE + raw_string(
    		 0x30) + pk_len0 + raw_string(0xA0, 0x03,
    		 0x02, 0x01, 0x01,
    		 0xA1) + pk_len1 + raw_string( 0x30) + pk_len2 +
    		 raw_string(0x1B) + len + name + raw_string(
    		 0xA2, 0x0F, 0x1B, 0x0D,
    		 0x46, 0x52, 0x2E, 0x4E, 0x45, 0x53, 0x53, 0x55,
    		 0x53, 0x2E, 0x4F, 0x52, 0x47, 0xA3, 0x22, 0x30,
    		 0x20, 0xA0, 0x03, 0x02, 0x01, 0x00, 0xA1, 0x19,
    		 0x30, 0x17, 0x1B, 0x06, 0x6B, 0x72, 0x62, 0x74,
    		 0x67, 0x74, 0x1B, 0x0D, 0x46, 0x52, 0x2E, 0x4E,
    		 0x45, 0x53, 0x53, 0x55, 0x53, 0x2E, 0x4F, 0x52,
    		 0x47, 0xA4, 0x11, 0x18, 0x0F, 0x32, 0x30, 0x30,
    		 0x33, 0x30, 0x34, 0x30, 0x33, 0x31, 0x32, 0x35,
    		 0x37, 0x33, 0x38, 0x5A, 0xA5, 0x11, 0x18, 0x0F,
    		 0x32, 0x30, 0x30, 0x33, 0x30, 0x34, 0x30, 0x33,
    		 0x32, 0x32, 0x35, 0x37, 0x33, 0x38, 0x5A, 0xA7,
    		 0x06, 0x02, 0x04, 0x3E, 0x8c, 0x2f, 0xC2, 0xA8,
    		 0x08, 0x30, 0x06, 0x02, 0x01, 0x10, 0x02, 0x01,
    		 0x01, 0xA9, 0x20, 0x30, 0x1E, 0x30, 0x0D, 0xA0,
    		 0x03, 0x02, 0x01, 0x02, 0xA1, 0x06, 0x04, 0x04,
    		 0x0A, 0xA3, 0x9c, 0x12, 0x30, 0x0D, 0xA0, 0x03,
    		 0x02, 0x01, 0x02, 0xA1, 0x06, 0x04, 0x04, 0x0A,
    		 0xA3, 0x9F, 0x01);
    
    
    foreach port (make_list(88, 750))
    if (get_udp_port_state(port))
    {
     soc = open_sock_udp(port);
     send(socket:soc, data:req);
     r = recv(socket:soc, length:4096);
     close(soc);
    
     if(strlen(r) > 10 && ord(r[10]) == 5)
     {
     security_hole(port:port, proto:"udp");
     }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2003-052.NASL
    descriptionUpdated kerberos packages fix a number of vulnerabilities found in MIT Kerberos. Kerberos is a network authentication system. The MIT Kerberos team released an advisory describing a number of vulnerabilities that affect the kerberos packages shipped by Red Hat. An integer signedness error in the ASN.1 decoder before version 1.2.5 allows remote attackers to cause a denial of service via a large unsigned data element length, which is later used as a negative value. The Common Vulnerabilities and Exposures project has assigned the name CVE-2002-0036 to this issue. The Key Distribution Center (KDC) before version 1.2.5 allows remote, authenticated, attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that : - causes a NULL pointer dereference (CVE-2003-0058). - causes the KDC to corrupt its heap (CVE-2003-0082). A vulnerability in Kerberos before version 1.2.3 allows users from one realm to impersonate users in other realms that have the same inter-realm keys (CVE-2003-0059). The MIT advisory for these issues also mentions format string vulnerabilities in the logging routines (CVE-2003-0060). Previous versions of the kerberos packages from Red Hat already contain fixes for this issue. Vulnerabilities have been found in the implementation of support for triple-DES keys in the implementation of the Kerberos IV authentication protocol included in MIT Kerberos (CVE-2003-0139). Vulnerabilities have been found in the Kerberos IV authentication protocol which allow an attacker with knowledge of a cross-realm key that is shared with another realm to impersonate any principal in that realm to any service in that realm. This vulnerability can only be closed by disabling cross-realm authentication in Kerberos IV (CVE-2003-0138). Vulnerabilities have been found in the RPC library used by the kadmin service in Kerberos 5. A faulty length check in the RPC library exposes kadmind to an integer overflow which can be used to crash kadmind (CVE-2003-0028). All users of Kerberos are advised to upgrade to these errata packages, which disable cross-realm authentication by default for Kerberos IV and which contain backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id12364
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12364
    titleRHEL 2.1 : krb5 (RHSA-2003:052)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:052. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12364);
      script_version ("1.32");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2002-0036", "CVE-2003-0028", "CVE-2003-0058", "CVE-2003-0059", "CVE-2003-0072", "CVE-2003-0082", "CVE-2003-0138", "CVE-2003-0139", "CVE-2004-0772");
      script_xref(name:"RHSA", value:"2003:052");
    
      script_name(english:"RHEL 2.1 : krb5 (RHSA-2003:052)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kerberos packages fix a number of vulnerabilities found in MIT
    Kerberos.
    
    Kerberos is a network authentication system. The MIT Kerberos team
    released an advisory describing a number of vulnerabilities that
    affect the kerberos packages shipped by Red Hat.
    
    An integer signedness error in the ASN.1 decoder before version 1.2.5
    allows remote attackers to cause a denial of service via a large
    unsigned data element length, which is later used as a negative value.
    The Common Vulnerabilities and Exposures project has assigned the name
    CVE-2002-0036 to this issue.
    
    The Key Distribution Center (KDC) before version 1.2.5 allows remote,
    authenticated, attackers to cause a denial of service (crash) on KDCs
    within the same realm via a certain protocol request that :
    
      - causes a NULL pointer dereference (CVE-2003-0058).
    
      - causes the KDC to corrupt its heap (CVE-2003-0082).
    
    A vulnerability in Kerberos before version 1.2.3 allows users from one
    realm to impersonate users in other realms that have the same
    inter-realm keys (CVE-2003-0059).
    
    The MIT advisory for these issues also mentions format string
    vulnerabilities in the logging routines (CVE-2003-0060). Previous
    versions of the kerberos packages from Red Hat already contain fixes
    for this issue.
    
    Vulnerabilities have been found in the implementation of support for
    triple-DES keys in the implementation of the Kerberos IV
    authentication protocol included in MIT Kerberos (CVE-2003-0139).
    
    Vulnerabilities have been found in the Kerberos IV authentication
    protocol which allow an attacker with knowledge of a cross-realm key
    that is shared with another realm to impersonate any principal in that
    realm to any service in that realm. This vulnerability can only be
    closed by disabling cross-realm authentication in Kerberos IV
    (CVE-2003-0138).
    
    Vulnerabilities have been found in the RPC library used by the kadmin
    service in Kerberos 5. A faulty length check in the RPC library
    exposes kadmind to an integer overflow which can be used to crash
    kadmind (CVE-2003-0028).
    
    All users of Kerberos are advised to upgrade to these errata packages,
    which disable cross-realm authentication by default for Kerberos IV
    and which contain backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0036"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0028"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0058"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0059"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0072"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0082"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0138"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0139"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0772"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt"
      );
      # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?49b852e4"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt"
      );
      # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d4ced782"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2003:052"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/02/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/03/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2003:052";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-devel-1.2.2-24")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-libs-1.2.2-24")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-server-1.2.2-24")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-workstation-1.2.2-24")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-server / krb5-workstation");
      }
    }