Vulnerabilities > CVE-2004-1189 - Out-Of-Bounds Write vulnerability in MIT Kerberos 5
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-629.NASL description A buffer overflow has been discovered in the MIT Kerberos 5 administration library (libkadm5srv) that could lead to the execution of arbitrary code upon exploitation by an authenticated user, not necessarily one with administrative privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 16112 published 2005-01-07 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16112 title Debian DSA-629-1 : krb5 - buffer overflow NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2005-007.NASL description The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied. This security update contains fixes for the following products : - Apache 2 - AppKit - Bluetooth - CoreFoundation - CUPS - Directory Services - HItoolbox - Kerberos - loginwindow - Mail - MySQL - OpenSSL - QuartzComposerScreenSaver - ping - Safari - SecurityInterface - servermgrd - servermgr_ipfilter - SquirelMail - traceroute - WebKit - WebLog Server - X11 - zlib last seen 2020-06-01 modified 2020-06-02 plugin id 19463 published 2005-08-18 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19463 title Mac OS X Multiple Vulnerabilities (Security Update 2005-007) NASL family Fedora Local Security Checks NASL id FEDORA_2004-563.NASL description A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This overflow in the password history handling code could allow an authenticated remote attacker to execute commands on a realm last seen 2020-06-01 modified 2020-06-02 plugin id 16028 published 2004-12-23 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16028 title Fedora Core 2 : krb5-1.3.6-1 (2004-563) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_0BB7677D52F311D9A9E70001020EED82.NASL description A MIT krb5 Security Advisory reports : The MIT Kerberos 5 administration library (libkadm5srv) contains a heap buffer overflow in password history handling code which could be exploited to execute arbitrary code on a Key Distribution Center (KDC) host. The overflow occurs during a password change of a principal with a certain password history state. An administrator must have performed a certain password policy change in order to create the vulnerable state. An authenticated user, not necessarily one with administrative privileges, could execute arbitrary code on the KDC host, compromising an entire Kerberos realm. last seen 2020-06-01 modified 2020-06-02 plugin id 18834 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/18834 title FreeBSD : krb5 -- heap buffer overflow vulnerability in libkadm5srv (0bb7677d-52f3-11d9-a9e7-0001020eed82) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-156.NASL description Michael Tautschnig discovered a heap buffer overflow in the history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server. The updated packages have been patched to prevent this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 16037 published 2004-12-23 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16037 title Mandrake Linux Security Advisory : krb5 (MDKSA-2004:156) NASL family Fedora Local Security Checks NASL id FEDORA_2004-564.NASL description A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This overflow in the password history handling code could allow an authenticated remote attacker to execute commands on a realm last seen 2020-06-01 modified 2020-06-02 plugin id 16029 published 2004-12-23 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16029 title Fedora Core 3 : krb5-1.3.6-2 (2004-564) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-045.NASL description Updated Kerberos (krb5) packages that correct a buffer overflow bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm last seen 2020-06-01 modified 2020-06-02 plugin id 17173 published 2005-02-22 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17173 title RHEL 4 : krb5 (RHSA-2005:045) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-012.NASL description Updated Kerberos (krb5) packages that correct buffer overflow and temporary file bugs are now available for Red Hat Enterprise Linux. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm last seen 2020-06-01 modified 2020-06-02 plugin id 16221 published 2005-01-19 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/16221 title RHEL 2.1 / 3 : krb5 (RHSA-2005:012) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-58-1.NASL description Michael Tautschnig discovered a possible buffer overflow in the add_to_history() function in the MIT Kerberos 5 implementation. Performing a password change did not properly track the password policy last seen 2020-06-01 modified 2020-06-02 plugin id 20676 published 2006-01-15 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20676 title Ubuntu 4.10 : krb5 vulnerability (USN-58-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200501-05.NASL description The remote host is affected by the vulnerability described in GLSA-200501-05 (mit-krb5: Heap overflow in libkadm5srv) The MIT Kerberos 5 administration library libkadm5srv contains a heap overflow in the code handling password changing. Impact : Under specific circumstances an attacker could execute arbitary code with the permissions of the user running mit-krb5, which could be the root user. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 16396 published 2005-02-14 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16396 title GLSA-200501-05 : mit-krb5: Heap overflow in libkadm5srv
Oval
| accepted | 2013-04-29T04:16:03.095-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:11911 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||
| rpms |
|
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000917
- http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
- http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
- http://marc.info/?l=bugtraq&m=110358420909358&w=2
- http://marc.info/?l=bugtraq&m=110548298407590&w=2
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:156
- http://www.redhat.com/support/errata/RHSA-2005-012.html
- http://www.redhat.com/support/errata/RHSA-2005-045.html
- http://www.trustix.org/errata/2004/0069
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18621
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11911