Vulnerabilities > CVE-2007-2798 - Out-of-bounds Write vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_41167.NASL description s700_800 11.23 KRB5-Client Version 1.0 Cumulative patch : Potential security vulnerabilities have been identified on HP-UX running Kerberos. These vulnerabilities could be exploited by remote unauthenticated users to create a Denial of Service (DoS) or to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 47148 published 2010-06-28 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47148 title HP-UX PHSS_41167 : HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code (HPSBUX02544 SSRT100107 rev.1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0562.NASL description Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux 4 and 5, glibc detects attempts to free invalid pointers. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 25580 published 2007-06-27 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25580 title CentOS 4 / 5 : krb5 (CESA-2007:0562) NASL family Solaris Local Security Checks NASL id SOLARIS10_120473.NASL description SunOS 5.10: libc nss ldap PAM zfs patch. Date this patch was last updated by Sun : Jul/11/07 last seen 2018-09-02 modified 2018-08-13 plugin id 25069 published 2007-04-19 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=25069 title Solaris 10 (sparc) : 120473-12 NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_41166.NASL description s700_800 11.11 KRB5-Client Version 1.0 cumulative patch : Potential security vulnerabilities have been identified on HP-UX running Kerberos. These vulnerabilities could be exploited by remote unauthenticated users to create a Denial of Service (DoS) or to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 47147 published 2010-06-28 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47147 title HP-UX PHSS_41166 : HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code (HPSBUX02544 SSRT100107 rev.1) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2007-137.NASL description David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who could access kadmind could trigger the flaw causing kadmind to crash or possibly execute arbitrary code (CVE-2007-2442). David Coffey also discovered an overflow flaw in the same RPC library. A remote unauthenticated attacker who could access kadmind could trigger the flaw causing kadmind to crash or possibly execute arbitrary code (CVE-2007-2443). Finally, a stack-based buffer overflow vulnerability was found in kadmind that allowed an unauthenticated user able to access kadmind the ability to trigger the vulnerability and possibly execute arbitrary code (CVE-2007-2798). Updated packages have been patched to prevent this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 25603 published 2007-06-27 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25603 title Mandrake Linux Security Advisory : krb5 (MDKSA-2007:137) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1323.NASL description Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2442 Wei Wang discovered that the free of an uninitialised pointer in the Kerberos RPC library may lead to the execution of arbitrary code. - CVE-2007-2443 Wei Wang discovered that insufficient input sanitising in the Kerberos RPC library may lead to the execution of arbitrary code. - CVE-2007-2798 It was discovered that a buffer overflow in the Kerberos administration daemon may lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 25628 published 2007-07-01 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25628 title Debian DSA-1323-1 : krb5 - several vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0384.NASL description Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash or potentially execute arbitrary code as root. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) For Red Hat Enterprise Linux 2.1, several portability bugs which would lead to unexpected crashes on the ia64 platform have also been fixed. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 25574 published 2007-06-27 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25574 title CentOS 3 : krb5 (CESA-2007:0384) NASL family Solaris Local Security Checks NASL id SOLARIS8_X86_110061.NASL description SEAM 1.0.1_x86: patch for Solaris 8_x86. Date this patch was last updated by Sun : Jul/27/07 last seen 2016-09-26 modified 2013-03-30 plugin id 23444 published 2006-11-06 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=23444 title Solaris 5.8 (x86) : 110061-22 NASL family Solaris Local Security Checks NASL id SOLARIS9_112925.NASL description SunOS 5.9: ktutil kdb5_util kadmin kadmin.local kadmind Patch. Date this patch was last updated by Sun : Nov/08/07 last seen 2020-06-01 modified 2020-06-02 plugin id 13524 published 2004-07-12 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13524 title Solaris 9 (sparc) : 112925-08 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0384.NASL description Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash or potentially execute arbitrary code as root. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) For Red Hat Enterprise Linux 2.1, several portability bugs which would lead to unexpected crashes on the ia64 platform have also been fixed. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 25604 published 2007-06-27 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25604 title RHEL 2.1 / 3 : krb5 (RHSA-2007:0384) NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_41168.NASL description s700_800 11.31 KRB5-Client Version 1.3.5.03 Cumulative patch : Potential security vulnerabilities have been identified on HP-UX running Kerberos. These vulnerabilities could be exploited by remote unauthenticated users to create a Denial of Service (DoS) or to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 47149 published 2010-06-28 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47149 title HP-UX PHSS_41168 : HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code (HPSBUX02544 SSRT100107 rev.1) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2007-0006.NASL description Problems addressed by these patches : I Arbitrary code execution and denial of service vulnerabilities This release fixes a security vulnerability that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. (CVE-2007-4496) This release fixes a denial of service vulnerability that could allow a guest operating system to cause a host process to become unresponsive or exit unexpectedly. (CVE-2007-4497) Thanks to Rafal Wojtczvk of McAfee for identifying and reporting these issues. II Hosted products DHCP security vulnerabilities addressed This release fixes several vulnerabilities in the DHCP server that could enable a specially crafted packets to gain system-level privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063) Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security Systems X-Force for discovering and researching these vulnerabilities. III Windows based hosted product vulnerability in IntraProcessLogging.dll and vielib.dll. This release fixes a security vulnerability that could allow a malicious remote user to exploit the library file IntraProcessLogging.dll to overwrite files in a system. (CVE-2007-4059) This release fixes a security vulnerability that could allow a malicious remote user to exploit the library file vielib.dll to overwrite files in a system. (CVE-2007-4155) Thanks to the Goodfellas Security Research Team for discovering and researching these vulnerabilities. IV Escalation of privileges on Windows hosted systems This release fixes a security vulnerability in which Workstation was starting registered Windows services in an insecure manner. This vulnerability could allow a malicious user to escalate user privileges. Thanks to Foundstone for discovering this vulnerability. V Potential denial of service using VMware Player This release fixes a problem that prevented VMware Player from launching. This problem was accompanied by the error message VMware Player unrecoverable error: (player) Exception 0xc0000005 (access violation) has occurred. VI ESX Service Console updates a. Service console package Samba, has been updated to address the following issues : Various bugs were found in NDR parsing, used to decode MS-RPC requests in Samba. A remote attacker could have sent carefully crafted requests causing a heap overflow, which may have led to the ability to execute arbitrary code on the server. (CVE-2007-2446) Unescaped user input parameters were being passed as arguments to /bin/sh. A remote, authenticated, user could have triggered this flaw and executed arbitrary code on the server. Additionally, this flaw could be triggered by a remote unauthenticated user if Samba was configured to use the non-default username map script option. (CVE-2007-2447) Thanks to the Samba developers, TippingPoint, and iDefense for identifying and reporting these issues. Note: These issues only affect the service console network, and are not remote vulnerabilities for ESX Server hosts that have been set up with the security best practices provided by VMware. http://www.vmware.com/resources/techresources/726 b. Updated bind package for the service console fixes a flaw with the way ISC BIND processed certain DNS query responses. ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. Under some circumstances, a malicious remote user could launch a Denial-of-Service attack on ESX Server hosts that had enabled DNSSEC validation. (CVE-2007-0494) Note: These issues only affect the service console network, and are not remote vulnerabilities for ESX Server hosts that have been set up with the security best practices provided by VMware. http://www.vmware.com/resources/techresources/726 c. This patch provides updated service console package krb5 update. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2007-2442, CVE-2007-2443, and CVE-2007-2798 to these security issues. Thanks to Wei Wang of McAfee Avert Labs discovered these vulnerabilities. Note: The VMware service console does not provide the kadmind binary, and is not affected by these issues, but a update has been provided for completeness. d. Service console update for vixie-cron This patch provides an updated service console package vixie-cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A denial of service issue was found in the way vixie-cron verified crontab file integrity. A local user with the ability to create a hardlink to /etc/crontab could potentially prevent vixie-cron from executing certain system cron jobs. (CVE-2007-1856) Thanks to Raphael Marichez for identifying this issue. e. Service console update for shadow-utils This patch provides an updated shadow-utils package. A new user last seen 2020-06-01 modified 2020-06-02 plugin id 40370 published 2009-07-27 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40370 title VMSA-2007-0006 : Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0562.NASL description From Red Hat Security Advisory 2007:0562 : Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux 4 and 5, glibc detects attempts to free invalid pointers. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 67535 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67535 title Oracle Linux 4 / 5 : krb5 (ELSA-2007-0562) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200707-11.NASL description The remote host is affected by the vulnerability described in GLSA-200707-11 (MIT Kerberos 5: Arbitrary remote code execution) kadmind is affected by multiple vulnerabilities in the RPC library shipped with MIT Kerberos 5. It fails to properly handle zero-length RPC credentials (CVE-2007-2442) and the RPC library can write past the end of the stack buffer (CVE-2007-2443). Furthermore kadmind fails to do proper bounds checking (CVE-2007-2798). Impact : A remote unauthenticated attacker could exploit these vulnerabilities to execute arbitrary code with root privileges. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 25793 published 2007-07-27 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25793 title GLSA-200707-11 : MIT Kerberos 5: Arbitrary remote code execution NASL family Fedora Local Security Checks NASL id FEDORA_2007-0740.NASL description This update incorporates fixes for a stack-based buffer overflow and heap corruption in the RPC library, and a fix for a potential stack-based buffer overflow in kadmind. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27678 published 2007-11-06 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27678 title Fedora 7 : krb5-1.6.1-2.1.fc7 (2007-0740) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0384.NASL description From Red Hat Security Advisory 2007:0384 : Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash or potentially execute arbitrary code as root. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) For Red Hat Enterprise Linux 2.1, several portability bugs which would lead to unexpected crashes on the ia64 platform have also been fixed. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 67503 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67503 title Oracle Linux 3 : krb5 (ELSA-2007-0384) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2007-007.NASL description The remote host is running a version of Mac OS X 10.4 or 10.3 which does not have the security update 2007-007 applied. This update contains several security fixes for the following programs : - bzip2 - CFNetwork - CoreAudio - cscope - gnuzip - iChat - Kerberos - mDNSResponder - PDFKit - PHP - Quartz Composer - Samba - SquirrelMail - Tomcat - WebCore - WebKit last seen 2020-06-01 modified 2020-06-02 plugin id 25830 published 2007-08-02 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25830 title Mac OS X Multiple Vulnerabilities (Security Update 2007-007) NASL family Scientific Linux Local Security Checks NASL id SL_20070626_KRB5_ON_SL5_X.NASL description David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. On Scientific Linux 4 and 5, glibc detects attempts to free invalid pointers. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Scientific Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) last seen 2020-06-01 modified 2020-06-02 plugin id 60219 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60219 title Scientific Linux Security Update : krb5 on SL5.x, SL4.x, SL3.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_KRB5-3820.NASL description This update fixes a stack-based buffer overflow in kadmind which can be exploited by authenticated remote users to gain root. (CVE-2007-2798) Additionally two bugs in the RPC library of kadmind were fixed that can lead to remote system compromise. (CVE-2007-2442, CVE-2007-2443) Note that third-party applications using the RPC library are vulnerable, too. last seen 2020-06-01 modified 2020-06-02 plugin id 27309 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27309 title openSUSE 10 Security Update : krb5 (krb5-3820) NASL family Scientific Linux Local Security Checks NASL id SL_20070626_KRB5_ON_SL3.NASL description David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash or potentially execute arbitrary code as root. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Scientific Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) last seen 2020-06-01 modified 2020-06-02 plugin id 60218 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60218 title Scientific Linux Security Update : krb5 on SL3.x i386/x86_64 NASL family Solaris Local Security Checks NASL id SOLARIS8_110060.NASL description SEAM 1.0.1: patch for Solaris 8. Date this patch was last updated by Sun : Jul/24/07 last seen 2017-10-29 modified 2013-03-30 plugin id 23323 published 2006-11-06 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=23323 title Solaris 5.8 (sparc) : 110060-22 NASL family SuSE Local Security Checks NASL id SUSE_KRB5-3821.NASL description This update fixes a stack-based buffer overflow in kadmind which can be exploited by authenticated remote users to gain root. (CVE-2007-2798) Additionally two bugs in the RPC library of kadmind were fixed that can lead to remote system compromise. (CVE-2007-2442 / CVE-2007-2443) Note that third-party applications using the RPC library are vulnerable, too. last seen 2020-06-01 modified 2020-06-02 plugin id 29493 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29493 title SuSE 10 Security Update : krb5 (ZYPP Patch Number 3821) NASL family Solaris Local Security Checks NASL id SOLARIS9_X86_116044.NASL description SunOS 5.9_x86: kadmind & kdb5_util patch. Date this patch was last updated by Sun : Aug/10/07 last seen 2020-06-01 modified 2020-06-02 plugin id 13624 published 2004-07-12 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13624 title Solaris 9 (x86) : 116044-04 NASL family Solaris Local Security Checks NASL id SOLARIS8_110061.NASL description SEAM 1.0.1_x86: patch for Solaris 8_x86. Date this patch was last updated by Sun : Jul/27/07 last seen 2016-09-26 modified 2013-03-30 plugin id 36315 published 2009-04-23 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=36315 title Solaris 5.8 (sparc) : 110061-22 NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-477-1.NASL description Wei Wang discovered that the krb5 RPC library did not correctly handle certain error conditions. A remote attacker could cause kadmind to free an uninitialized pointer, leading to a denial of service or possibly execution of arbitrary code with root privileges. (CVE-2007-2442) Wei Wang discovered that the krb5 RPC library did not correctly check the size of certain communications. A remote attacker could send a specially crafted request to kadmind and execute arbitrary code with root privileges. (CVE-2007-2443) It was discovered that the kadmind service could be made to overflow its stack. A remote attacker could send a specially crafted request and execute arbitrary code with root privileges. (CVE-2007-2798). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 28078 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28078 title Ubuntu 6.06 LTS / 6.10 / 7.04 : krb5 vulnerabilities (USN-477-1) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_120037.NASL description SunOS 5.10_x86: libc nss ldap PAM zfs patc. Date this patch was last updated by Sun : Jul/17/07 last seen 2018-09-01 modified 2018-08-13 plugin id 24384 published 2007-02-18 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=24384 title Solaris 10 (x86) : 120037-22 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0562.NASL description Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux 4 and 5, glibc detects attempts to free invalid pointers. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 25611 published 2007-06-27 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25611 title RHEL 4 / 5 : krb5 (RHSA-2007:0562)
Oval
accepted 2007-11-16T08:14:19.297-05:00 class vulnerability contributors name Nicholas Hansen organization Opsware, Inc. name Nicholas Hansen organization Opsware, Inc.
definition_extensions comment Solaris 8 (SPARC) is installed oval oval:org.mitre.oval:def:1539 comment Solaris 8 (x86) is installed oval oval:org.mitre.oval:def:2059 comment Solaris 9 (SPARC) is installed oval oval:org.mitre.oval:def:1457 comment Solaris 9 (x86) is installed oval oval:org.mitre.oval:def:1683 comment Solaris 10 (SPARC) is installed oval oval:org.mitre.oval:def:1440 comment Solaris 10 (x86) is installed oval oval:org.mitre.oval:def:1926
description Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. family unix id oval:org.mitre.oval:def:1726 status accepted submitted 2007-06-28T09:00:00.000-04:00 title Security Vulnerability in the Kerberos Administration Daemon (kadmind(1M)) May Lead to Arbitrary Code Execution version 36 accepted 2015-04-20T04:02:34.917-04:00 class vulnerability contributors name Chandan M C organization Hewlett-Packard name Sushant Kumar Singh organization Hewlett-Packard name Sushant Kumar Singh organization Hewlett-Packard name Prashant Kumar organization Hewlett-Packard name Mike Cokus organization The MITRE Corporation
description Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. family unix id oval:org.mitre.oval:def:7550 status accepted submitted 2010-10-25T11:35:23.000-05:00 title HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code version 47 accepted 2013-04-29T04:24:00.367-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 3 oval oval:org.mitre.oval:def:11782 comment CentOS Linux 3.x oval oval:org.mitre.oval:def:16651 comment The operating system installed on the system is Red Hat Enterprise Linux 4 oval oval:org.mitre.oval:def:11831 comment CentOS Linux 4.x oval oval:org.mitre.oval:def:16636 comment Oracle Linux 4.x oval oval:org.mitre.oval:def:15990 comment The operating system installed on the system is Red Hat Enterprise Linux 5 oval oval:org.mitre.oval:def:11414 comment The operating system installed on the system is CentOS Linux 5.x oval oval:org.mitre.oval:def:15802 comment Oracle Linux 5.x oval oval:org.mitre.oval:def:15459
description Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. family unix id oval:org.mitre.oval:def:9996 status accepted submitted 2010-07-09T03:56:16-04:00 title Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. version 27
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | CVE(CAN) ID: CVE-2004-0996,CVE-2004-2541,CVE-2005-0758,CVE-2005-3128,CVE-2006-2842,CVE-2006-3174,CVE-2006-4019,CVE-2006-6142,CVE-2007-0450,CVE-2007-0478,CVE-2007-1001,CVE-2007-1262,CVE-2007-1358,CVE-2007-1460,CVE-2007-1461,CVE-2007-1484,CVE-2007-1521,CVE-2007-1583,CVE-2007-1711,CVE-2007-1717,CVE-2007-1860,CVE-2007-2403,CVE-2007-2404,CVE-2007-2405,CVE-2007-2406,CVE-2007-2407,CVE-2007-2408,CVE-2007-2409,CVE-2007-2410,CVE-2007-2442,CVE-2007-2443,CVE-2007-2446,CVE-2007-2447,CVE-2007-2589,CVE-2007-2798,CVE-2007-3742,CVE-2007-3744,CVE-2007-3745,CVE-2007-3746,CVE-2007-3747,CVE-2007-3748,CVE-2007-3944 Mac OS X是苹果家族计算机所使用的操作系统。 Apple 2007-007安全更新修复了Mac OS X中的多个安全漏洞,远程或本地攻击者可能利用这些漏洞造成多种威胁。 具体条目包括: * CVE-2005-0758 bzgrep在处理畸形文件名时存在漏洞,攻击者通过诱使用户bzgrep恶意文件执行任意指令。 * CVE-2007-2403 Mac OS X在处理FTP URI时存在漏洞,攻击者可以诱使用户处理恶意FTP URI的用户在当前FTP会话中执行任意命令。 * CVE-2007-2404 CFNetwork处理HTTP回应数据时易受数据分割攻击的影响,可能导致跨站脚本执行。 * CVE-2007-3745 CoreAudio的Java接口允许释放任意的内存地址,远程攻击者可能利用此漏洞通过诱使用户访问一个恶意网页控制用户系统。 * CVE-2007-3746 CoreAudio的Java接口存在堆块边界访问漏洞,远程攻击者可能利用此漏洞通过诱使用户访问一个恶意网页控制用户系统。 * CVE-2007-3747 CoreAudio的Java接口允许在堆块以外的内存初始化或操作对象,远程攻击者可能利用此漏洞通过诱使用户访问一个恶意网页控制用户系统。 * CVE-2004-0996,CVE-2004-2541 Cscope存在多个漏洞,包括缓冲区溢出和不安全的方式创建临时文件,可能导致远程攻击者控制系统。 * CVE-2005-0758 zgrep在处理畸形文件名时存在漏洞,攻击者通过诱使用户zgrep恶意文件执行任意指令。 * CVE-2007-3748 iChat使用的UPnP IGD代码实现上存在缓冲区溢出漏洞,本地网络上的远程攻击者可能利用此漏洞导致拒绝服务或执行任意指令。 * CVE-2007-2442,CVE-2007-2443,CVE-2007-2798 MIT Kerberos kadmind实现上存在多个漏洞,攻击者可能利用这些漏洞导致拒绝服务或执行任意指认。 * CVE-2007-3744 mDNSResponder使用的UPnP IGD代码实现上存在缓冲区溢出漏洞,本地网络上的远程攻击者可能利用此漏洞导致拒绝服务或执行任意指令。 * CVE-2007-2405 Preview处理PDF文件的实现上存在整数溢出漏洞,攻击者可能利用此漏洞诱使用户处理恶意PDF文件控制用户系统。 * CVE-2007-1001,CVE-2007-1287,CVE-2007-1460,CVE-2007-1461,CVE-2007-1484,CVE-2007-1521,CVE-2007-1583,CVE-2007-1711,CVE-2007-1717 PHP的实现上存在多个漏洞,可能导致各种攻击。 * CVE-2007-2406 Quartz Composer实现上存在未初始化对象指针处理漏洞,攻击者可能诱使用户处理恶意文件控制用户系统。 * CVE-2007-2446 Samba的实现在处理畸形的RPC请求时存在堆缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制服务器。 * CVE-2007-2447 Samba的实现在处理畸形RPC请求时存在命令注入漏洞,远程攻击者可能利用此漏洞在服务器上执行任意命令。 * CVE-2007-2407 Samba的实现没有正确地处理权限的丢弃,导致磁盘限额绕过。 * CVE-2005-3128,CVE-2006-2842,CVE-2006-3174,CVE-2006-4019,CVE-2006-6142,CVE-2007-1262,CVE-2007-2589 SquirrelMail的实现上存在多个漏洞,可能导致跨站脚本执行。 * CVE-2005-2090,CVE-2007-0450,CVE-2007-1358,CVE-2007-1860 Tomcat实现上存在多个漏洞,可能导致跨站脚本执行和信息泄露。 * CVE-2007-2408 WebCore软件包实现上存在漏洞,可能导致不期望的Java applet执行。 * CVE-2007-0478 WebCore软件包在处理HTML标题的代码上存在漏洞,允许远程用户插入代码。 * CVE-2007-2409,CVE-2007-2410 WebCore软件包的实现上存在漏洞,可能导致浏览器信息泄露。 * CVE-2007-3742 WebKit软件包实现上存在漏洞,可能导致域名欺骗。 * CVE-2007-3944 Safari的JavaScript引擎使用的PCRE库实现上存在堆溢出漏洞,远程攻击者可能利用此漏洞通过诱使用户访问恶意网页控制用户系统。 Apple MacOS X 厂商补丁: Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://docs.info.apple.com/article.html?artnum=306172" target="_blank">http://docs.info.apple.com/article.html?artnum=306172</a> |
| id | SSV:2062 |
| last seen | 2017-11-19 |
| modified | 2007-08-02 |
| published | 2007-08-02 |
| reporter | Root |
| title | Mac OS X 2007-007更新修复多个安全漏洞 |
References
- ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc
- ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc
- http://docs.info.apple.com/article.html?artnum=306172
- http://docs.info.apple.com/article.html?artnum=306172
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02257427
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02257427
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02257427
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02257427
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=548
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=548
- http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
- http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html
- http://osvdb.org/36595
- http://osvdb.org/36595
- http://secunia.com/advisories/25800
- http://secunia.com/advisories/25800
- http://secunia.com/advisories/25801
- http://secunia.com/advisories/25801
- http://secunia.com/advisories/25814
- http://secunia.com/advisories/25814
- http://secunia.com/advisories/25821
- http://secunia.com/advisories/25821
- http://secunia.com/advisories/25870
- http://secunia.com/advisories/25870
- http://secunia.com/advisories/25875
- http://secunia.com/advisories/25875
- http://secunia.com/advisories/25888
- http://secunia.com/advisories/25888
- http://secunia.com/advisories/25890
- http://secunia.com/advisories/25890
- http://secunia.com/advisories/25894
- http://secunia.com/advisories/25894
- http://secunia.com/advisories/25911
- http://secunia.com/advisories/25911
- http://secunia.com/advisories/26033
- http://secunia.com/advisories/26033
- http://secunia.com/advisories/26228
- http://secunia.com/advisories/26228
- http://secunia.com/advisories/26235
- http://secunia.com/advisories/26235
- http://secunia.com/advisories/26909
- http://secunia.com/advisories/26909
- http://secunia.com/advisories/27706
- http://secunia.com/advisories/27706
- http://secunia.com/advisories/40346
- http://secunia.com/advisories/40346
- http://security.gentoo.org/glsa/glsa-200707-11.xml
- http://security.gentoo.org/glsa/glsa-200707-11.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102985-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102985-1
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
- http://www.debian.org/security/2007/dsa-1323
- http://www.debian.org/security/2007/dsa-1323
- http://www.kb.cert.org/vuls/id/554257
- http://www.kb.cert.org/vuls/id/554257
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:137
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:137
- http://www.novell.com/linux/security/advisories/2007_38_krb5.html
- http://www.novell.com/linux/security/advisories/2007_38_krb5.html
- http://www.redhat.com/support/errata/RHSA-2007-0384.html
- http://www.redhat.com/support/errata/RHSA-2007-0384.html
- http://www.redhat.com/support/errata/RHSA-2007-0562.html
- http://www.redhat.com/support/errata/RHSA-2007-0562.html
- http://www.securityfocus.com/archive/1/472289/100/0/threaded
- http://www.securityfocus.com/archive/1/472289/100/0/threaded
- http://www.securityfocus.com/archive/1/472432/100/0/threaded
- http://www.securityfocus.com/archive/1/472432/100/0/threaded
- http://www.securityfocus.com/archive/1/472507/30/5970/threaded
- http://www.securityfocus.com/archive/1/472507/30/5970/threaded
- http://www.securityfocus.com/bid/24653
- http://www.securityfocus.com/bid/24653
- http://www.securityfocus.com/bid/25159
- http://www.securityfocus.com/bid/25159
- http://www.securitytracker.com/id?1018295
- http://www.securitytracker.com/id?1018295
- http://www.trustix.org/errata/2007/0021/
- http://www.trustix.org/errata/2007/0021/
- http://www.ubuntu.com/usn/usn-477-1
- http://www.ubuntu.com/usn/usn-477-1
- http://www.us-cert.gov/cas/techalerts/TA07-177A.html
- http://www.us-cert.gov/cas/techalerts/TA07-177A.html
- http://www.vupen.com/english/advisories/2007/2337
- http://www.vupen.com/english/advisories/2007/2337
- http://www.vupen.com/english/advisories/2007/2370
- http://www.vupen.com/english/advisories/2007/2370
- http://www.vupen.com/english/advisories/2007/2491
- http://www.vupen.com/english/advisories/2007/2491
- http://www.vupen.com/english/advisories/2007/2732
- http://www.vupen.com/english/advisories/2007/2732
- http://www.vupen.com/english/advisories/2007/3229
- http://www.vupen.com/english/advisories/2007/3229
- http://www.vupen.com/english/advisories/2010/1574
- http://www.vupen.com/english/advisories/2010/1574
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35080
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35080
- https://issues.rpath.com/browse/RPL-1499
- https://issues.rpath.com/browse/RPL-1499
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1726
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1726
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7550
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7550
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9996
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9996
- https://secure-support.novell.com/KanisaPlatform/Publishing/327/3675615_f.SAL_Public.html
- https://secure-support.novell.com/KanisaPlatform/Publishing/327/3675615_f.SAL_Public.html