Vulnerabilities > CVE-2007-4000 - Access of Uninitialized Pointer vulnerability in multiple products

CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-690.NASL
    descriptionThis update incorporates fixes for a stack overflow in the rpcsec_gss implementation in libgssrpc (CVE-2007-3999) and a potential write through an uninitialized pointer in kadmind (CVE-2007-4000). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id25980
    published2007-09-05
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25980
    titleFedora Core 6 : krb5-1.5-22.fc6 (2007-690)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2007-690.
    #
    
    include("compat.inc");
    
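    if (description)
    {
      # Registration block: plugin identity and metadata only. The package
      # checks themselves run after the exit(0) at the end of this block.
      script_id(25980);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:26");
    
      # Both CVEs addressed by Fedora advisory 2007-690 (named in the
      # description text below). Without this call the plugin is only
      # correlated to the FEDORA advisory id, not to the CVE identifiers.
      script_cve_id("CVE-2007-3999", "CVE-2007-4000");
      script_xref(name:"FEDORA", value:"2007-690");
    
      script_name(english:"Fedora Core 6 : krb5-1.5-22.fc6 (2007-690)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      # Description text is the Fedora advisory, reproduced verbatim.
      script_set_attribute(
        attribute:"description", 
        value:
    "This update incorporates fixes for a stack overflow in the rpcsec_gss
    implementation in libgssrpc (CVE-2007-3999) and a potential write
    through an uninitialized pointer in kadmind (CVE-2007-4000).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2007-September/003625.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d7d8207b"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_attribute(attribute:"risk_factor", value:"High");
    
      # Products the check applies to: the krb5 sub-packages of Fedora Core 6.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:6");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/09/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      # "Host/cpu" is read by the package checks (they audit with
      # AUDIT_UNKNOWN_ARCH when it is absent), so it is required here as
      # well, matching the RHSA-2007:0858 plugin for the same CVEs.
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }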
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Local checks must be enabled and the target must identify as Fedora.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    rh_release = get_kb_item("Host/RedHat/release");
    if (isnull(rh_release) || "Fedora" >!< rh_release)
    {
      audit(AUDIT_OS_NOT, "Fedora");
    }
    
    # The fixed builds checked below are Fedora Core 6 packages.
    ver_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:rh_release);
    if (isnull(ver_match))
    {
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    }
    fedora_ver = ver_match[1];
    if (! ereg(pattern:"^6([^0-9]|$)", string:fedora_ver))
    {
      audit(AUDIT_OS_NOT, "Fedora 6.x", "Fedora " + fedora_ver);
    }
    
    if (!get_kb_item("Host/RedHat/rpm-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # Package checks are implemented for x86 and x86_64 only.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch))
    {
      audit(AUDIT_UNKNOWN_ARCH);
    }
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$")
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);
    }
    
    # Count installed krb5 sub-packages older than the fixed build.
    fixed_pkgs = make_list(
      "krb5-debuginfo-1.5-22.fc6",
      "krb5-devel-1.5-22.fc6",
      "krb5-libs-1.5-22.fc6",
      "krb5-server-1.5-22.fc6",
      "krb5-workstation-1.5-22.fc6"
    );
    vuln_count = 0;
    foreach fixed_pkg (fixed_pkgs)
    {
      if (rpm_check(release:"FC6", reference:fixed_pkg)) vuln_count++;
    }
    
    if (vuln_count)
    {
      # Verbose reports carry the per-package comparison.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
    # Nothing vulnerable: distinguish "checked and fixed" from "not installed".
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-debuginfo / krb5-devel / krb5-libs / krb5-server / etc");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2007-0858.NASL
    descriptionUpdated krb5 packages that fix two security flaws are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. Tenable Network Security discovered a stack-based buffer overflow flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. (CVE-2007-3999) Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-4000) These issues did not affect the versions of Kerberos distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id25987
    published2007-09-05
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/25987
    titleRHEL 5 : krb5 (RHSA-2007:0858)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2007:0858. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      # Plugin identity.
      script_id(25987);
      script_version("1.34");
      script_cvs_date("Date: 2019/10/25 13:36:12");
      script_name(english:"RHEL 5 : krb5 (RHSA-2007:0858)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      # Vulnerability and advisory references.
      script_cve_id("CVE-2007-3999", "CVE-2007-4000");
      script_bugtraq_id(25534);
      script_xref(name:"RHSA", value:"2007:0858");
      script_xref(name:"TRA", value:"TRA-2007-07");
    
      # Report text; the description is the Red Hat advisory reproduced verbatim.
      script_set_attribute(attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "Updated krb5 packages that fix two security flaws are now available
    for Red Hat Enterprise Linux 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    Kerberos is a network authentication system which allows clients and
    servers to authenticate to each other through use of symmetric
    encryption and a trusted third party, the KDC. kadmind is the KADM5
    administration server.
    
    Tenable Network Security discovered a stack-based buffer overflow flaw
    in the RPC library used by kadmind. A remote unauthenticated attacker
    who can access kadmind could trigger this flaw and cause kadmind to
    crash. On Red Hat Enterprise Linux 5 it is not possible to exploit
    this flaw to run arbitrary code as the overflow is blocked by
    FORTIFY_SOURCE. (CVE-2007-3999)
    
    Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A
    remote unauthenticated attacker who can access kadmind could trigger
    this flaw and cause kadmind to crash. (CVE-2007-4000)
    
    These issues did not affect the versions of Kerberos distributed with
    Red Hat Enterprise Linux 2.1, 3, or 4.
    
    Users of krb5-server are advised to update to these erratum packages
    which contain backported fixes to correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-3999");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-4000");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2007:0858");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2007-07");
    
      # Severity and exploitability metadata.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 119, 264);
    
      # Affected products and publication dates.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/09/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/09/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      # Scheduling: runs after ssh_get_info.nasl populated the KB keys used below.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Local checks must be enabled and the target must be RHEL 5.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    rh_release = get_kb_item("Host/RedHat/release");
    if (isnull(rh_release) || "Red Hat" >!< rh_release)
    {
      audit(AUDIT_OS_NOT, "Red Hat");
    }
    ver_match = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:rh_release);
    if (isnull(ver_match))
    {
      audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    }
    rhel_ver = ver_match[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:rhel_ver))
    {
      audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + rhel_ver);
    }
    
    if (!get_kb_item("Host/RedHat/rpm-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # Package checks exist for x86, x86_64 and s390 only.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch))
    {
      audit(AUDIT_UNKNOWN_ARCH);
    }
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$" && "s390" >!< arch)
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", arch);
    }
    
    updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(updateinfo)) 
    {
      # Preferred path: yum updateinfo data names the advisory directly.
      advisory = "RHSA-2007:0858";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:advisory);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(port:0, severity:SECURITY_HOLE, extra:yum_report);
        exit(0);
      }
      audit(AUDIT_OS_NOT, "affected by Red Hat security advisory " + advisory);
    }
    else
    {
      # Fallback: compare installed rpm versions against the fixed builds.
      vuln_count = 0;
      foreach fixed_pkg (make_list("krb5-devel-1.5-28", "krb5-libs-1.5-28"))
      {
        if (rpm_check(release:"RHEL5", reference:fixed_pkg)) vuln_count++;
      }
      # Architecture-specific packages: package outer, architecture inner,
      # so the checks are recorded in the same order as before.
      foreach fixed_pkg (make_list("krb5-server-1.5-28", "krb5-workstation-1.5-28"))
      {
        foreach pkg_arch (make_list("i386", "s390x", "x86_64"))
        {
          if (rpm_check(release:"RHEL5", cpu:pkg_arch, reference:fixed_pkg)) vuln_count++;
        }
      }
    
      if (vuln_count)
      {
        security_report_v4(port:0, severity:SECURITY_HOLE, extra:rpm_report_get() + redhat_report_package_caveat());
        exit(0);
      }
    
      # Nothing vulnerable: distinguish "checked and fixed" from "not installed".
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-server / krb5-workstation");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2007-0858.NASL
    descriptionUpdated krb5 packages that fix two security flaws are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. Tenable Network Security discovered a stack-based buffer overflow flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. (CVE-2007-3999) Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-4000) These issues did not affect the versions of Kerberos distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id43650
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43650
    titleCentOS 5 : krb5 (CESA-2007:0858)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KRB5-4191.NASL
    descriptionThis update of krb5 fixes two bugs in kadmind that can be used to execute arbitrary code remotely. (CVE-2007-3999, CVE-2007-4000)
    last seen2020-06-01
    modified2020-06-02
    plugin id27310
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27310
    titleopenSUSE 10 Security Update : krb5 (krb5-4191)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-2017.NASL
    descriptionThis update incorporates fixes for a stack overflow in the rpcsec_gss implementation in libgssrpc (CVE-2007-3999) and a potential write through an uninitialized pointer in kadmind (CVE-2007-4000). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id27744
    published2007-11-06
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27744
    titleFedora 7 : krb5-1.6.1-3.fc7 (2007-2017)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200709-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200709-01 (MIT Kerberos 5: Multiple vulnerabilities) A stack-based buffer overflow (CVE-2007-3999) has been reported in svcauth_gss_validate() of the RPC library of kadmind. Another vulnerability (CVE-2007-4000) has been found in kadm5_modify_policy_internal(), which does not check the return values of krb5_db_get_policy() correctly. Impact : The RPC related vulnerability can be exploited by a remote unauthenticated attacker to execute arbitrary code with root privileges on the host running kadmind. The second vulnerability requires the remote attacker to be authenticated and to have
    last seen2020-06-01
    modified2020-06-02
    plugin id26041
    published2007-09-14
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/26041
    titleGLSA-200709-01 : MIT Kerberos 5: Multiple vulnerabilities
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20070904_KRB5_ON_SL5_X.NASL
    descriptionTenable Network Security discovered a stack-based buffer overflow flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. (CVE-2007-3999) Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-4000)
    last seen2020-06-01
    modified2020-06-02
    plugin id60248
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60248
    titleScientific Linux Security Update : krb5 on SL5.x i386/x86_64
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-511-1.NASL
    descriptionIt was discovered that the libraries handling RPCSEC_GSS did not correctly validate the size of certain packet structures. An unauthenticated remote user could send a specially crafted request and execute arbitrary code with root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28115
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28115
    titleUbuntu 6.06 LTS / 6.10 / 7.04 : krb5, librpcsecgss vulnerability (USN-511-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KRB5-4248.NASL
    descriptionThis update improves the patch for the previously released security update of krb5 to fix CVE-2007-3999 and CVE-2007-4000. (CVE-2007-4743)
    last seen2020-06-01
    modified2020-06-02
    plugin id27311
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27311
    titleopenSUSE 10 Security Update : krb5 (krb5-4248)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KRB5-4249.NASL
    descriptionThis update improves the patch for the previously released security update of krb5 to fix CVE-2007-3999 / CVE-2007-4000. (CVE-2007-4743)
    last seen2020-06-01
    modified2020-06-02
    plugin id29495
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/29495
    titleSuSE 10 Security Update : Kerberos 5 (ZYPP Patch Number 4249)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2007-0858.NASL
    descriptionFrom Red Hat Security Advisory 2007:0858 : Updated krb5 packages that fix two security flaws are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. Tenable Network Security discovered a stack-based buffer overflow flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. On Red Hat Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary code as the overflow is blocked by FORTIFY_SOURCE. (CVE-2007-3999) Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-4000) These issues did not affect the versions of Kerberos distributed with Red Hat Enterprise Linux 2.1, 3, or 4. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id67562
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67562
    titleOracle Linux 5 : krb5 (ELSA-2007-0858)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KRB5-4192.NASL
    descriptionThis update of krb5 fixes two bugs in kadmind that can be used to execute arbitrary code remotely. (CVE-2007-3999 / CVE-2007-4000)
    last seen2020-06-01
    modified2020-06-02
    plugin id29494
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/29494
    titleSuSE 10 Security Update : Kerberos (ZYPP Patch Number 4192)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2007-174.NASL
    descriptionA stack-based buffer overflow vulnerability was discovered in the RPC library used by Kerberos
    last seen2020-06-01
    modified2020-06-02
    plugin id26006
    published2007-09-07
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/26006
    titleMandrake Linux Security Advisory : krb5 (MDKSA-2007:174-1)

Oval

accepted2013-04-29T04:18:38.662-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionThe kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
familyunix
idoval:org.mitre.oval:def:9278
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
version18

Redhat

advisories
bugzilla
id250976
titleCVE-2007-4000 krb5 kadmind uninitialized pointer
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • commentkrb5-server is earlier than 0:1.5-29
          ovaloval:com.redhat.rhsa:tst:20070858001
        • commentkrb5-server is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070095017
      • AND
        • commentkrb5-workstation is earlier than 0:1.5-29
          ovaloval:com.redhat.rhsa:tst:20070858003
        • commentkrb5-workstation is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070095011
      • AND
        • commentkrb5-libs is earlier than 0:1.5-29
          ovaloval:com.redhat.rhsa:tst:20070858005
        • commentkrb5-libs is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070095013
      • AND
        • commentkrb5-devel is earlier than 0:1.5-29
          ovaloval:com.redhat.rhsa:tst:20070858007
        • commentkrb5-devel is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20070095015
rhsa
idRHSA-2007:0858
released2007-09-04
severityImportant
titleRHSA-2007:0858: krb5 security update (Important)
rpms
  • krb5-debuginfo-0:1.5-29
  • krb5-devel-0:1.5-29
  • krb5-libs-0:1.5-29
  • krb5-server-0:1.5-29
  • krb5-workstation-0:1.5-29

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 25533 CVE(CAN) ID: CVE-2007-4000 Kerberos是一款广泛使用的使用强壮的加密来验证客户端和服务器端的网络协议。MIT Kerberos 5是一种常用的开源Kerberos实现。 src/lib/kadm5/srv/svr_policy.c文件中的kadm5_modify_policy_internal()函数没有正确的检查krb5_db_get_policy()的返回值。如果策略不存在的话,krb5_db_get_policy()会返回0,但没有初始化输出指针便将计数器检索记录设置为0,而kadm5_modify_policy_internal()中之后的代码试图通过这个指针写入数据,导致内存破坏。 拥有modify policy权限的已认证用户可以利用这个漏洞入侵运行kadmind的主机并执行任意代码,不成功的攻击也可能导致kadmind崩溃。 MIT Kerberos 5 5-1.5 - 5-1.6.2 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://web.mit.edu/kerberos/advisories/2007-006-patch.txt.asc" target="_blank">http://web.mit.edu/kerberos/advisories/2007-006-patch.txt.asc</a> RedHat ------ RedHat已经为此发布了一个安全公告(RHSA-2007:0858-01)以及相应补丁: RHSA-2007:0858-01:Important: krb5 security update 链接:<a href="https://www.redhat.com/support/errata/RHSA-2007-0858.html" target="_blank">https://www.redhat.com/support/errata/RHSA-2007-0858.html</a>
idSSV:2190
last seen2017-11-19
modified2007-09-06
published2007-09-06
reporterRoot
titleMIT Kerberos 5 KAdminD服务程序未初始化指针远程代码执行漏洞