CNNVD-ID编号 | CNNVD-200706-482 |
CVE编号 | CVE-2007-2798 |
发布时间 | 2006-06-01 |
更新时间 | 2007-08-13 |
漏洞类型 | 缓冲区溢出 |
漏洞来源 | N/A |
危险等级 | 高危 |
威胁类型 | 特定网络环境 |
厂 商 | mit |
Kerberos是美国麻省理工学院(MIT)开发的一套网络认证协议,它采用客户端/服务器结构,并且客户端和服务器端均可对对方进行身份认证(即双重验证),可防止窃听、防止replay攻击等。MIT Kerberos 5(又名krb5)是美国麻省理工学院(MIT)开发的一套网络认证协议,它采用客户端/服务器结构,并且客户端和服务器端均可对对方进行身份认证(即双重验证),可防止窃听、防止replay攻击等。
Kerberos中负责处理重新命名主体的代码中存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制服务器。
rename_principal_2_svc函数没有对用户提供数据执行边界检查便拷贝到了固定大小的缓冲区,漏洞代码如下:
542 generic_ret *
543 rename_principal_2_svc(rprinc_arg *arg, struct svc_req *rqstp)
544 {
545 static generic_ret ret;
546 char *prime_arg1,
547 *prime_arg2;
548 char prime_arg[BUFSIZ];
...
570 if (krb5_unparse_name(handle->context, arg->src, &prime_arg1) ||
571 krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) {
572 ret.code = KADM5_BAD_PRINCIPAL;
573 goto exit_func;
574 }
575 sprintf(prime_arg, \"\\%s to \\%s\", prime_arg1, prime_arg2);
在570和571行从kadmind服务程序环境中获得了攻击者提供的数据,在575行以静态文本连接源主体名和目标主体名时会出现栈溢出。
成功攻击可能导致完全入侵Kerberos密钥数据库,破坏KDC主机的安全性(kadmind通常以root权限运行),不成功的攻击也会导致kadmind崩溃。
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1323-1)以及相应补丁:
DSA-1323-1:New krb5 packages fix several vulnerabilities
链接:
http://www.debian.org/security/2007/dsa-1323
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.3.6-2sarge5.dsc
Size/MD5 checksum:782 b600466763baa4f89a8fed5a832eb9d3
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.3.6-2sarge5.diff.gz
Size/MD5 checksum: 669293 0e9dfa39e8db2e0ce871ba40c46c925e
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.3.6.orig.tar.gz
Size/MD5 checksum:6526510 7974d0fc413802712998d5fc5eec2919
Architecture independent components:
http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.3.6-2sarge5_all.deb
Size/MD5 checksum: 718836 58c01536ff87db5d3492264349fe844c
Alpha architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum: 115250 ac5498fab92f1047f47f45bb8269fcee
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum: 247680 f5201ab228a84b6f25ed42e422f6fd92
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum:62994 fd67dbebb83e11fe7a8d35b4a5209293
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum: 137138 d44e84b8e1c36215644d8224ae685e96
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum:89720 a4b4f7829ef043e7013887fdb967606f
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum:72246 cf93e00c42669deba711fcfbde5285c8
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum: 144880 e71073e49208fae27ef0a20c7920ad48
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum: 201848 7e5171239d1e3970665029a2286acbb4
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum: 861082 4017652625bc8408d5e1eb3f056699c4
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge5_alpha.deb
Size/MD5 checksum: 422580 385ae85ece57a191de28006b2b1ed342
AMD64 architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum: 104806 d3cb00189b4a3860ed2c89620733d4bb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum: 216896 c33630904c3b747231ab395734213076
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum:56952 7a55c1a696cf6d7afe84fdbc0ecc59c5
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum: 124744 600f391ee2adc80b057309ccd45b0748
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum:82710 8baedacdf63faf0bf27c41997f15a0d7
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum:63508 9b9d4ab137302d171649de86dbd5f2a7
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum: 137754 536e88b5bdab0b8385fdd151d7295555
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum: 177638 47af31f544051191e34a81bb230f3e69
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum: 652300 64c39da5cd28173831c590c1a61024e1
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge5_amd64.deb
Size/MD5 checksum: 369328 e69e658a600a340b7a981052cc93ba9f
ARM architecture:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge5_arm.deb
Size/MD5 checksum:93646 faaef2bab601737cacaf68e76e3dbf34
http://security.debian.org/pool/updates/main/k/krb5/krb5-c
来源: US-CERT
名称: TA07-177A
来源: US-CERT
名称: VU#554257
来源: IDEFENSE
名称: 20070626 Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability
链接:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=548
来源: issues.rpath.com
来源: XF
名称: kerberos-renameprincipal2svc-bo(35080)
来源: UBUNTU
名称: USN-477-1
来源: SECTRACK
名称: 1018295
来源: BID
名称: 25159
来源: BID
名称: 24653
来源: BUGTRAQ
名称: 20070629 TSLSA-2007-0021 - kerberos5
链接:http://www.securityfocus.com/archive/1/archive/1/472507/30/5970/threaded
来源: BUGTRAQ
名称: 20070628 FLEA-2007-0029-1: krb5 krb5-workstation
链接:http://www.securityfocus.com/archive/1/archive/1/472432/100/0/threaded
来源: BUGTRAQ
名称: 20070626 MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow
链接:http://www.securityfocus.com/archive/1/archive/1/472289/100/0/threaded
来源: REDHAT
名称: RHSA-2007:0562
来源: REDHAT
名称: RHSA-2007:0384
来源: SUSE
名称: SUSE-SA:2007:038
链接:http://www.novell.com/linux/security/advisories/2007_38_krb5.html
来源: MANDRIVA
名称: MDKSA-2007:137
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2007:137
来源: VUPEN
名称: ADV-2007-3229
来源: VUPEN
名称: ADV-2007-2732
来源: VUPEN
名称: ADV-2007-2491
来源: VUPEN
名称: ADV-2007-2370
来源: VUPEN
名称: ADV-2007-2337
来源: DEBIAN
名称: DSA-1323
来源: web.mit.edu
链接:http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
来源: SUNALERT
名称: 102985
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102985-1
来源: GENTOO
名称: GLSA-200707-11
来源: SECUNIA
名称: 27706
来源: SECUNIA
名称: 26909
来源: SECUNIA
名称: 26235
来源: SECUNIA
名称: 26228
来源: SECUNIA
名称: 26033
来源: SECUNIA
名称: 25911
来源: SECUNIA
名称: 25894
来源: SECUNIA
名称: 25890
来源: SECUNIA
名称: 25888
来源: SECUNIA
名称: 25875
来源: SECUNIA
名称: 25870
来源: SECUNIA
名称: 25821
来源: SECUNIA
名称: 25814
来源: SECUNIA
名称: 25801
来源: SECUNIA
名称: 25800
来源: APPLE
名称: APPLE-SA-2007-07-31
链接:http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
来源: docs.info.apple.com
来源: SGI
名称: 20070602-01-P
链接:链接:ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc