[OpenAFS] Buffer Overflow in kerberos / are we affected?

Rubino Geiß kb44@rz.uni-karlsruhe.de
Fri, 25 Oct 2002 11:31:57 +0200


See: http://www.ciac.org/ciac/bulletins/n-009.shtml

In brief:
PROBLEM: A stack buffer overflow in the implementation of the Kerberos
v4 compatibility administration daemon (kadmind4) in the MIT krb5
distribution could be exploited to gain unauthorized root access to a
KDC host.  

SOTFWARE: All releases of MIT Kerberos 5, up to and including
krb5-1.2.6.
All Kerberos 4 implementations derived from MIT Kerberos 4, including
Cygnus Network Security (CNS).  

DAMAGE:  A remote attacker could execute arbitrary code on the KDC with
the privileges of the user running kadmind4 (usually root).  

SOLUTION: Apply patch. 

Is the AFS kerberos impl. derived from MIT?

Hope we do not have a problem!


Bye, Rubino R. Geiss

--
Rubino Geiss, Universitaet Karlsruhe, IPD Goos
Postfach 6980, D-76128 Karlsruhe, GERMANY
Adenauerring 20a, 50.41 (AVG), Zi. 235
rubino@ipd.info.uni-karlsruhe.de
Tel: (+49) 721 / 608-8352
Fax: (+49) 721 / 30047