漏洞信息详情

MIT Kerberos RPC库gssrpc__svcauth_gssapi()函数未初始化指针释放漏洞

漏洞简介

Kerberos是美国麻省理工学院(MIT)开发的一套网络认证协议,它采用客户端/服务器结构,并且客户端和服务器端均可对对方进行身份认证(即双重验证),可防止窃听、防止replay攻击等。MIT Kerberos 5(又名krb5)是美国麻省理工学院(MIT)开发的一套网络认证协议,它采用客户端/服务器结构,并且客户端和服务器端均可对对方进行身份认证(即双重验证),可防止窃听、防止replay攻击等。

Kerberos在处理畸形的RPC数据时存在漏洞,远程攻击者可能利用此漏洞导致服务崩溃。

Kerberos src/lib/rpc/svc_auth_gssapi.c文件中的gssrpc__svcauth_gssapi()函数声明了auth_gssapi_creds类型的自动变量creds,这个类型包含有gss_buffer_desc。如果gssrpc__svcauth_gssapi()接收到了长度为0的RPC凭据的话,就会跳转到error标签执行一些清除代码。这时creds中的gss_buffer_desc仍未被初始化,而清除代码试图对creds调用xdr_free(),然后xdr_free()试图释放gss_buffer_desc未初始化的value成员所指向的内存。很难利用释放无效指针执行任意代码,取决于特定malloc实现中的各种因素。成功攻击可能导致完全入侵Kerberos密钥数据库,破坏KDC主机的安全性(kadmind通常以root用户权限运行),不成功的攻击也会导致kadmind崩溃。

漏洞公告

目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:

Debian

------

Debian已经为此发布了一个安全公告(DSA-1323-1)以及相应补丁:

DSA-1323-1:New krb5 packages fix several vulnerabilities

链接:

http://www.debian.org/security/2007/dsa-1323

补丁下载:

Source archives:

http://security.debian.org/pool/updates/main/k/krb5/krb5_1.3.6-2sarge5.dsc

Size/MD5 checksum:782 b600466763baa4f89a8fed5a832eb9d3

http://security.debian.org/pool/updates/main/k/krb5/krb5_1.3.6-2sarge5.diff.gz

Size/MD5 checksum: 669293 0e9dfa39e8db2e0ce871ba40c46c925e

http://security.debian.org/pool/updates/main/k/krb5/krb5_1.3.6.orig.tar.gz

Size/MD5 checksum:6526510 7974d0fc413802712998d5fc5eec2919

Architecture independent components:

http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.3.6-2sarge5_all.deb

Size/MD5 checksum: 718836 58c01536ff87db5d3492264349fe844c

Alpha architecture:

http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum: 115250 ac5498fab92f1047f47f45bb8269fcee

http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum: 247680 f5201ab228a84b6f25ed42e422f6fd92

http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum:62994 fd67dbebb83e11fe7a8d35b4a5209293

http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum: 137138 d44e84b8e1c36215644d8224ae685e96

http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum:89720 a4b4f7829ef043e7013887fdb967606f

http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum:72246 cf93e00c42669deba711fcfbde5285c8

http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum: 144880 e71073e49208fae27ef0a20c7920ad48

http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum: 201848 7e5171239d1e3970665029a2286acbb4

http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum: 861082 4017652625bc8408d5e1eb3f056699c4

http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge5_alpha.deb

Size/MD5 checksum: 422580 385ae85ece57a191de28006b2b1ed342

AMD64 architecture:

http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum: 104806 d3cb00189b4a3860ed2c89620733d4bb

http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum: 216896 c33630904c3b747231ab395734213076

http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum:56952 7a55c1a696cf6d7afe84fdbc0ecc59c5

http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum: 124744 600f391ee2adc80b057309ccd45b0748

http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum:82710 8baedacdf63faf0bf27c41997f15a0d7

http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum:63508 9b9d4ab137302d171649de86dbd5f2a7

http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum: 137754 536e88b5bdab0b8385fdd151d7295555

http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum: 177638 47af31f544051191e34a81bb230f3e69

http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum: 652300 64c39da5cd28173831c590c1a61024e1

http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge5_amd64.deb

Size/MD5 checksum: 369328 e69e658a600a340b7a981052cc93ba9f

ARM architecture:

http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge5_arm.deb

Size/MD5 checksum:93646 faaef2bab601737cacaf68e76e3dbf34

http://security.debian.org/pool/updates/main/k/krb5/krb5-c

参考网址

来源: US-CERT

名称: TA07-177A

链接:http://www.us-cert.gov/cas/techalerts/TA07-177A.html

来源: US-CERT

名称: VU#356961

链接:http://www.kb.cert.org/vuls/id/356961

来源: web.mit.edu

链接:http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt

来源: BUGTRAQ

名称: 20070629 TSLSA-2007-0021 - kerberos5

链接:http://www.securityfocus.com/archive/1/archive/1/472507/30/5970/threaded

来源: secure-support.novell.com

链接:https://secure-support.novell.com/KanisaPlatform/Publishing/773/3248163_f.SAL_Public.html

来源: issues.rpath.com

链接:https://issues.rpath.com/browse/RPL-1499

来源: XF

名称: kerberos-gssrpcsvcauthgssapi-code-execution(35082)

链接:http://xforce.iss.net/xforce/xfdb/35082

来源: UBUNTU

名称: USN-477-1

链接:http://www.ubuntu.com/usn/usn-477-1

来源: TRUSTIX

名称: 2007-0021

链接:http://www.trustix.org/errata/2007/0021/

来源: SECTRACK

名称: 1018293

链接:http://www.securitytracker.com/id?1018293

来源: BID

名称: 25159

链接:http://www.securityfocus.com/bid/25159

来源: BID

名称: 24655

链接:http://www.securityfocus.com/bid/24655

来源: BUGTRAQ

名称: 20070628 FLEA-2007-0029-1: krb5 krb5-workstation

链接:http://www.securityfocus.com/archive/1/archive/1/472432/100/0/threaded

来源: BUGTRAQ

名称: 20070626 MITKRB5-SA-2007-004: kadmind multiple RPC lib vulnerabilities

链接:http://www.securityfocus.com/archive/1/archive/1/472288/100/0/threaded

来源: REDHAT

名称: RHSA-2007:0562

链接:http://www.redhat.com/support/errata/RHSA-2007-0562.html

来源: REDHAT

名称: RHSA-2007:0384

链接:http://www.redhat.com/support/errata/RHSA-2007-0384.html

来源: SUSE

名称: SUSE-SA:2007:038

链接:http://www.novell.com/linux/security/advisories/2007_38_krb5.html

来源: MANDRIVA

名称: MDKSA-2007:137

链接:http://www.mandriva.com/security/advisories?name=MDKSA-2007:137

来源: VUPEN

名称: ADV-2007-3229

链接:http://www.frsirt.com/english/advisories/2007/3229

来源: VUPEN

名称: ADV-2007-2732

链接:http://www.frsirt.com/english/advisories/2007/2732

来源: VUPEN

名称: ADV-2007-2491

链接:http://www.frsirt.com/english/advisories/2007/2491

来源: VUPEN

名称: ADV-2007-2354

链接:http://www.frsirt.com/english/advisories/2007/2354

来源: VUPEN

名称: ADV-2007-2337

链接:http://www.frsirt.com/english/advisories/2007/2337

来源: DEBIAN

名称: DSA-1323

链接:http://www.debian.org/security/2007/dsa-1323

来源: web.mit.edu

链接:http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt

来源: SUNALERT

名称: 102914

链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102914-1

来源: GENTOO

名称: GLSA-200707-11

链接:http://security.gentoo.org/glsa/glsa-200707-11.xml

来源: SECUNIA

名称: 27706

链接:http://secunia.com/advisories/27706

来源: SECUNIA

名称: 26909

链接:http://secunia.com/advisories/26909

来源: SECUNIA

名称: 26235

链接:http://secunia.com/advisories/26235

来源: SECUNIA

名称: 26228

链接:http://secunia.com/advisories/26228

来源: SECUNIA

名称: 26033

链接:http://secunia.com/advisories/26033

来源: SECUNIA

名称: 25911

链接:http://secunia.com/advisories/25911

来源: SECUNIA

名称: 25894

链接:http://secunia.com/advisories/25894

来源: SECUNIA

名称: 25890

链接:http://secunia.com/advisories/25890

来源: SECUNIA

名称: 25888

链接:http://secunia.com/advisories/25888

来源: SECUNIA

名称: 25870

链接:http://secunia.com/advisories/25870

来源: SECUNIA

名称: 25841

链接:http://secunia.com/advisories/25841

来源: SECUNIA

名称: 25821

链接:http://secunia.com/advisories/25821

来源: SECUNIA

名称: 25814

链接:http://secunia.com/advisories/25814

来源: SECUNIA

名称: 25801

链接:http://secunia.com/advisories/25801

来源: SECUNIA

名称: 25800

链接:http://secunia.com/advisories/25800

来源: FULLDISC

名称: 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player

链接:http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html

来源: APPLE

名称: APPLE-SA-2007-07-31

链接:http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html

来源: docs.info.apple.com

链接:http://docs.info.apple.com/article.html?artnum=306172

来源: SGI

名称: 2007060

受影响实体

补丁

    暂无

漏洞信息快速查询

相关漏洞

更多