Bugtraq mailing list archives
Clarification/further info on Kerberos issues
From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Thu, 18 May 2000 19:40:27 +0100
Hi,

I read with interest the recent post on Kerberos security issues. I was mildly disappointed not to be credited; I started discovering Kerberos issues a month ago. In fact the first problem I demonstrated was the kd_mq_req() problem. Original demonstration details pasted at end of mail.

The main point of this mail, though, is to advise people to be wary of assuming that MIT-Kerberos is now "safe". The team need to perform a thorough audit of all the code. The type and extent of issues they face is illustrated by the following mail I sent a couple of weeks ago. I found these issues by tracing through the code path available to malicious users via "v4rcp", a suid-root application.

Something that needs noting - a full install of RedHat6.2 includes a suid-root "v4rcp" (even if the user has not enabled the Kerberised services, which are luckily not enabled in the default setup). I demonstrate the exploitability of this, via "v4rcp", below in one of my original mails.

One final point before I start quoting mails - most issues (maybe all) were fixed in the KTH Kerberos code-base, which I browsed via the Web from www.openbsd.org.

Cheers
Chris

Quote1: Illustration of extent of problems present
===========================================================