IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled


"Buffer Overrun Vulnerability in Kerberos Authentication Protocol"
May 17, 2000

The security experts from the Massachusetts Institute of Technology (MIT) and CERT Coordination Center have identified a serious vulnerability in some of the implementations of the Kerberos authentication protocol. This vulnerability was publicly disclosed on Bugtraq. A vulnerability has been found in Kerberos 4, and in Kerberos 5 which contains backwards compatibility with Kerberos 4. Intruders may gain root access over the network or locally by exploiting this vulnerability. The identified problem involves a buffer overrun in the krb_rd_req() function, a function that is essential to Kerberos-authenticated services using Kerberos 4. These include:

MIT Kerberos 5 releases,
MIT Kerberos 4 releases with Patch 10 and possibly earlier releases,
KerbNet running Cygnus implementation of Kerberos 5, and
Cygnus Network Security running Kerberos 4.

Daemons and services that may use the krb_rd_req() function for authentication are listed below. An intruder can remotely or locally exploit any of them to gain root access including:

Klogind (if Kerberos 4 authentication is used),
Telnetd (if Kerberos 4 authentication is used),
Ftpd (if Kerberos 4 authentication is used),
Rkinitd, and

Patches are available for the MIT implementation at web.mit.edu/kerberos/www/.

NIPC advises recipients who use the referenced Kerberos products to consult frequently the CERT Coordination Center at www.cert.org and MIT at web.mit.edu/kerberos/www/ for additional information on this vulnerability and patches. FBI/NIPC requests recipients immediately report information on any actual or attempted use of this exploit to the local FBI office or NIPC Watch and Warning Unit at 202-323-3204/05/06.