CVE-2007-2798 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Severity

74%

Complexity

44%

Confidentiality

165%

Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.

Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.

CVSS 2.0 Base Score 7.4. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:S/C:C/I:C/A:C).

Demo Examples

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119

This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.


               
}

                     
strcpy(hostname, hp->h_name);/*routine that ensures user_supplied_addr is in the right format for conversion */

This function allocates a buffer of 64 bytes to store the hostname, however there is no guarantee that the hostname will not be larger than 64 bytes. If an attacker specifies an address which resolves to a very large hostname, then we may overwrite sensitive data or even relinquish control flow to the attacker.

Note that this example also contains an unchecked return value (CWE-252) that can lead to a NULL pointer dereference (CWE-476).

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119

This example applies an encoding procedure to an input string and stores it into a buffer.


               
}

                     
return dst_buf;
die("user string too long, die evil hacker!");

                           
else dst_buf[dst_index++] = user_supplied_string[i];
dst_buf[dst_index++] = ';';

                                 

                                       /* encode to < */

The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119

The following example asks a user for an offset into an array to select an item.


               
}
printf("You selected %s\n", items[index-1]);

The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126).

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method


               
}

                     
return value;// check that the array index is less than the maximum// length of the array

                           
value = array[index];// get the value at the specified index of the array
// if array index is invalid then output error message// and return value indicating error
value = -1;

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.


               
...// check that the array index is within the correct// range of values for the array

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119

Windows provides the _mbs family of functions to perform various operations on multibyte strings. When these functions are passed a malformed multibyte string, such as a string containing a valid leading byte followed by a single null byte, they can read or write past the end of the string buffer causing a buffer overflow. The following functions all pose a risk of buffer overflow: _mbsinc _mbsdec _mbsncat _mbsncpy _mbsnextc _mbsnset _mbsrev _mbsset _mbsstr _mbstok _mbccpy _mbslen

Overview

First reported 17 years ago

2007-06-26 22:30:00

Last updated 5 years ago

2020-01-21 15:45:00

Affected Software

MIT Kerberos

Mit Kerberos 5 -

Mit Kerberos 5 1.1

1.1

Mit Kerberos 5 1.2

1.2

Mit Kerberos 5 1.2.1

1.2.1

Mit Kerberos 5 1.2.2

1.2.2

Mit Kerberos 5 1.2.3

1.2.3

Mit Kerberos 5 1.2.4

1.2.4

Mit Kerberos 5 1.2.5

1.2.5

Mit Kerberos 5 1.2.6

1.2.6

Mit Kerberos 5 1.2.7

1.2.7

Mit Kerberos 5 1.2.8

1.2.8

Mit Kerberos 5 1.3

1.3

Mit Kerberos 5 1.3 Alpha 1

1.3

Mit Kerberos 5 1.3.1

1.3.1

Mit Kerberos 5 1.3.2

1.3.2

Mit Kerberos 5 1.3.3

1.3.3

Mit Kerberos 5 1.3.4

1.3.4

Mit Kerberos 5 1.3.5

1.3.5

Mit Kerberos 5 1.3.6

1.3.6

Mit Kerberos 5 1.4

1.4

Mit Kerberos 5 1.4.1

1.4.1

Mit Kerberos 5 1.4.2

1.4.2

Mit Kerberos 5 1.4.3

1.4.3

Mit Kerberos 5 1.4.4

1.4.4

Mit Kerberos 5 1.5

1.5

Mit Kerberos 5 1.5.1

1.5.1

Mit Kerberos 5 1.5.2

1.5.2

Mit Kerberos 5 1.5.3

1.5.3

Mit Kerberos 5 1.6

1.6

References

20070602-01-P

http://docs.info.apple.com/article.html?artnum=306172

SSRT100107

20070626 Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability

Exploit, Patch, Vendor Advisory

APPLE-SA-2007-07-31

20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player

36595

25800

Vendor Advisory

25801

Vendor Advisory

25814

Vendor Advisory

25821

Vendor Advisory

25870

Vendor Advisory

25875

Vendor Advisory

25888

Vendor Advisory

25890

Vendor Advisory

25894

Vendor Advisory

25911

Vendor Advisory

26033

Vendor Advisory

26228

Vendor Advisory

26235

Vendor Advisory

26909

Vendor Advisory

27706

Vendor Advisory

40346

Vendor Advisory

GLSA-200707-11

102985

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt

DSA-1323

VU#554257

Patch, US Government Resource

MDKSA-2007:137

SUSE-SA:2007:038

RHSA-2007:0384

RHSA-2007:0562

20070626 MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow

20070628 FLEA-2007-0029-1: krb5 krb5-workstation

20070629 TSLSA-2007-0021 - kerberos5

24653

25159

1018295

2007-0021

USN-477-1

TA07-177A

Patch, US Government Resource

ADV-2007-2337

ADV-2007-2370

Vendor Advisory

ADV-2007-2491

Vendor Advisory

ADV-2007-2732

ADV-2007-3229

Vendor Advisory

ADV-2010-1574

Vendor Advisory

kerberos-renameprincipal2svc-bo(35080)

https://issues.rpath.com/browse/RPL-1499

oval:org.mitre.oval:def:1726

oval:org.mitre.oval:def:7550

oval:org.mitre.oval:def:9996

https://secure-support.novell.com/KanisaPlatform/Publishing/327/3675615_f.SAL_Public.html

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.