AUSCERT External Security Bulletin Redistribution

                 ESB-2002.594 -- CERT Advisory CA-2002-29
             Buffer Overflow in Kerberos Administration Daemon
                              28 October 2002


        AusCERT Security Bulletin Summary

Product:                MIT Kerberos version 4 and version 5 up to and
                         including krb5-1.2.6
                        KTH eBones prior to version 1.2.1
                        KTH Heimdal prior to version 0.5.1
                        Other Kerberos implementations derived from
                         vulnerable MIT or KTH code
Vendor:                 CERT/CC
Impact:                 Root Compromise
Access Required:        Remote

--------------------------BEGIN INCLUDED TEXT--------------------


CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon

   Original issue date: October 25, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * MIT  Kerberos  version  4  and  version  5  up  to  and  including
       krb5-1.2.6
     * KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version
       0.5.1
     * Other  Kerberos implementations derived from vulnerable MIT or KTH
       code


   Multiple  Kerberos distributions contain a remotely exploitable buffer
   overflow  in  the  Kerberos  administration  daemon. A remote attacker
   could  exploit  this  vulnerability  to  gain  root  privileges  on  a
   vulnerable system.

   The CERT/CC has received reports that indicate that this vulnerability
   is  being  exploited.  In  addition,  MIT advisory MITKRB5-SA-2002-002
   notes that an exploit is circulating.

   We strongly encourage sites that use vulnerable Kerberos distributions
   to  verify the integrity of their systems and apply patches or upgrade
   as appropriate.

I. Description

   Kerberos   is   a  widely  used  network  protocol  that  uses  strong
   cryptography   to  authenticate  clients  and  servers.  The  Kerberos
   administration  daemon  (typically  called  kadmind)  handles password
   change  and other requests to modify the Kerberos database. The daemon
   runs  on the master Key Distribution Center (KDC) server of a Kerberos

   The   code   that   provides   legacy   support  for  the  Kerberos  4
   administration   protocol   contains  a  remotely  exploitable  buffer
   overflow.  The  vulnerable code does not adequately validate data read
   from  a network request. This data is subsequently used as an argument
   to  a  memcpy()  call,  which  can  overflow a buffer allocated on the
   stack.  An  attacker does not have to authenticate in order to exploit
   this  vulnerability,  and the Kerberos administration daemon runs with
   root privileges.
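
   The bug class the description above attributes to the legacy Kerberos 4
   administration code, shown as an added example that is not kadmind's own
   code: a request parser that passes a length taken from the wire straight
   to memcpy() into a fixed-size buffer, beside a version that bounds the
   copy by both the buffer size and the number of bytes actually received.
   The message layout (one opcode byte, a two-byte big-endian length, then
   the payload), the 64-byte buffer, the opcode value and the function names
   are assumptions made for this example, not the Kerberos 4 administration
   protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer, standing in for a stack buffer in a
 * request handler. Everything below is constructed for illustration. */
#define ADMIN_BUF_SIZE 64

enum { REQ_OK = 0, REQ_TRUNCATED = -1, REQ_TOO_LONG = -2 };

struct admin_req {
    uint8_t opcode;
    size_t  arg_len;
    uint8_t arg[ADMIN_BUF_SIZE];   /* the payload is copied in here */
};

/* 16-bit big-endian length field. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Assemble a request: opcode, 2-byte claimed length, then payload.
 * claimed_len and actual_len are separate so a caller can forge a header
 * that lies about how much payload follows. Returns bytes written, 0 on
 * insufficient space. */
size_t build_request(uint8_t *out, size_t cap, uint8_t opcode,
                     const uint8_t *payload, size_t actual_len,
                     uint16_t claimed_len)
{
    if (cap < 3 + actual_len) return 0;
    out[0] = opcode;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    return 3 + actual_len;
}

/* VULNERABLE: the length comes from the peer and is never compared with
 * the destination size or the bytes received, so a remote, unauthenticated
 * sender chooses how much memcpy() writes past req->arg. */
int parse_request_vulnerable(const uint8_t *pkt, size_t pkt_len,
                             struct admin_req *req)
{
    if (pkt_len < 3) return REQ_TRUNCATED;
    req->opcode  = pkt[0];
    req->arg_len = rd16(pkt + 1);
    memcpy(req->arg, pkt + 3, req->arg_len);   /* attacker-chosen size */
    return REQ_OK;
}

/* HARDENED: reject the request before touching the buffer if the claimed
 * length exceeds either the destination or the data actually present. */
int parse_request_hardened(const uint8_t *pkt, size_t pkt_len,
                           struct admin_req *req)
{
    if (pkt_len < 3) return REQ_TRUNCATED;
    uint16_t alen = rd16(pkt + 1);
    if (alen > sizeof req->arg) return REQ_TOO_LONG;   /* would overflow */
    if (alen > pkt_len - 3)     return REQ_TRUNCATED;  /* would over-read */
    req->opcode  = pkt[0];
    req->arg_len = alen;
    memcpy(req->arg, pkt + 3, alen);
    return REQ_OK;
}

int main(void)
{
    uint8_t pkt[512];
    struct admin_req req;
    const uint8_t pw[] = "newpassword";          /* constructed payload */

    size_t n = build_request(pkt, sizeof pkt, 0x05, pw, sizeof pw - 1,
                             (uint16_t)(sizeof pw - 1));
    printf("benign request: vulnerable=%d hardened=%d\n",
           parse_request_vulnerable(pkt, n, &req),
           parse_request_hardened(pkt, n, &req));

    /* Hostile header claiming 65535 bytes. Only the hardened parser is run
     * on it: feeding it to the vulnerable one is the overflow itself. */
    n = build_request(pkt, sizeof pkt, 0x05, pw, sizeof pw - 1, 0xffff);
    printf("hostile request: hardened=%d (vulnerable parser would copy "
           "65535 bytes into a %d-byte buffer)\n",
           parse_request_hardened(pkt, n, &req), ADMIN_BUF_SIZE);
    return 0;
}
```

   Both checks in the hardened parser matter: the first stops the write
   past the buffer, the second stops memcpy() reading beyond the datagram
   when the header claims more payload than was sent. Neither check needs
   any authentication state, which is the point made above: the parsing
   happens before the peer has proved anything about itself.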

   Both  Massachusetts  Institute  of Technology (MIT) and Kungl Tekniska
   Högskolan  (KTH)  Kerberos are affected, as well as operating systems,
   applications,  and  other Kerberos implementations that use vulnerable
   code derived from either the MIT or KTH distributions. In MIT Kerberos
   5, the Kerberos 4 administration daemon is implemented in kadmind4. In
   KTH  Kerberos  4  (eBones),  the  Kerberos  administration  daemon  is
   implemented  in  kadmind. KTH Kerberos 5 (Heimdal) also implements the
   daemon  in  kadmind;  however,  the Heimdal daemon is only affected if
   compiled  with  Kerberos  4  support.  Since  the  vulnerable Kerberos
   administration  daemon  is  included  in  the  MIT  Kerberos 5 and KTH
   Heimdal distributions, both Kerberos 4 sites and Kerberos 5 sites that
   enable   support  for  the  Kerberos  4  administration  protocol  are

   Further   information   about  this  vulnerability  may  be  found  in

   MIT  has  released  an  advisory  that contains information about this


   The  KTH  eBones  and Heimdal web sites also contain information about
   this vulnerability:

     KTH eBones

     KTH Heimdal

   In  addition  to  resolving  the vulnerability described in VU#875073,
   version  0.5.1 of KTH Heimdal contains other fixes related to the KDC.
   See the ChangeLog for more information:


   This  vulnerability  has  been  assigned  CAN-2002-1235  by the Common
   Vulnerabilities and Exposures (CVE) group.

II. Impact

   An  unauthenticated, remote attacker could execute arbitrary code with
   root  privileges.  If  an attacker is able to gain control of a master
   KDC,  the  integrity  of  the  entire  Kerberos  realm is compromised,
   including  user  and  host  identities  and  other systems that accept
   Kerberos authentication.

III. Solution

Apply a patch or upgrade

   Apply  the  appropriate  patch or upgrade as specified by your vendor.
   See Appendix A below and the Systems Affected section of VU#875073 for
   specific information.

Disable vulnerable service

   Disable  support  for  the Kerberos 4 administration protocol if it is
   not  needed.  In  MIT  Kerberos  5,  this can be achieved by disabling
   kadmind4.  For  information  about disabling all Kerberos 4 support in
   MIT Kerberos 5 at compile time, see


   In  KTH  Heimdal,  it  is  necessary  to recompile kadmind in order to
   disable  support  for  the  Kerberos  4  administration  protocol. For
   information  about  disabling all Kerberos 4 support in KTH Heimdal at
   compile time, see


   This  solution  will  prevent  Kerberos  4 administrative clients from
   accessing  the  Kerberos  database.  It  will  also prevent users with
   Kerberos  4  clients  from  changing  their passwords. In general, the
   CERT/CC  recommends  disabling  any  service  that  is  not explicitly

Block or restrict access

   Block access to the Kerberos administration service from untrusted
   networks such as the Internet, and allow access only from trusted
   administrative hosts. By default, the Kerberos 4 administration daemon
   listens on 751/tcp and 751/udp, and the Kerberos 5 administration daemon
   listens on 749/tcp and 749/udp. Where the daemon accepts requests over
   UDP, a filter based on source address is a weaker control than it is for
   TCP: there is no handshake, so a sender who does not need a reply can
   forge the source address of a datagram. It may also be necessary to block
   access to the Kerberos 5 administration service if that daemon supports
   the Kerberos 4 administration protocol. This workaround will prevent
   administrative connections and password change requests from blocked
   networks. Note that this workaround will not prevent exploitation, but
   it will limit the possible sources of

Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.

Apple Computer, Inc.

     The  Kerberos  Administration Daemon was included in Mac OS X 10.0,
     but removed in Mac OS X 10.1 and later.
     We  encourage  sites  that use vulnerable Kerberos distributions to
     verify  the integrity of their systems and apply patches or upgrade
     as appropriate.

Conectiva
     Our  MIT  Kerberos  5  packages in Conectiva Linux 8 do contain the
     vulnerable kadmind4 daemon, but it is not used by default nor is it
     installed as a service.

     Updated packages are being uploaded to our ftp server and should be
     available in a few hours at:


     The  krb5-server-1.2.3-3U8_3cl.i386.rpm  package contains a patched
     kadmind4  daemon.  An  announcement  will  be  sent to our security
     mailing list a few hours after the upload is complete.

Debian
     Debian has released DSA-178:


FreeBSD
     Both the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind
     v4  compatibility)  daemons were vulnerable and have been corrected
     as  of  23  October  2002.  In addition, the heimdal and krb5 ports
     contained  the  same vulnerability and have been corrected as of 24
     October 2002. A Security Advisory is in progress.

KTH Kerberos

     The  eBones  and  Heimdal  web  sites  have  information about this

       KTH eBones
       KTH Heimdal

Microsoft Corporation

     Microsoft's  implementation  of  Kerberos  is  not affected by this

MIT Kerberos

     MIT has released MIT krb5 Security Advisory 2002-002:


NetBSD
     NetBSD has released NetBSD-SA2002-026:


OpenBSD
     OpenBSD  has released Security Fix 016 for OpenBSD 3.1 and Security
     Fix 033 for OpenBSD 3.0.

       OpenBSD 3.1

       OpenBSD 3.0

Openwall GNU/*/Linux
     Openwall GNU/*/Linux is not vulnerable. We don't provide Kerberos.

SuSE
     SuSE  Linux  7.2  and  later  are  shipped  with  Heimdal  Kerberos
     included,  but  Kerberos  4  support  is  disabled in all releases.
     Therefore, SuSE Linux and SuSE Enterprise Linux are not affected by
     this bug. [See also: SuSE-SA:2002:034]

Wind River Systems (BSDI)

     No version of BSD/OS is vulnerable to this problem.

Appendix B. References

     * http://web.mit.edu/kerberos/www/
     * http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kad
     * http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.ht
     * http://www.pdc.kth.se/kth-krb/
     * http://www.pdc.kth.se/heimdal/
     * http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Instal


   Authors: Art Manion and Jason A. Rafail.

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History

   October 25, 2002: Initial release



--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
