ID CVE-2004-0643
Summary Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.
References
Vulnerable Configurations
  • MIT Kerberos 5 1.3.1
    cpe:2.3:a:mit:kerberos:5-1.3.1
CVSS
Base: 4.6 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Misc.
    NASL id KERBEROS5_ISSUES.NASL
    description The remote host is running Kerberos 5. There are multiple flaws that affect this product. Make sure you are running the latest version with the latest patches. Note that Nessus could not check for any of the flaws and solely relied on the presence of the service to issue an alert, so this might be a false positive.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 11512
    published 2003-04-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11512
    title Kerberos 5 < 1.3.5 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-277.NASL
    description Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue does not affect Fedora Core. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14593
    published 2004-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14593
    title Fedora Core 2 : krb5-1.3.4-6 (2004-277)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-276.NASL
    description Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue does not affect Fedora Core. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14592
    published 2004-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14592
    title Fedora Core 1 : krb5-1.3.4-5 (2004-276)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-448.NASL
    description Updated Kerberos (krb5) packages that correct double-free and ASN.1 parsing bugs are now available for Red Hat Enterprise Linux. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue was fixed for Red Hat Enterprise Linux 2.1 users by a previous erratum, RHSA-2003:052. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 14596
    published 2004-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14596
    title RHEL 2.1 : krb5 (RHSA-2004:448)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-543.NASL
    description The MIT Kerberos Development Team has discovered a number of vulnerabilities in the MIT Kerberos Version 5 software. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CAN-2004-0642 [VU#795632] A double-free error may allow unauthenticated remote attackers to execute arbitrary code on KDC or clients. - CAN-2004-0643 [VU#866472] Several double-free errors may allow authenticated attackers to execute arbitrary code on Kerberos application servers. - CAN-2004-0644 [VU#550464] A remotely exploitable denial of service vulnerability has been found in the KDC and libraries. - CAN-2004-0772 [VU#350792] Several double-free errors may allow remote attackers to execute arbitrary code on the server. This does not affect the version in woody.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 15380
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15380
    title Debian DSA-543-1 : krb5 - several vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_86A98B57FB8E11D89343000A95BC6FAE.NASL
    description An advisory published by the MIT Kerberos team says : The MIT Kerberos 5 implementation's Key Distribution Center (KDC) program contains a double-free vulnerability that potentially allows a remote attacker to execute arbitrary code. Compromise of a KDC host compromises the security of the entire authentication realm served by the KDC. Additionally, double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and application servers vulnerable. Double-free vulnerabilities of this type are not believed to be exploitable for code execution on FreeBSD systems. However, the potential for other ill effects may exist.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 37617
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37617
    title FreeBSD : krb5 -- double-free vulnerabilities (86a98b57-fb8e-11d8-9343-000a95bc6fae)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200409-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-200409-09 (MIT krb5: Multiple vulnerabilities) The implementation of the Key Distribution Center (KDC) and the MIT krb5 library contain double-free vulnerabilities, making client programs as well as application servers vulnerable. The ASN.1 decoder library is vulnerable to a denial of service attack, including the KDC. Impact : The double-free vulnerabilities could allow an attacker to execute arbitrary code on a KDC host and hosts running krb524d or vulnerable services. In the case of a KDC host, this can lead to a compromise of the entire Kerberos realm. Furthermore, an attacker impersonating a legitimate KDC or application server can potentially execute arbitrary code on authenticating clients. An attacker can cause a denial of service for a KDC or application server and clients, the latter if impersonating a legitimate KDC or application server. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 14666
    published 2004-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14666
    title GLSA-200409-09 : MIT krb5: Multiple vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-350.NASL
    description Updated krb5 packages that improve client responsiveness and fix several security issues are now available for Red Hat Enterprise Linux 3. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue does not affect Red Hat Enterprise Linux 3 Kerberos packages. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue. When attempting to contact a KDC, the Kerberos libraries will iterate through the list of configured servers, attempting to contact each in turn. If one of the servers becomes unresponsive, the client will time out and contact the next configured server. When the library attempts to contact the next KDC, the entire process is repeated. For applications which must contact a KDC several times, the accumulated time spent waiting can become significant. This update modifies the libraries, notes which server for a given realm last responded to a request, and attempts to contact that server first before contacting any of the other configured servers. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 14595
    published 2004-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14595
    title RHEL 3 : krb5 (RHSA-2004:350)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-088.NASL
    description A double-free vulnerability exists in the MIT Kerberos 5's KDC program that could potentially allow a remote attacker to execute arbitrary code on the KDC host. As well, multiple double-free vulnerabilities exist in the krb5 library code, which makes client programs and application servers vulnerable. The MIT Kerberos 5 development team believes that exploitation of these bugs would be difficult and no known vulnerabilities are believed to exist. The vulnerability in krb524d was discovered by Marc Horowitz; the other double-free vulnerabilities were discovered by Will Fiveash and Nico Williams at Sun. Will Fiveash and Nico Williams also found another vulnerability in the ASN.1 decoder library. This makes krb5 vulnerable to a DoS (Denial of Service) attack causing an infinite loop in the decoder. The KDC is vulnerable to this attack. The MIT Kerberos 5 team has provided patches which have been applied to the updated software to fix these issues. Mandrakesoft encourages all users to upgrade immediately.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14673
    published 2004-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14673
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2004:088)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD20041202.NASL
    description The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs : - Apache - Apache2 - AppKit - Cyrus IMAP - HIToolbox - Kerberos - Postfix - PSNormalizer - QuickTime Streaming Server - Safari - Terminal These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 15898
    published 2004-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15898
    title Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)
oval via4
  • accepted 2013-04-29T04:04:10.574-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    description Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.
    family unix
    id oval:org.mitre.oval:def:10267
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.
    version 23
  • accepted 2005-02-23T09:25:00.000-04:00
    class vulnerability
    contributors
    • name Brian Soby
      organization The MITRE Corporation
    • name Brian Soby
      organization The MITRE Corporation
    description Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.
    family unix
    id oval:org.mitre.oval:def:3322
    status accepted
    submitted 2004-10-12T12:00:00.000-04:00
    title Kerberos 5 Double-free Vulnerability in krb5_rd_cred Function
    version 31
redhat via4
advisories
rhsa
id RHSA-2004:350
refmap via4
bid 11078
bugtraq 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos)
cert TA04-247A
cert-vn VU#866472
conectiva CLA-2004:860
confirm http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt
debian DSA-543
gentoo GLSA-200409-09
trustix 2004-0045
xf kerberos-krb5rdcred-double-free(17159)
Last major update 17-10-2016 - 22:47
Published 28-09-2004 - 00:00
Last modified 10-10-2017 - 21:29
Back to Top