ID CVE-2004-1189
Summary The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.
References
Vulnerable Configurations
  • MIT Kerberos 5 1.2
    cpe:2.3:a:mit:kerberos:5-1.2
  • MIT Kerberos 5 1.3.1
    cpe:2.3:a:mit:kerberos:5-1.3.1
  • MIT Kerberos 5 1.3.5
    cpe:2.3:a:mit:kerberos:5-1.3.5
CVSS
Base: 7.2 (as of 20-06-2005 - 10:32)
Impact:
Exploitability:
Access
  • Vector LOCAL
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-012.NASL
    description Updated Kerberos (krb5) packages that correct buffer overflow and temporary file bugs are now available for Red Hat Enterprise Linux. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1189 to this issue. Additionally a temporary file bug was found in the Kerberos krb5-send-pr program. It is possible that an attacker could create a temporary file that would allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0971 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 16221
    published 2005-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16221
    title RHEL 2.1 / 3 : krb5 (RHSA-2005:012)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-045.NASL
    description Updated Kerberos (krb5) packages that correct a buffer overflow bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1189 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17173
    published 2005-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17173
    title RHEL 4 : krb5 (RHSA-2005:045)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-58-1.NASL
    description Michael Tautschnig discovered a possible buffer overflow in the add_to_history() function in the MIT Kerberos 5 implementation. Performing a password change did not properly track the password policy's history count and the maximum number of keys. This could cause an array overflow and may have allowed authenticated users (not necessarily one with administrative privileges) to execute arbitrary code on the KDC host, compromising an entire Kerberos realm. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20676
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20676
    title Ubuntu 4.10 : krb5 vulnerability (USN-58-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200501-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-200501-05 (mit-krb5: Heap overflow in libkadm5srv) The MIT Kerberos 5 administration library libkadm5srv contains a heap overflow in the code handling password changing. Impact : Under specific circumstances an attacker could execute arbitrary code with the permissions of the user running mit-krb5, which could be the root user. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 16396
    published 2005-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16396
    title GLSA-200501-05 : mit-krb5: Heap overflow in libkadm5srv
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_0BB7677D52F311D9A9E70001020EED82.NASL
    description A MIT krb5 Security Advisory reports : The MIT Kerberos 5 administration library (libkadm5srv) contains a heap buffer overflow in password history handling code which could be exploited to execute arbitrary code on a Key Distribution Center (KDC) host. The overflow occurs during a password change of a principal with a certain password history state. An administrator must have performed a certain password policy change in order to create the vulnerable state. An authenticated user, not necessarily one with administrative privileges, could execute arbitrary code on the KDC host, compromising an entire Kerberos realm.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 18834
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18834
    title FreeBSD : krb5 -- heap buffer overflow vulnerability in libkadm5srv (0bb7677d-52f3-11d9-a9e7-0001020eed82)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2005-007.NASL
    description The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied. This security update contains fixes for the following products : - Apache 2 - AppKit - Bluetooth - CoreFoundation - CUPS - Directory Services - HIToolbox - Kerberos - loginwindow - Mail - MySQL - OpenSSL - QuartzComposerScreenSaver - ping - Safari - SecurityInterface - servermgrd - servermgr_ipfilter - SquirrelMail - traceroute - WebKit - WebLog Server - X11 - zlib
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 19463
    published 2005-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19463
    title Mac OS X Multiple Vulnerabilities (Security Update 2005-007)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-563.NASL
    description A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This overflow in the password history handling code could allow an authenticated remote attacker to execute commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1189 to this issue. Additionally a temporary file bug was found in the Kerberos krb5-send-pr command. It is possible that an attacker could create a specially crafted temporary file that could allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0971 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16028
    published 2004-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16028
    title Fedora Core 2 : krb5-1.3.6-1 (2004-563)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-629.NASL
    description A buffer overflow has been discovered in the MIT Kerberos 5 administration library (libkadm5srv) that could lead to the execution of arbitrary code upon exploitation by an authenticated user, not necessarily one with administrative privileges.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 16112
    published 2005-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16112
    title Debian DSA-629-1 : krb5 - buffer overflow
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-156.NASL
    description Michael Tautschnig discovered a heap buffer overflow in the history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server. The updated packages have been patched to prevent this problem.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16037
    published 2004-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16037
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2004:156)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-564.NASL
    description A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This overflow in the password history handling code could allow an authenticated remote attacker to execute commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1189 to this issue. Additionally a temporary file bug was found in the Kerberos krb5-send-pr command. It is possible that an attacker could create a specially crafted temporary file that could allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0971 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16029
    published 2004-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16029
    title Fedora Core 3 : krb5-1.3.6-2 (2004-564)
oval via4
accepted 2013-04-29T04:16:03.095-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.
family unix
id oval:org.mitre.oval:def:11911
status accepted
submitted 2010-07-09T03:56:16-04:00
title The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2005:012
  • rhsa
    id RHSA-2005:045
refmap via4
apple
  • APPLE-SA-2005-08-15
  • APPLE-SA-2005-08-17
bugtraq
  • 20041220 MITKRB5-SA-2004-004: heap overflow in libkadm5srv
  • 20050110 [USN-58-1] MIT Kerberos server vulnerability
conectiva CLA-2005:917
confirm http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt
mandrake MDKSA-2004:156
trustix 2004-0069
xf kerberos-libkadm5srv-bo(18621)
Last major update 17-10-2016 - 22:52
Published 31-12-2004 - 00:00
Last modified 10-10-2017 - 21:29