ID CVE-2006-3083
Summary The (1) krshd and (2) v4rcp applications in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, when running on Linux and AIX, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which allows local users to gain privileges by causing setuid to fail to drop privileges using attacks such as resource exhaustion.
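The summary describes the defect only as an unchecked setuid() return code. The following C program, added here as an illustration and not taken from MIT krb5 or Heimdal, puts the vulnerable shape next to a checked privilege drop so the difference is concrete. It assumes Linux (getresuid/getresgid are used to read the real, effective and saved IDs); the function names are hypothetical, and dropping to the caller's own identity is used only because that is what an unprivileged test process can do.

```c
/* Added example for CVE-2006-3083: unchecked setuid() versus a verified
 * privilege drop. Not code from MIT krb5 or Heimdal; names are illustrative.
 * Assumes Linux/glibc. Build: cc -Wall -std=c99 drop.c */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable shape (what krshd and v4rcp did): return values are ignored.
 * If setuid() fails, for example with EAGAIN because the target user's
 * RLIMIT_NPROC is exhausted, the session simply keeps running as root. */
static void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
    /* ...and the code goes on to act "as uid" without any proof that it is. */
}

/* Check that the process really is (uid, gid) in all three ID slots and that
 * a dropped root cannot be regained. Returns 1 if so, 0 otherwise. */
static int verify_identity(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return 0;
    if (ruid != uid || euid != uid || suid != uid)
        return 0;
    if (rgid != gid || egid != gid || sgid != gid)
        return 0;
    /* A process that claims to have dropped root must not be able to take it back. */
    if (uid != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* Hardened shape: every call checked, identity verified afterwards.
 * Returns 0 on success, -1 (errno set) on failure. The caller must treat -1
 * as fatal and exit rather than continue serving the request as root. */
static int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Supplementary groups first; only root may call setgroups(). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: once the uid is dropped, setgid() may be refused. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (!verify_identity(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Dropping to our own identity always succeeds and exercises the checks. */
    if (drop_privileges_checked(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%u gid=%u, identity verified\n", (unsigned)uid, (unsigned)gid);

    /* Run as a non-root user, the unchecked variant silently fails to become
     * uid+1 (EPERM); the verification step is what exposes the lie. */
    drop_privileges_unchecked(uid + 1, gid);
    printf("after unchecked drop to uid %u: identity verified = %d\n",
           (unsigned)(uid + 1), verify_identity(uid + 1, gid));
    return 0;
}
```

Two caveats for anyone porting this pattern. The order (setgroups, setgid, setuid) matters because the later calls lose the privilege the earlier ones need, and the post-drop verification is the only defence that works regardless of why setuid() failed. Also note that the specific trigger described on this page, setuid() returning EAGAIN when the target user is over RLIMIT_NPROC, no longer occurs since Linux 3.1: the kernel now lets setuid() succeed and fails the subsequent execve() instead, which is why a robust daemon checks both calls.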
Vulnerable Configurations
  • Heimdal 0.7.2
    cpe:2.3:a:heimdal:heimdal:0.7.2
  • MIT Kerberos 5 1.4
    cpe:2.3:a:mit:kerberos:5-1.4
  • MIT Kerberos 5 1.4.1
    cpe:2.3:a:mit:kerberos:5-1.4.1
  • MIT Kerberos 5 1.4.2
    cpe:2.3:a:mit:kerberos:5-1.4.2
  • MIT Kerberos 5 1.4.3
    cpe:2.3:a:mit:kerberos:5-1.4.3
  • MIT Kerberos 5 1.5
    cpe:2.3:a:mit:kerberos:5-1.5
CVSS
Base: 7.2 (as of 10-08-2006 - 08:33)
CWE CWE-399
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200608-21.NASL
    description The remote host is affected by the vulnerability described in GLSA-200608-21 (Heimdal: Multiple local privilege escalation vulnerabilities) The ftpd and rcp applications provided by Heimdal fail to check the return value of calls to seteuid(). Impact : A local attacker could exploit this vulnerability to execute arbitrary code with elevated privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 22283
    published 2006-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22283
    title GLSA-200608-21 : Heimdal: Multiple local privilege escalation vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0612.NASL
    description Updated krb5 packages are now available for Red Hat Enterprise Linux 4 to correct a privilege escalation security flaw. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found where some bundled Kerberos-aware applications would fail to check the result of the setuid() call. On Linux 2.6 kernels, the setuid() call can fail if certain user limits are hit. A local attacker could manipulate their environment in such a way to get the applications to continue to run as root, potentially leading to an escalation of privileges. (CVE-2006-3083). Users are advised to update to these erratum packages which contain a backported fix to correct this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 22201
    published 2006-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22201
    title RHEL 4 : krb5 (RHSA-2006:0612)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-334-1.NASL
    description Michael Calmer and Marcus Meissner discovered that several krb5 tools did not check the return values from setuid() system calls. On systems that have configured user process limits, it may be possible for an attacker to cause setuid() to fail via resource starvation. In that situation, the tools will not reduce their privilege levels, and will continue operation as the root user. By default, Ubuntu does not ship with user process limits. Please note that these packages are not officially supported by Ubuntu (they are in the 'universe' component of the archive). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27913
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27913
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : krb5 vulnerabilities (USN-334-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200608-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-200608-15 (MIT Kerberos 5: Multiple local privilege escalation vulnerabilities) Unchecked calls to setuid() in krshd and v4rcp, as well as unchecked calls to seteuid() in kftpd and in ksu, have been found in the MIT Kerberos 5 program suite and may lead to a local root privilege escalation. Impact : A local attacker could exploit this vulnerability to execute arbitrary code with elevated privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 22214
    published 2006-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22214
    title GLSA-200608-15 : MIT Kerberos 5: Multiple local privilege escalation vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-APPS-CLIENTS-1937.NASL
    description Various return checks of setuid() and seteuid() calls have been fixed in kerberos client and server applications. If these applications are setuid, it might have been possible for local attackers to gain root access (CVE-2006-3083). We are not affected by the seteuid() problems, tracked by CVE-2006-3084.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27312
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27312
    title openSUSE 10 Security Update : krb5-apps-clients (krb5-apps-clients-1937)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-139.NASL
    description A flaw was discovered in some bundled Kerberos-aware packages that would fail to check the results of the setuid() call. This call can fail in some circumstances on the Linux 2.6 kernel if certain user limits are reached, which could be abused by a local attacker to get the applications to continue to run as root, possibly leading to an elevation of privilege. Updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 23888
    published 2006-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23888
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2006:139)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1146.NASL
    description In certain application programs packaged in the MIT Kerberos 5 source distribution, calls to setuid() and seteuid() are not always checked for success and may fail with some PAM configurations. A local user could exploit one of these vulnerabilities to result in privilege escalation. No exploit code is known to exist at this time.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22688
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22688
    title Debian DSA-1146-1 : krb5 - programming error
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-APPS-SERVERS-1938.NASL
    description Various return checks of setuid() and seteuid() calls have been fixed in kerberos client and server applications. If these applications are setuid, it might have been possible for local attackers to gain root access. (CVE-2006-3083) We are not affected by the seteuid() problems, tracked by CVE-2006-3084.
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29496
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29496
    title SuSE 10 Security Update : krb5-apps-servers and krb5-apps-clients (ZYPP Patch Number 1938)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0612.NASL
    description Updated krb5 packages are now available for Red Hat Enterprise Linux 4 to correct a privilege escalation security flaw. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found where some bundled Kerberos-aware applications would fail to check the result of the setuid() call. On Linux 2.6 kernels, the setuid() call can fail if certain user limits are hit. A local attacker could manipulate their environment in such a way to get the applications to continue to run as root, potentially leading to an escalation of privileges. (CVE-2006-3083). Users are advised to update to these erratum packages which contain a backported fix to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22197
    published 2006-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22197
    title CentOS 4 : krb5 (CESA-2006:0612)
oval via4
accepted 2013-04-29T04:19:56.329-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description The (1) krshd and (2) v4rcp applications in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, when running on Linux and AIX, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which allows local users to gain privileges by causing setuid to fail to drop privileges using attacks such as resource exhaustion.
family unix
id oval:org.mitre.oval:def:9515
status accepted
submitted 2010-07-09T03:56:16-04:00
title The (1) krshd and (2) v4rcp applications in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, when running on Linux and AIX, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which allows local users to gain privileges by causing setuid to fail to drop privileges using attacks such as resource exhaustion.
version 23
redhat via4
advisories
bugzilla
id 197818
title CVE-2006-3083 krb5 multiple unsafe setuid usage
oval
AND
comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304001
rhsa
id RHSA-2006:0612
released 2006-08-08
severity Important
title RHSA-2006:0612: krb5 security update (Important)
refmap via4
bid 19427
bugtraq
  • 20060808 MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities
  • 20060816 UPDATED: MITKRB5-SA-2006-001: multiple local privilege escalation vulnerabilities
cert-vn VU#580124
debian DSA-1146
gentoo
  • GLSA-200608-15
  • GLSA-200608-21
mandriva MDKSA-2006:139
osvdb
  • 27869
  • 27870
sectrack 1016664
secunia
  • 21402
  • 21423
  • 21436
  • 21439
  • 21441
  • 21456
  • 21461
  • 21467
  • 21527
  • 21613
  • 21847
  • 22291
suse
  • SUSE-SR:2006:020
  • SUSE-SR:2006:022
ubuntu USN-334-1
vupen ADV-2006-3225
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 18-07-2011 - 00:00
Published 09-08-2006 - 06:04
Last modified 18-10-2018 - 12:45