ID CVE-2007-0957
Summary Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers.
References
Vulnerable Configurations
  • MIT Kerberos 5 1.6
    cpe:2.3:a:mit:kerberos:5-1.6
CVSS
Base: 9.0 (as of 09-04-2007 - 12:49)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE_INSTANCE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_110060.NASL
    description SEAM 1.0.1: patch for Solaris 8. Date this patch was last updated by Sun : Jul/24/07
    last seen 2017-10-29
    modified 2013-03-30
    plugin id 23323
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23323
    title Solaris 5.8 (sparc) : 110060-22
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-3046.NASL
    description A bug in the function krb5_klog_syslog() leads to a buffer overflow which could be exploited to execute arbitrary code. (CVE-2007-0957) A double-free bug in the GSS-API library could crash kadmind. It's potentially also exploitable to execute arbitrary code. (CVE-2007-1216)
    last seen 2019-02-21
    modified 2013-03-30
    plugin id 29492
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29492
    title SuSE 10 Security Update : Kerberos 5 (ZYPP Patch Number 3046)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-3045.NASL
    description A bug in the function krb5_klog_syslog() leads to a buffer overflow which could be exploited to execute arbitrary code (CVE-2007-0957). A double-free bug in the GSS-API library could crash kadmind. It's potentially also exploitable to execute arbitrary code (CVE-2007-1216).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27308
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27308
    title openSUSE 10 Security Update : krb5 (krb5-3045)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_110061.NASL
    description SEAM 1.0.1_x86: patch for Solaris 8_x86. Date this patch was last updated by Sun : Jul/27/07
    last seen 2016-09-26
    modified 2013-03-30
    plugin id 36315
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36315
    title Solaris 5.8 (sparc) : 110061-22
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_X86_110061.NASL
    description SEAM 1.0.1_x86: patch for Solaris 8_x86. Date this patch was last updated by Sun : Jul/27/07
    last seen 2016-09-26
    modified 2013-03-30
    plugin id 23444
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23444
    title Solaris 5.8 (x86) : 110061-22
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_X86_109224.NASL
    description SunOS 5.8_x86: kpasswd, libgss.so.1 and li. Date this patch was last updated by Sun : Aug/10/07
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 18070
    published 2005-04-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18070
    title Solaris 8 (x86) : 109224-10
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_109223.NASL
    description SunOS 5.8: kpasswd, libgss.so.1 and libkad. Date this patch was last updated by Sun : Aug/03/07
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 18068
    published 2005-04-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18068
    title Solaris 8 (sparc) : 109223-10
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2007-004.NASL
    description The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2007-004 applied. This update fixes security flaws in the following applications : AFP Client AirPort CarbonCore diskdev_cmds fetchmail ftpd gnutar Help Viewer HID Family Installer Kerberos Libinfo Login Window network_cmds SMB System Configuration URLMount Video Conference WebDAV
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 25081
    published 2007-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25081
    title Mac OS X Multiple Vulnerabilities (Security Update 2007-004)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200704-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-200704-02 (MIT Kerberos 5: Arbitrary remote code execution) The Kerberos telnet daemon fails to properly handle usernames allowing unauthorized access to any account (CVE-2007-0956). The Kerberos administration daemon, the KDC and possibly other applications using the MIT Kerberos libraries are vulnerable to the following issues. The krb5_klog_syslog function from the kadm5 library fails to properly validate input leading to a stack overflow (CVE-2007-0957). The GSS-API library is vulnerable to a double-free attack (CVE-2007-1216). Impact : By exploiting the telnet vulnerability a remote attacker may obtain access with root privileges. The remaining vulnerabilities may allow an authenticated remote attacker to execute arbitrary code with root privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 24935
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24935
    title GLSA-200704-02 : MIT Kerberos 5: Arbitrary remote code execution
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0095.NASL
    description From Red Hat Security Advisory 2007:0095 : Updated krb5 packages that fix a number of issues are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues : Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67458
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67458
    title Oracle Linux 3 / 4 / 5 : krb5 (ELSA-2007-0095)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0095.NASL
    description Updated krb5 packages that fix a number of issues are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues : Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 24948
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24948
    title RHEL 2.1 / 3 / 4 / 5 : krb5 (RHSA-2007:0095)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1276.NASL
    description Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-0956 It was discovered that the krb5 telnet daemon performs insufficient validation of usernames, which might allow unauthorized logins or privilege escalation. - CVE-2007-0957 iDefense discovered that a buffer overflow in the logging code of the KDC and the administration daemon might lead to arbitrary code execution. - CVE-2007-1216 It was discovered that a double free in the RPCSEC_GSS part of the GSS library code might lead to arbitrary code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25010
    published 2007-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25010
    title Debian DSA-1276-1 : krb5 - several vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-449-1.NASL
    description The krb5 telnet service did not appropriately verify user names. A remote attacker could log in as the root user by requesting a specially crafted user name. (CVE-2007-0956) The krb5 syslog library did not correctly verify the size of log messages. A remote attacker could send a specially crafted message and execute arbitrary code with root privileges. (CVE-2007-0957) The krb5 administration service was vulnerable to a double-free in the GSS RPC library. A remote attacker could send a specially crafted request and execute arbitrary code with root privileges. (CVE-2007-1216). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28046
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28046
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : krb5 vulnerabilities (USN-449-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-077.NASL
    description A vulnerability was found in the username handling of the MIT krb5 telnet daemon. A remote attacker that could access the telnet port of a target machine could login as root without requiring a password (CVE-2007-0956). Buffer overflows in the kadmin server daemon were discovered that could be exploited by a remote attacker able to access the KDC. Successful exploitation could allow for the execution of arbitrary code with the privileges of the KDC or kadmin server processes (CVE-2007-0957). Finally, a double-free flaw was discovered in the GSSAPI library used by the kadmin server daemon, which could lead to a denial of service condition or the execution of arbitrary code with the privileges of the KDC or kadmin server processes (CVE-2007-1216). Updated packages have been patched to address this issue. Update : Packages for Mandriva Linux 2007.1 are now available.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 24943
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24943
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2007:077-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0095.NASL
    description Updated krb5 packages that fix a number of issues are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues : Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 24919
    published 2007-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24919
    title CentOS 3 / 4 : krb5 (CESA-2007:0095)
oval via4
accepted 2013-04-29T04:08:25.951-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers.
family unix
id oval:org.mitre.oval:def:10757
status accepted
submitted 2010-07-09T03:56:16-04:00
title Stack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers.
version 24
packetstorm via4
data source https://packetstormsecurity.com/files/download/55828/kadmind-overflow.txt
id PACKETSTORM:55828
last seen 2016-12-05
published 2007-04-11
reporter c0ntex
source https://packetstormsecurity.com/files/55828/kadmind-overflow.txt.html
title kadmind-overflow.txt
redhat via4
advisories
rhsa
id RHSA-2007:0095
rpms
  • krb5-devel-0:1.2.7-61
  • krb5-libs-0:1.2.7-61
  • krb5-server-0:1.2.7-61
  • krb5-workstation-0:1.2.7-61
  • krb5-devel-0:1.3.4-46
  • krb5-libs-0:1.3.4-46
  • krb5-server-0:1.3.4-46
  • krb5-workstation-0:1.3.4-46
  • krb5-devel-0:1.5-23
  • krb5-libs-0:1.5-23
  • krb5-server-0:1.5-23
  • krb5-workstation-0:1.5-23
refmap via4
apple APPLE-SA-2007-04-19
bid 23285
bugtraq
  • 20070403 MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957]
  • 20070404 rPSA-2007-0063-1 krb5 krb5-server krb5-services krb5-test krb5-workstation
  • 20070405 FLEA-2007-0008-1: krb5
cert
  • TA07-093B
  • TA07-109A
cert-vn VU#704024
confirm
debian DSA-1276
gentoo GLSA-200704-02
mandriva MDKSA-2007:077
sectrack 1017849
secunia
  • 24706
  • 24735
  • 24736
  • 24740
  • 24750
  • 24757
  • 24785
  • 24786
  • 24798
  • 24817
  • 24966
  • 25464
sgi 20070401-01-P
sunalert 102930
suse SUSE-SA:2007:025
ubuntu USN-449-1
vupen
  • ADV-2007-1218
  • ADV-2007-1250
  • ADV-2007-1470
  • ADV-2007-1983
xf kerberos-krb5klogsyslog-bo(33411)
Last major update 07-03-2011 - 21:51
Published 05-04-2007 - 21:19
Last modified 16-10-2018 - 12:35
Back to Top