CVE-2007-2798 - Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3

CVE-2007-2798

Summary

Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.

References

Vulnerable Configurations

cpe:2.3:a:mit:kerberos_5:-:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:-:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:-:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:-:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:patch_level1:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:patch_level1:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:patch_level2:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:patch_level2:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:patch_level3:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0:patch_level3:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0.6:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0.7:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.0.7:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2:-:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2:-:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2:beta1:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2:beta1:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2:beta2:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2:beta2:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.8:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.2.8:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3:-:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3:-:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3:alpha1:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3:alpha1:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.5:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.5:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.5.4:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.6:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.6:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:mit:kerberos_5:1.6.1:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:6.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:6.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:3.1:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:3.1:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*

CVSS

Base:	9.0 (as of 02-02-2021 - 18:32)
Impact:
Exploitability:

CWE

CWE-787

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:S/C:C/I:C/A:C

oval via4

accepted

2007-11-16T08:14:19.297-05:00

class

vulnerability

contributors

name Nicholas Hansen
organization Opsware, Inc.
name Nicholas Hansen
organization Opsware, Inc.

definition_extensions

comment Solaris 8 (SPARC) is installed
oval oval:org.mitre.oval:def:1539
comment Solaris 8 (x86) is installed
oval oval:org.mitre.oval:def:2059
comment Solaris 9 (SPARC) is installed
oval oval:org.mitre.oval:def:1457
comment Solaris 9 (x86) is installed
oval oval:org.mitre.oval:def:1683
comment Solaris 10 (SPARC) is installed
oval oval:org.mitre.oval:def:1440
comment Solaris 10 (x86) is installed
oval oval:org.mitre.oval:def:1926

description

family

unix

oval:org.mitre.oval:def:1726

status

accepted

submitted

2007-06-28T09:00:00.000-04:00

title

Security Vulnerability in the Kerberos Administration Daemon (kadmind(1M)) May Lead to Arbitrary Code Execution

version

accepted

2015-04-20T04:02:34.917-04:00

class

vulnerability

contributors

name Chandan M C
organization Hewlett-Packard
name Sushant Kumar Singh
organization Hewlett-Packard
name Sushant Kumar Singh
organization Hewlett-Packard
name Prashant Kumar
organization Hewlett-Packard
name Mike Cokus
organization The MITRE Corporation

description

family

unix

oval:org.mitre.oval:def:7550

status

accepted

submitted

2010-10-25T11:35:23.000-05:00

title

HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code

version

accepted

2013-04-29T04:24:00.367-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 3
oval oval:org.mitre.oval:def:11782
comment CentOS Linux 3.x
oval oval:org.mitre.oval:def:16651
comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:9996

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

redhat via4

advisories

bugzilla

id	245549
title	CVE-2007-2798 krb5 kadmind buffer overflow

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment krb5-devel is earlier than 0:1.3.4-49
oval oval:com.redhat.rhsa:tst:20070562001
comment krb5-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060612002
AND
comment krb5-libs is earlier than 0:1.3.4-49
oval oval:com.redhat.rhsa:tst:20070562003
comment krb5-libs is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060612004
AND
comment krb5-server is earlier than 0:1.3.4-49
oval oval:com.redhat.rhsa:tst:20070562005
comment krb5-server is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060612006
AND
comment krb5-workstation is earlier than 0:1.3.4-49
oval oval:com.redhat.rhsa:tst:20070562007
comment krb5-workstation is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20060612008

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment krb5-devel is earlier than 0:1.5-26
oval oval:com.redhat.rhsa:tst:20070562010
comment krb5-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070095011
AND
comment krb5-libs is earlier than 0:1.5-26
oval oval:com.redhat.rhsa:tst:20070562012
comment krb5-libs is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070095013
AND
comment krb5-server is earlier than 0:1.5-26
oval oval:com.redhat.rhsa:tst:20070562014
comment krb5-server is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070095015
AND
comment krb5-workstation is earlier than 0:1.5-26
oval oval:com.redhat.rhsa:tst:20070562016
comment krb5-workstation is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070095017

rhsa

id	RHSA-2007:0562
released	2007-06-26
severity	Important
title	RHSA-2007:0562: krb5 security update (Important)

rhsa
id RHSA-2007:0384

rpms

krb5-debuginfo-0:1.2.7-66
krb5-devel-0:1.2.2-47
krb5-devel-0:1.2.7-66
krb5-libs-0:1.2.2-47
krb5-libs-0:1.2.7-66
krb5-server-0:1.2.2-47
krb5-server-0:1.2.7-66
krb5-workstation-0:1.2.2-47
krb5-workstation-0:1.2.7-66
krb5-debuginfo-0:1.3.4-49
krb5-debuginfo-0:1.5-26
krb5-devel-0:1.3.4-49
krb5-devel-0:1.5-26
krb5-libs-0:1.3.4-49
krb5-libs-0:1.5-26
krb5-server-0:1.3.4-49
krb5-server-0:1.5-26
krb5-workstation-0:1.3.4-49
krb5-workstation-0:1.5-26

refmap via4

apple	APPLE-SA-2007-07-31
bid	24653 25159
bugtraq	20070626 MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow 20070628 FLEA-2007-0029-1: krb5 krb5-workstation 20070629 TSLSA-2007-0021 - kerberos5
cert	TA07-177A
cert-vn	VU#554257
confirm	http://docs.info.apple.com/article.html?artnum=306172 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt https://issues.rpath.com/browse/RPL-1499 https://secure-support.novell.com/KanisaPlatform/Publishing/327/3675615_f.SAL_Public.html
debian	DSA-1323
fulldisc	20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player
gentoo	GLSA-200707-11
hp	HPSBUX02544 SSRT100107
idefense	20070626 Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability
mandriva	MDKSA-2007:137
osvdb	36595
sectrack	1018295
secunia	25800 25801 25814 25821 25870 25875 25888 25890 25894 25911 26033 26228 26235 26909 27706 40346
sgi	20070602-01-P
sunalert	102985
suse	SUSE-SA:2007:038
trustix	2007-0021
ubuntu	USN-477-1
vupen	ADV-2007-2337 ADV-2007-2370 ADV-2007-2491 ADV-2007-2732 ADV-2007-3229 ADV-2010-1574
xf	kerberos-renameprincipal2svc-bo(35080)

Last major update

02-02-2021 - 18:32

Published

26-06-2007 - 22:30

Last modified

02-02-2021 - 18:32