Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Critical Kerberos Flaw Revealed 200

doi writes "ZD Net is carrying a story about '...a critical flaw that could allow hackers to circumvent the secure networking system...The problem lies with software in MIT Kerberos 5 called kadmind4 (Kerberos v4 compatibility administration daemon), which allows compatibility with older administrative clients. A buffer stack overflow allows an attacker to use a specially formed request to gain access to the KDC with the privileges of a user running kadmind4.' It affects all MIT-derived versions of Kerberos 4 and 5."
This discussion has been archived. No new comments can be posted.

Critical Kerberos Flaw Revealed

Comments Filter:
  • A distinction... (Score:5, Insightful)

    by Xenographic ( 557057 ) on Thursday October 24, 2002 @11:05PM (#4527359) Journal
    For a minute, I almost wondered if the actual cryptosystem had been broken, but then I realized that this is only the implementation of it. There's a *big* difference...

    Fortunately, all we have to do is download a patch, which is much better than having to find something other than Diffie-Hellman key exchange... :]
    • by dirvish ( 574948 ) <dirvish&foundnews,com> on Thursday October 24, 2002 @11:12PM (#4527400) Homepage Journal
      Unfortunately, most sys admins will be oblivious to the problem and will not patch anything.
    • by delta407 ( 518868 ) <(slashdot) (at) (lerfjhax.com)> on Thursday October 24, 2002 @11:31PM (#4527472) Homepage
      For a minute, I almost wondered if the actual cryptosystem had been broken
      My pulse actually shot up when I read the headline!

      Breathe... breathe... it's just a buffer overflow... ...I'll be okay, just give me a few minutes.
    • by dido ( 9125 ) <dido@imperiuUUUm.ph minus threevowels> on Friday October 25, 2002 @12:15AM (#4527631)

      Just a slight nitpick, but AFAIK, Kerberos never used any public key cryptography at all, Diffie-Hellman or otherwise. They use the Needham-Schroeder key exchange protocol which only requires symmetric key cryptography.

      • You're right, Kerberos is based on Needham-Schroeder key exchange (see http://www.upenn.edu/computing/pennkey/docs/kerbpr es/siframes.htm), but you might want to double-check that nitpick...

        Diffie-Hellman Key Exchange for Kerberos V5

        Abstract

        The Kerberos protocol [RFC1510] currently establishes session keys by the assertion of one party (usually the KDC). This document describes a method for using the Diffie-Hellman algorithm to establish the shared secret between a Kerberos client and application service. For the purposes of this document, the Ticket Granting Service is considered an application service.

        [excerpted from --
        http://www.ietf.org/proceedings/99mar/I-D/draf t-ie tf-cat-kerb-dh-key-exchange-00.txt ]
    • No kidding. "Critical Kerberos Flaw Revealed" is not exactly an appropriate headline for a fscking buffer overflow. Getting a bit sensational now, aren't we?

      It's not a flaw in Kerberos, it's a bug in kadmind4.
      • "Critical Kerberos Flaw Revealed" is not exactly an appropriate headline for a fscking buffer overflow. Getting a bit sensational now, aren't we?

        Hey, it worked - at least, it sure got me to read the blurb in a hurry. (While hyperventilating, but whatever.) Maybe they did it on purpose. At least the panic attack only lasted a couple sentences. If they'd made me actually read the article to find this out....

  • by norwoodites ( 226775 ) <pinskia@BOHRgmail.com minus physicist> on Thursday October 24, 2002 @11:06PM (#4527364) Journal
    That means it does not hurt the opensource version of Kerberos V, heimdal because it does not support Kerberos IV which is supported by KTH.
    • That is exactly what I was going to say.
    • by KevinM ( 45416 ) on Thursday October 24, 2002 @11:35PM (#4527489)
      Assuming your heimdal is built without kerberos4 compatibility. See: http://www.pdc.kth.se/heimdal/

      Also, note that the vulnerability is not just theoretical.
    • "That means it does not hurt the opensource version of Kerberos V,
      heimdal because it does not support Kerberos IV which is supported by KTH.
      Really about time to get a Mac."

      Both the MIT and KTH implementations of Kerberos are open source.
      The version that ships with MacOS is MIT Kerberos.
      • The MIT one is not opensourced because you cannot export it, there is some control on it.
        • The GPL does allow for export restrictions. So export restrictions due to legal advice on US law, IMO, does not preclude something from being open source.

          I know people will disagree. But, then it would have been extremely hard to have open source cryptography until recently....
        • The only export restriction is this:

          Export of software employing encryption from the United States of
          America may require a specific license from the United States
          Government. It is the responsibility of any person or organization
          contemplating export to obtain such a license before exporting.
    • I guess when you weren't looking (a day before the MIT patch was issued) OpenBSD posted this patch [openbsd.org] to kadmind.

      Obsd uses Heimdal, and seemingly the krb4 compatiblity is built into the kadmind daemon. Only MIT-based sites running the kadmind4 daemon are affected, while seemingly all heimdal KDC's running kadmind were. In any case the code flaw in both cases has a similar patch / fix.

  • Will nefarious hackers now be able track them throughout the world?
  • Old news (Score:2, Informative)

    by Anonymous Coward
    This has been known for awhile. The OpenBSD errata contained a patch fixing the flaw in the 3.0 and 3.1 releases three days ago.
  • by 6169 ( 318124 ) on Thursday October 24, 2002 @11:12PM (#4527397)
    Though this seems to be an increasing trend, do we really need to see bug reports like this on Slashdot, even if they are security related? I can understand if the actual protocol was flawed, but this is just a bug in the admin daemon. If I wanted bug and patch information, I would go to bugtraq, or the OpenBSD security list, both of which covered this days ago.
    • by carpe_noctem ( 457178 ) on Thursday October 24, 2002 @11:37PM (#4527498) Homepage Journal
      I completely agree. I say that people wait until the respective worm comes out for the said vulnerability, then post an article about that, where hundreds of /. comments will mock stupid people for not patching their systems. =)
    • by Anonymous Coward on Friday October 25, 2002 @12:11AM (#4527620)
      If you don't like the article, then skip it. Stop posting shit like this, thereby increasing the signal to noise ratio. No one ever claimed that every slashdot article is going to interest everyone. This one is aimed at the more technical crowd, and gives people a chance to talk about kerberos.

      -- gid0ze
    • by fortinbras47 ( 457756 ) on Friday October 25, 2002 @12:27AM (#4527669)
      Bugs in critical authetication and login systems, (eg. Kerberos, ssh, etc...) fall into a category critical enough to warrant a ./ story.

      If we're going to have articles on what dangerous server rooms look like, we can have an article on how if you don't patch that KDC server fast, tens of thousands of user accounts might be compromised. Kerberos is at the HEART of many large multi-user distributed systems. (Universities, hospitals...) A critical flaw possibly compromising hundreds of thousands of accounts worldwide is a big story.

    • Not everybody uses Kerberos, but this is one of the most important implementations, and makes it possible for a cracker to give himself permissions on all your machines. Basically, you'd better move your zig [ferzkopp.net] and fix this. It's especially likely to be used at universities, which turn into big zombie farms if kerberos gets cracked.


      By the way, this interacts with the Quantum Computing discussion threads, because if it's possible to factor big numbers, public-key crypto no longer works, so the fallback for authentication is to use symmetric-key systems like kerberos.

  • Why worry about it? They already have a patch so I don't think it's a big deal. If your a administrator who doesn't keep up with bugtraq or other mailing lists then your just asking for trouble. Just hope no one already exploited this hole on your system :)
  • And I had faith in MIT since they taught Time Cube [timecube.com]..
  • by chickenmonger ( 614989 ) on Thursday October 24, 2002 @11:14PM (#4527411) Journal
    As a user on a network that uses Kerberos authentication, it's good to know about these security flaws. That way, we can email the admin to find out if we should unplug our CAT5. :-)
  • by Anonymous Coward on Thursday October 24, 2002 @11:15PM (#4527416)
    ..on stories like this is if you'd just put some short thing telling how to determine if you are affected by the security hole.

    like, just say "if you type /sbin/sshd --version and it says your version is 2.23 or lower, you're affected".

    A lot of the time it's kind of hard to remember which version exactly you have, and much UNIX software offers no quick, clear way to tell what version you have installed. Hell, i don't even know if i have kerberos. I know i've never consiously used kerberos. But for all i know my linux distribution installed kerberos as part of another package. Now i, and a bunch of other people, are going to be poking around manpages and wierd directories for awhile trying to figure out, uhh, do we have kerberos, what version/brand, do we need to disable or patch anything.. this is not the hardest thing in the world, but it isn't exactly easy when you consider it's 11:12 PM and at my college, we start drinking on thursday night. I'm not exactly in the mood to think logically at this exact moment.

    So, a quick 'heads up, here's the quick way to tell if you're affected' on the part of the slashdotty people at the end of these story blurbs would be much appreciated :)
    • Suck it up man. I just got home from dirning. I couldn't draw a straight line if you paid me but i'm still readin slastdot
      party on woo!
    • Hell, i don't even know if i have kerberos.

      Then you're not affected.

      This is a bug in the Kerberos admin daemon, which only runs on KDCs, which are centralized Kerberos servers. Clients are not affected. Furthermore, it only affects KDCs that have enabled version 4 backwards-compatibility.

      If you don't know what Kerberos is, you don't have to patch your system. Only people that run KDCs have to patch their systems. I've never seen Kerberos installed with less than a few thousand users, so you would probably know if you're the admin of a KDC.

      • Yes, that's the kind of information he was asking for. And he's quite right:
        Every article on a security flaw should include a quick test on how to determine whether or not you are affected.

        If I had mod points right now, he would have gone up. I would probably even have experimented to see if I could mod the same comment more than once. He should be at "+6 insightful: Editors please note!"

    • "A lot of the time it's kind of hard to remember which version exactly you have, and much UNIX software offers no quick, clear way to tell what version you have installed."

      If you're running an RPM based system, "rpm -qa | grep kerb" is a quick way to determine if you've installed Kerberos. This works for any other RPM you've installed.
  • by The Rolling Blackout ( 556170 ) on Thursday October 24, 2002 @11:16PM (#4527417)
    Doesn't this illustrate a backwards compatibility problem with secure systems everywhere? As such, buffer overflows that affected any previous system could conceivably affect any & all backwards-compatible systems made after the fact, should such software be afforded the necessary privileges (esp. remote management tools).

    (I'm not posting this in an attempt to prove I know anything, I just think a clearly worded reply might benefit a few folks, e.g. me)

    • nah (Score:5, Informative)

      by Anonymous Coward on Thursday October 24, 2002 @11:46PM (#4527534)
      Buffer overflows are wholly in implementation, never in specification.

      I mean, they exist only within the program that they effect. All that a buffer overflow is is that someone was writing a program, and they put in some place that they read a value from one place and put it in another-- say, they have a web server, and they recieve some data from the client requesting a web page. And let's say that when they accept this data, they're going to put it into a little memory space that can hold 2000 bytes. A buffer overflow would be what would happen if the web client sent more than 2000 bytes of data, maybe 3000 bytes, and the program stupidly attempted to fit all 3000 bytes into that 2000 byte space. What you get is a buffer overflow; quite literally, that 2000-byte buffer "overflows", spilling an extra 1000 bytes of data into memory. The problem is that those 1000 bytes of memory it overwrites could quite possibly contain very important things. So if you exploit a buffer overflow by accident, say by sending a server more information than it can handle, you'll probably get a crash. But if you know a bit about the way that the program with the buffer overflow bug works, you can do some kind of clever things-- for example, you could send 3000 bytes, but very carefully sculpt those last 1000 bytes so that the program keeps running, doesn't crash, but suddenly has a bunch of your information in its memory. Do this right (hulk smash stack! smash!), and you can
      literally send a very small program into the memory of the server and trick the server into running this program.

      Now, this is a programming error; you can't build a buffer overflow into a protocol. Why? Because it's just a programming error. In our example above, the programmer of the web server made the mistake of not taking steps to prevent a buffer overflow. And preventing a buffer overflow is *easy*; you just make sure that whenever you copy data from one place to another, that you never put into a single memory space more data than it can hold. Like, you're writing that web server, and you have a network socket through which the client is sending you a request? Use fgets(SOCKET, space, 2000); instead of gets(SOCKET, space); (i think that's the right syntax). fgets() is a special version of gets(), with the special condition that you can give it a number of bytes and say "if the data coming in from this filehandle is more than this number of bytes, i don't want you to give me the rest". So fgets() will just read in 2000 characters and then stop, preventing a buffer overflow. It's that simple, you just carefully pick the ways in which you copy memory. the problem is that C is hard and people are lazy and people keep doing things like using gets() and lazily coding their fscanf() statements.

      Now, there is one sort-of-exception to my "you can't code a buffer overflow into a protocol" rule: AOL actually did! That is to say, at one point AOL was trying to figure out how to lock Jabber and MSN users out of using the OSCAR protocol to access AOL instant messenger. (Third party clients are supposed to use TOC instead.) So AOL looked at their program and realized, hey, we accidentally put this buffer overflow in this one place in our AIM client, and neither MSN or jabber have that overflow. So (and they may have undone this change since then, i don't know, it was a wierd month) they changed the OSCAR protocol to the point where you literally can't connect to AOL instant messenger without that buffer overflow there! Becuase the OSCAR server would buffer-overflow-attack the AIM client, and send it code where, if the overflow was successful, the AIM client would send back a specific packet. If the OSCAR server didn't get this packet, it would disconnect you. Creepy, huh? Now, this wasn't very unsafe, becuase the way that the client was set up the only way that the buffer overflow could be exploited was by data recieved from AOL's computers.. but, then, it was also pretty stupid, becuase the buffer overflow was still exploitable by someone doing a man-in-the-middle attack and impersonating AOL's servers!

      But, uh, yeah, that story doesn't have anything to do with backward-compatibility. kerberos didn't have to have the buffer overflow to bebackward compatible, that just isn't the way protocols work. i am guessing the overflow cropped up in backward-compatibility code because one, backward-compatibility code is usually really, really nasty and hard to debug, and two, it's possible that the backward-compatibility code in v5 could have been largely copied out of v4, and the code with the buffer overflow copied along with it.

      That answer your question any?

      Yeah. You see? you see all this typing above?? this is the extents i will go to to find some distraction so that i don't actually have to do my homework. God, remind me never to go to grad school, i'd never get my thesis even started.

      --super ugly ultraman
      • Re:nah (Score:4, Funny)

        by Anonymous DWord ( 466154 ) on Friday October 25, 2002 @12:08AM (#4527600) Homepage
        If you did your thesis on buffer overflows, you'd be halfway done already.
      • There is something else that I would like to know. Since a buffer overflow attack overwrites with data memory addresses filled with instructions, why not designing an operative system that isolates the executable memory from the data memory?

        Make it with two levels of access; there should be memory that can be writen to by the programmer and memory that can hold executable instructions, and keep them shielded from each other at the OS level.

        I'm not an OS designer; what complications would this carry? Would it protect from the current exploits?
        • Re:nah (Score:5, Informative)

          by psamuels ( 64397 ) on Friday October 25, 2002 @12:35AM (#4527688) Homepage
          There is something else that I would like to know. Since a buffer overflow attack overwrites with data memory addresses filled with instructions, why not designing an operative system that isolates the executable memory from the data memory?

          This is theoretically a good idea - and in fact it has been done as a Linux patch, more than once. Google for "solar designer" linux non-executable stack. There are a couple of problems:

          • Some code needs to be able to write a stream of instructions that it will then jump to. This is called a "trampoline" and can accomplish tricks which are otherwise difficult to do within the confines of a compiled language. I think GCC emits trampolines for certain C++ constructs on certain architectures, but I seem to remember there was some noise made awhile back about migrating to other methods so as to work with non-exec stacks.

            Just-in-time (JIT) compilers for languages such as LISP and Java have to be able to write executable code at runtime, though it's not really called a trampoline in that case.

          • It is possible to exploit a buffer overflow without actually executing code directly. Hard to explain, but the gist is that you overwrite bits of the stack which represent the function return address, so that the function "returns" to somewhere other than where it came from - say for example into the C library's system() function. Craft the rest of your overflow properly and you can dictate the arguments to said function - say system("/bin/sh").

            I believe it has been demonstrated that any buffer overflow which can be exploited to execute code directly can also be exploited to execute code via the indirect method outlined above. At least on certain architectures. RTFG.

            So, if Linus (for example) were to incorporate Solar Designer's non-exec stack patch into the Linux kernel, the exploit writers of the world would spend a week or so re-learning how to build buffer exploits to use nonexecutable means.

          This is the main reason people oppose the non-executable stack patches. If widely used, we would in the long run be no better off than before. The added complexity in the Linux kernel would buy nothing. Naturally, those who have to battle kernel complexity generally oppose it. But - note that as long as only a few people use Solar's patch, they are better off, because the exploit writers do not focus on them. (Same reason there are more viruses for Windows than for MacOS 9, which had little significant virus resistance.)

          Ahem. I also feel compelled to mention (since someone else will if I don't) that in combination with other techniques, such as relinking libraries with random load addresses on each machine, the non-exec stack patch may actually be effective. I am nowhere near enough of an expert to say for sure. (Jakub Jelinek's ELF prelinker sounds rather interesting in that context....) Also, architectures (like the HP PA-RISC) whose stacks grow upward instead of downward are probably resistant to most common buffer overflow techniques, but again I don't have the skillz to say whether such techniques could be adapted.

        • Almost all OS's do that but for another reason entirely -- if you know what memory is code and what memory is data then when you need to start clearing memory by writing it to the pagefile, you can just throw away the executable data and re-read it from the binary if its needed. This is why you can't modify/move an EXE (to borrow a windows term) while it is running.

          When you make a function call, the last thing that goes on the stack (think of the stack as scratch space for a running program) should be the address to return to after that function is done ... so you overwrite *that* address to execute additional instructions you've placed on the stack.

          The fix is to design the CPU so it refuses to run code in an area designated as stack space, pretty much what you've said but most CPU's differentiate between code and data only (because code has different cacheing rules then data). I'm pretty sure sun/sparcs can keep track of stack space as well if you supply some weird option in the bios. I would imagine other cpus are capable of this as well.

          • Re:nah (Score:4, Informative)

            by davidstrauss ( 544062 ) <david@UUUdavidst ... inus threevowels> on Friday October 25, 2002 @12:44AM (#4527715)
            The fix is to design the CPU so it refuses to run code in an area designated as stack space...

            Not to say the argument isn't entirely valid, but Microsoft uses this as an argument for Pallidium and "trusted" code. Be cafeful about asking for restrictions on how code can run on a user's computer.

            • Re:nah (Score:3, Insightful)

              hehe your activism is poorly used here. Memory protection is a critical OS concept and has been built into every intel cpu since the 386. The only mechanism needed to keep the CPU from running code on the stack is a list of stack areas :) The same concept keeps programs from accessing other programs memory space in modern OS's (linux, NT/XP, BSD etc). The problem is it protects a program from being overwritten by other programs, not itself :D
          • The fix is to design the CPU so it refuses to run code in an area designated as stack space

            Modern CPUs do this. You can specify whether certain pages are executable or not, so you just set a couple of different bits in page table entries for pages allocated for stack to make the stack non-executable. The kernel will always know what pages are allocated for a program's stack because the kernel allocates the initial stack and sets the stack pointer, and the way a program's stack grows is by accessing an address lower than what is available, which generates a page fault, which in turn lets the kernel know that the program needs more stack space. Somewhere in the kernel there's some heuristic for determining whether or not a page fault is due to the stack growing. (eg, what happens if you just access memory right in between the stack and top of heap? Try it on your favorite Unix, then try incrementing that address until it no longer segfaults.)

            The short of it is that modern CPUs do not require any additional hardware support to make the stack non-executable.

            I'm pretty sure sun/sparcs can keep track of stack space as well if you supply some weird option in the bios

            Sparcs don't have a BIOS. It's called Open Firmware, and it's completely different from a PC BIOS (for one thing, Open Firmware implements a real programming language in ROM).

        • Re:nah (Score:2, Informative)

          by kiolbasa ( 122675 )

          Since a buffer overflow attack overwrites with data memory addresses filled with instructions, why not designing an operative system that isolates the executable memory from the data memory?

          The x86 is what we call a Von Neumann (maybe not spelled that way) architecture machine, meaning memory is memory and you can put whatever you want there. A Harvard architecure machine separates program and data memory. There are tradeoffs and advantages to each architecture.

          The operating system you suggest running on a Von Neumann machine would essentially emulate a Harvard machine on hardware not designed to do that. To avoid buffer overflows, just use a Harvard machine with an OS designed for it. But you lose the advantages of a Von Neumann machine, like self-modifying code, simpler executable formats, simpler memory management.

          In simple terms, all your questions could be answered with "It's a hardware thing."

      • Buffer overflows are wholly in implementation, never in specification... Now, there is one sort-of-exception to my "you can't code a buffer overflow into a protocol" rule: AOL actually did!

        You just gave me an idea-- Secure Client Authentication Protocol. Will file for RFC status on April 1, 2003!

  • Critical Flaw?? (Score:4, Insightful)

    by Anonymous Coward on Thursday October 24, 2002 @11:16PM (#4527419)
    Whoa, reading this title I thought maybe it was an actual flaw in the protocol! But it's just a buffer overflow. At least ZDNet put "critical" in quotes.

    So all I have to do is update the software and I'm good to go. Just like any other buffer overflow.

    Actually I don't use Kerberos at all, so it really doesn't matter. But the title really caught my attention..
    • So all I have to do is update the software and I'm good to go. Just like any other buffer overflow.

      When are we going to switch to languages that don't have buffer overflow problems? Solutions have been around for years. It stuns me that buffer overflow is still an avenue of attack.
    • Yeah, I read it as a flaw in the protocol too, which really suprised me as I did a presentation on kerberos for a grad level netowkring class, so for a breif time at least I completely understood it, and couldn't imagine how it could be flawed.

      M@
  • is this for real (Score:5, Insightful)

    by carpe_noctem ( 457178 ) on Thursday October 24, 2002 @11:21PM (#4527434) Homepage Journal
    Hrm....I haven't noticed anything about this on Bugtraq or Full-Disclosure, and you'd think that something this big would be all over those lists about two or three days before it got posted here. I'll believe this when I see a proof-of-concept.
  • by the_other_one ( 178565 ) on Thursday October 24, 2002 @11:30PM (#4527469) Homepage

    Is this just a warning of a potential hole.

    Or has somebody actually made an exploit.

    Does anybody know of a warez site from which I can get the security patch for free.

  • by carpe_noctem ( 457178 ) on Thursday October 24, 2002 @11:34PM (#4527485) Homepage Journal
    Well, Microsoft is currently working on their own implementation of Kerberos, Microsoft Kerberos [microsoft.com]. I've seen about a half-dozen root exploits for MIT kerberos, but none yet for MS kerb. I guess this is really a first for the boys in blue. ;]
    • Actually, this [mit.edu] security advisory (from the list [mit.edu]) states that "Serious buffer overruns exist in krb4 compatibility code." It's not dated, but from reading it, it must be from at least six patches ago.

      In other words, this latest advisory is the *first* specific bug of this type found since the problem was first discovered (and numerous other bugs of this type have presumably been fixed by now).

      I think it's safe to assume that it won't be the last, so if you really want to be secure, take the original advisory to heart and avoid krb4 compatibility code.
    • MSFT doesn't provide any of the krb4 implementation so this and other krb4 problems won't be an issue.

      Krb5 was recently found to have a flaw in the xdr_array function, the last kerberos bug I know of before that was the kerberized telnet daemon -- same bug that was in standard telnetd, the 'ayt' sequence I think. Again, no telnet, no flaw.

      Those are the only two flaws I can think of in krb5 in the past 3 years, but yes there were more in the krb4 implementation.

  • Nawww.... (Score:4, Funny)

    by WetCat ( 558132 ) on Thursday October 24, 2002 @11:41PM (#4527519)
    Stack overflow, stack overflow... Better create an architecture and/or compiler where is NO stack at all! Be much more secure then.

    ---
    How is everybody spent todays' slashdot meetup?
    • Re:Nawww.... (Score:2, Interesting)

      by octogen ( 540500 )
      I'd recommend having a separate data stacks and address stacks, or some kind of hardware-supported pointer protection (for example, IBM's AS/400s have hardware pointer protection for certain kinds of pointers, therefore you can't fake these pointers by overwriting them with data)
    • Re:Nawww.... (Score:5, Informative)

      by nelsonen ( 126144 ) on Friday October 25, 2002 @12:20AM (#4527646)
      It's called Burroughs/Unisys MCP Stack Architecture. :-) Been around since the mid 60s. Bounds checking down to the array level, hardware enforced, with hardware enforced data/code seperation.

      http://public.support.unisys.com/aseries/docs/ha rd ware/70205547-001.pdf is the current architecture document.
  • patch available (Score:5, Informative)

    by fat32 ( 620360 ) on Thursday October 24, 2002 @11:41PM (#4527520)
    The patch is available here [ciac.org].
  • by Benley ( 102665 ) on Thursday October 24, 2002 @11:43PM (#4527530) Journal

    So basically, all you have to do to avoid the vulnerability is just not run kadmind4, correct? I certainly can't speak for other KDC admins, but I haven't had much of a use for krb4 compatibility for a long time now - I disabled it at LEAST a year ago. Are there still many systems and/or applications that don't support Kerberos5? In any event, yay for me, my KDCs are unaffected!

    • Kudos to you for disabling unused services, but just because something is disabled doesn't necessarily mean you don't need to patch it. Suppose it does need to be enabled, perhaps a year from now, for some temporary purpose, and this vulnerability doesn't cross your mind at the time. Or maybe you won't even be there, and your replacement finds some reason to re-enable it. Whatever the case, finding a reason to not patch it is not a good practice in my mind.

      You may sleep easier tonight than some other people, and you may not be racing to log in and patch it like some other admins are, but come the morning you probably should be planning on patching it. But I'm sure that's already on your schedule. :) Of course, if it's not even installed in the first place, then I guess you don't have to worry about it in the first place.
      • On my network we have a process for this--

        1-- all unusdes services are disabled
        2-- Of course acive services are always patched.
        NOTE-- we do not assume that backwards-compatible components to be necessarily patched unless active and maintained by IT.

        3-- If we need a backwards compatible patch, we usually upgrade the entire package (testing first, naturally).

        4: We keep a database of all vulnerabilities found about our software and how they were resolved. This enables us to query what vulnerabilities are found on inactive services and what computers could be affected.

        Look-- the point is plan. There are many ways of doing things, but the point is to have a plan and be thinking about things. Security is more a way of live than a set of precautions.
  • Imagine being a sysadmin at MIT, having to replace/patch versions of Kerberos on every single computer... Ouch! Send that Mountain Dew in!
    (Yes, I'm aware that they probably have lots of undergrads helping. Still, the concept is quite large.)
    • Re:Oh No... (Score:2, Informative)

      umm... this flaw affects the server, not the client, so they would only have to patch the few server machines...
      but even if there was a security patch that needed to be applied to all public workstations, there is an automatic update deployment procedure... so no, sysadmins wouldn't ever have to go from computer to computer, replacing software...
  • If only... (Score:4, Funny)

    by Chester K ( 145560 ) on Friday October 25, 2002 @12:00AM (#4527577) Homepage
    If only we were all using Windows this could have been avoided. :(
    • So it was version 5 of Kerberos that MS ripped off?

      (Yah, I know it was legal. So was bastardizing the protocol. But it was still quite impolite.)

  • by Gregg Alan ( 8487 ) on Friday October 25, 2002 @12:15AM (#4527632)
    It doesn't matter what you do...some part of your security solution is going be broken by some hackers at some point. Get used to it, deal with it.

    Me, I spend the money my boss gives me for security on beer and better video cards for my office mates that like unreal tournament.

    Oh, I should also mention that in addition to not providing any type of network secuity you must also not supply any type of network monitoring. Can you imagine...you're two frags from godlike and some system monitor (that you don't understand anyway) starts paging your beeper like a crazy x-girlfriend.

    You might just lose concentration.
  • Why this is big.... (Score:5, Informative)

    by fortinbras47 ( 457756 ) on Friday October 25, 2002 @12:17AM (#4527636)
    Kerberos is the security core of some very large systems.... For example at the University I attend, logins on all accounts on the campus wide computing infastructure are done through kerberos. AFS file system tickets are done with kerberos. Authentication for logging into class registration is done through kerberos. And the list goes on. If someone managed to root one of the main kdc servers and compromise a bunch of accounts, the person could create mischeif on a rather large scale.

    I wonder how much you could do before you got noticed, but even if you managed to copy over the encrypted password files, I'm sure you could find some that fell to cracking software.

    The ramifications of a flaw in a kerberos implementation is a great deal more important than a flaw in outlook. (The importance of this though means this flaw is probably going to be patched faster than a speeding bullet!)

    • I wonder how much you could do before you got noticed, but even if you managed to copy over the encrypted password files, I'm sure you could find some that fell to cracking software.

      Just copy the Kerberos secrets database and you can grant yourself tickets to impersonate anyone you want. I am not a Kerberos admin, but I believe in general changing said secret is far from trivial, because every single service provider on the network must be updated.

      (This is by design - the whole K architecture is designed around an ultimately trusted KDC which is known to the services via some sort of shared secret.)

  • by dananderson ( 1880 ) on Friday October 25, 2002 @12:26AM (#4527668) Homepage
    kadmin4 has a history of buffer overflow and security bugs.

    Unless you need backward compatibility with Kerberos v4 (most people should use v5 nowadays), disable it.

    Lose kadmin4 and disable starting krb524d in /etc/init.d/

  • C programming (Score:4, Insightful)

    by g4dget ( 579145 ) on Friday October 25, 2002 @12:54AM (#4527738)
    "We're smart, we're careful, we can write code in C that doesn't have buffer overflows." Yeah, right. If MIT hackers can't do it, if Microsoft can't do it, who can?
    • What would you rather use, Java? No buffer overflows, maybe, but it's by no means immune to logic flaws -- and those are a lot harder to track down and fix.

      The point is that if a programmer wants to be sloppy and stupid, s/he'll find a way to be sloppy and stupid, no matter what strange constraints the language imposes.
      • Re:C programming (Score:3, Informative)

        by HiThere ( 15173 )
        Languages without buffer overflows:
        Ada*, Python, Ruby, Pascal, Clean (well, that's windows only), Eiffel, OCaML, APL, PL/1**.

        Some of these languages are relatively slow. Ada is as fast as C, and as powerful as C++, but a pain to learn. Eiffel differs greatly between implementations, and is *extremely* dependant on how you specify compile time options. If you have all possible checks on, then it is slow. If you turn them off, then it is fast. And you can fine-tune it so that some routines have check on and others don't. Python and Ruby are "reasonably fast", but certainly not speedy. I don't know Clean or OCaML, but for some things OCaML is quite fast. APL is... well, it's APL. The original write-only language. I never learned it well, so I can't speak to it's advantages and disadvantages, but at one point CDC was considering choosing it as the language that it's STAR computer would be designed for. I think that meant that a macro processor would be able to translate it into the binary, but I'm not sure. So it must have some capabilities as a systems language.

        * In Ada you can have buffer overflows, but it takes extra work. No automatic garbage collection however.
        ** In PL/1 it depends on the kind of variables allocated. Your programming style determines whether or not buffer overflows are prohibited. But this doesn't mean the kind of constant attention that C requires, as you can control it at variable declaration time.
  • I'm curious to know how these buffer overflow exploits are typically found? Does somebody go through the source (if ineed it is avaiable) and look for potential buffers to overflow? Or is it more like they go through the whole inerface to the thing and check everywhere where they can give some input and see if thy can cause an overflow that way?

Keep up the good work! But please don't ask me to help.

Working...