Users login

Create an account »


Users login

Home » Hacking News » FreeBSD-SA-01:25 Security Advisory

FreeBSD-SA-01:25 Security Advisory

by Phiber on February 16th, 2001 The advisory describes three vulnerabilities: first, an overflow in the libkrb KerberosIV authentication library, second, improper filtering of environmental variables by the KerberosIV-adapted telnet daemon, and finally, a temporary file vulnerability in the KerberosIV ticket management code.

A buffer overflow exists in the libkrb Kerberos authentication library, which may be exploitable by malicious remote authentication servers. This vulnerability exists in the kdc_reply_cipher() call. An attacker may be able to overflow this buffer during an authentication exchange, allowing the attacker to execute arbitrary code with the privileges of the caller of kdc_reply_cipher()....

The telnet protocol allows for UNIX environmental variables to be
passed from the client to the user login session on the server. The
base system telnet daemon, telnetd, goes the great lengths to limit
the variables passed so as to prevent them from improperly influencing
the login and authentication mechanisms. The telnet daemon used with
KerberosIV relied on an incomplete list of improper environment
variables to remove from the environment before executing the login
program. This is a similar vulnerability to that described in
Security Advisory 00:69.

Two environment variables have been identified that place users of
Kerberos at risk. The first allows the remote user to change the
Kerberos server used for authentication requests, increasing the
opportunity for an attacker to exploit the buffer overflow. The
second allows the configuration directory for Kerberos to be modified,
allowing an attacker with the right to modify the local file system to
cause Kerberos to autheticate using an improper configuration
(including Kerberos realm and server configuration, as well as
srvtab). These vulnerabilities may be used to leverage root access.


If your system has the KerberosIV distribution installed, remote and
local users may be able to obtain root privileges on the local system.

Quick fix:

Upgrade your vulnerable FreeBSD system to 4.2-STABLE or
3.5-STABLE after the respective correction dates.

More information on this vulnerability and another solution is available in the advisory.

Download this advisory


Visit FreeBSD Security

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »