Vigil@nce: MIT krb5, denial of service of kpropd
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can send malicious data to the kpropd service of MIT
krb5, in order to block the replication of databases on slave KDC.
– Severity: 2/4
– Creation date: 09/02/2011
IMPACTED PRODUCTS
– Mandriva Enterprise Server
– Mandriva Linux
– MIT krb5
– OpenSUSE
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The kpropd service of MIT krb5 is used by a slave KDC to obtain a
copy of the master KDC database. It can be configured with inetd
or standalone, and in total propagation or incremental propagation
(iprop).
In order to implement iprop, the do_standalone() function was
modified to be called with a special parameter from the do_iprop()
function. In this case, the do_standalone() function manages the
exit value of the child process in a special way. However, because
of missing braces, the normal call to do_standalone() does not
correctly manage the exit code: an error in the child process
stops the daemon, instead of being ignored/handled.
So, when kpropd is configured as standalone with a total
propagation, an attacker can send malicious data to the kpropd
service of MIT krb5, in order to stop ip. The database is then not
replicated on the slave KDC.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MIT-krb5-denial-of-service-of-kpropd-10357