Specifications

SAFER – Vol. 3, Issue 6 16 © 2000 The Relay Group
Multiple Vendor Kerberos 5/4 Compatibility krb_rd_req() Buffer Overflow Vulnerability
Released May 16, 2000
Affects MIT Kerberos
Reference http://www.securityfocus.com/bid/1220
Problem
- Several buffer overflow vulnerabilities exist in Kerberos 5 implementations, located in the
Kerberos 4 compatibility code. Affected are MIT Kerberos 5 releases 1.0.x, 1.1 and 1.1.1, MIT
Kerberos 4 patch level 10 (and, most likely, prior releases), and Cygnus KerbNet and Cygnus
Network Security (CNS).
- The main problem is a buffer overflow in the krb_rd_req() library function. This function is used
by every application that supports Kerberos 4 authentication, including, but not limited to, krshd,
klogin, telnetd, ftpd, rkinitd, v4rcp and kpopd. A remote attacker can therefore exploit this
vulnerability to gain root access on affected machines, and a local user can use it to obtain
root-level access.
- A setuid version of v4rcp is shipped with RedHat Linux 6.2 as part of a full install. This program
can be used to obtain root-level access.
- In addition, there are other buffer overruns in the ksu and krshd sources from MIT. These
problems will be remedied in the same MIT release that fixes the krb_rd_req() vulnerability.
SAFER
- Various patches/updates are available.
Hot Area Banner Rotation World-Readable Password Vulnerability
Released May 16, 2000
Affects Hot Area Banner Rotation 1.0
Reference http://www.securityfocus.com/bid/1218
Problem
- Hot Area Banner Rotation 1.0 and Dream Catcher Advertiser store their administrative password in
the file adpassword.txt. Although the password is DES encrypted, the file is world-readable, so any
remote user can retrieve it.
- A malicious user could therefore run a password cracker against it. By default, the password is
'admin', which appears DES encrypted as 'aaLR8vE.jjhss' in adpassword.txt.
- Administrative controls include editing, removing, and adding of advertisement banners.
SAFER
- Set access controls on the file adpassword.txt to prevent remote users from retrieving it.
AntiSniff DNS Overflow Vulnerability
Released May 16, 2000
Affects AntiSniff 1.0.1, AntiSniff - Researchers Version 1.0
Reference http://www.securityfocus.com/bid/1207
Problem
- Certain versions of @Stake Inc.'s AntiSniff software contain a remotely exploitable buffer
overflow. AntiSniff, released by L0pht Heavy Industries in July 1999, attempts, through a number
of tests, to determine whether a machine on the local network segment is listening to traffic that
is not directed to it (commonly referred to as sniffing).
- During one particular test, a problem arises if a packet that does not adhere to the DNS
specification is sent to the AntiSniff machine. This can result in a buffer overflow on the system
running AntiSniff. If the packet is crafted appropriately, this overflow can be exploited to execute
arbitrary code on the system.
- This scenario is only possible if AntiSniff is configured to run the DNS test, and only while that
test is running. Nonetheless, it is a vulnerability that should not be ignored, and the same flaw has
also been found in other promiscuous-mode detection programs.
SAFER
- Do not run the DNS test on AntiSniff version 1.0.1 or the Researchers Version 1.0.
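The AntiSniff flaw above is triggered by a DNS packet that does not follow the RFC 1035 wire format. As an added illustration (not AntiSniff's own code, and the advisory does not say which field it mishandles), this C name decoder shows the bounds checks a detection tool must apply before copying DNS labels into a fixed buffer: it rejects labels that run past the packet, names longer than 255 octets, reserved label types and compression-pointer loops. The three sample name sections are constructed for the example, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_NAME 255  /* RFC 1035: a full domain name is at most 255 octets */

/* Decode the DNS name at offset `off` of `pkt` (`len` bytes) into `out`, which
 * must hold MAX_NAME + 1 bytes. Returns the decoded length, or -1 if the packet
 * does not conform to RFC 1035 (label past end of packet, name too long,
 * reserved label type, compression-pointer loop). Never writes past `out`. */
int dns_decode_name(const uint8_t *pkt, size_t len, size_t off, char *out)
{
    size_t outlen = 0;
    int jumps = 0;
    for (;;) {
        if (off >= len) return -1;                 /* name runs off the packet */
        uint8_t c = pkt[off++];
        if (c == 0) break;                         /* root label terminates name */
        if ((c & 0xC0) == 0xC0) {                  /* 2-byte compression pointer */
            if (off >= len) return -1;
            if (++jumps > 16) return -1;           /* pointer chain/loop too long */
            off = ((size_t)(c & 0x3F) << 8) | pkt[off];
            continue;
        }
        if (c > 63) return -1;                     /* 0x40/0x80 label types unused */
        if (off + c > len) return -1;              /* label length exceeds packet */
        if (outlen + c + 1 > MAX_NAME) return -1;  /* would overflow `out` */
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, pkt + off, c);
        outlen += c;
        off += c;
    }
    out[outlen] = '\0';
    return (int)outlen;
}

/* Constructed sample name sections (no DNS header), not captured traffic. */
static const uint8_t GOOD[] = {3,'w','w','w',7,'e','x','a','m','p','l','e',3,'c','o','m',0};
static const uint8_t TRUNCATED[] = {63,'a','b','c'};  /* claims 63 bytes, carries 3 */
static const uint8_t LOOP[] = {0xC0, 0x00};            /* pointer back to itself */

/* Decode into a correctly sized local buffer: -1 if the packet is rejected,
 * 1 if the decoded name equals `expect`, 0 otherwise. */
int decode_check(const uint8_t *pkt, size_t len, const char *expect)
{
    char name[MAX_NAME + 1];
    if (dns_decode_name(pkt, len, 0, name) < 0) return -1;
    return strcmp(name, expect) == 0;
}
```

The malformed inputs are refused before any copy happens, which is the behaviour a DNS-based promiscuous-mode test needs in order not to be a remote entry point itself.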