{"vuid":"VU#356961","idnumber":"356961","name":"MIT Kerberos kadmind RPC library gssrpc__svcauth_gssapi() uninitialized pointer free vulnerability","keywords":["MIT","Kerberos","kadmind","remote code execution","krb5-06262007","apple_2007-007"],"overview":"The MIT Kerberos administration daemon (kadmind) can free an uninitialized pointer, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.","clean_desc":"The gssrpc__svcauth_gssapi() function used by the Kerberos administration daemon can free an uninitialized pointer when it receives an RPC request carrying a zero-length credential. The resulting memory corruption may allow a remote, unauthenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-004: The function gssrpc__svcauth_gssapi() in src/lib/rpc/svc_auth_gssapi.c declares an automatic variable \"creds\" of type auth_gssapi_creds. This type includes a gss_buffer_desc (which includes a pointer to void used as a pointer to a buffer of bytes). If gssrpc__svcauth_gssapi() receives an RPC credential with a length of zero, it jumps to the label \"error\", which executes some cleanup code. At this point, the gss_buffer_desc in \"creds\" is not yet initialized, and the cleanup code calls xdr_free() on \"creds\", which then attempts to free the memory pointed to by the uninitialized \"value\" member of the gss_buffer_desc. Exploitation of freeing of invalid pointers is believed to be difficult, and depends on a variety of factors specific to a given malloc implementation. Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.1. MIT has been provided with proof-of-concept exploit code that causes a denial of service, but it's not clear whether the exploit code is publicly available yet.\nThis vulnerability occurred as a result of failing to comply with rule EXP33-C (do not read uninitialized memory) of the CERT C Programming Language Secure Coding Standard.","impact":"A remote, unauthenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.","resolution":"Apply a patch\nA patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-004. MIT also states that this will be addressed in the upcoming krb5-1.6.2 and krb5-1.5.4 releases.","workarounds":"","sysaffected":"","thanks":"Thanks to MIT for reporting this vulnerability. MIT in turn credits Wei Wang of McAfee Avert Labs.","author":"This document was written by Will Dormann.","public":["http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt","http://sunsolve.sun.com/search/document.do?assetkey=1-26-102914-1","http://secunia.com/advisories/25841/","http://secunia.com/advisories/25800/","http://secunia.com/advisories/26033/","http://docs.info.apple.com/article.html?artnum=306172"],"cveids":["CVE-2007-2442"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2007-06-13T12:21:54Z","publicdate":"2007-06-26T00:00:00Z","datefirstpublished":"2007-06-26T18:39:57Z","dateupdated":"2007-08-08T16:47:40Z","revision":19,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"16","cam_exploitation":"0","cam_internetinfrastructure":"16","cam_population":"10","cam_impact":"20","cam_easeofexploitation":"3","cam_attackeraccessrequired":"15","cam_scorecurrent":"5.4","cam_scorecurrentwidelyknown":"6.075","cam_scorecurrentwidelyknownexploited":"9.45","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":5.4,"vulnote":null}
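The cleanup-on-error pattern the advisory describes, reduced to a self-contained C model. This is an added example, not code from MIT krb5 or from this vulnerability note: the struct layouts, the toy credential encoding (one version byte followed by handle bytes), the tracking allocator that counts an invalid free instead of handing it to libc, the 0x41 fill standing in for stale stack contents, the sample credential and every function name are constructed for the demonstration. Only the control flow (zero-length credential, jump to the error label, unconditional xdr_free-style cleanup of an automatic struct) follows the advisory text; the hardened variant zero-initializes the struct before any path can reach the cleanup, which is one way to satisfy EXP33-C.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed shapes: the real types carry more fields, but the bug only needs a
 * heap pointer inside an automatic struct. */
typedef struct { size_t length; void *value; } gss_buffer_desc;
typedef struct { uint32_t version; gss_buffer_desc client_handle; } auth_gssapi_creds;

/* Tracking allocator: freeing a pointer it never handed out is counted instead
 * of reaching libc, so the invalid free is observable rather than a crash. */
static void *live[16];
static int n_live, n_invalid_free;

static void *tracked_malloc(size_t n)
{
    void *p = (n_live < 16) ? malloc(n) : NULL;
    if (p) live[n_live++] = p;
    return p;
}

static int tracked_free(void *p)
{
    for (int i = 0; i < n_live; i++)
        if (live[i] == p) { free(p); live[i] = live[--n_live]; return 0; }
    n_invalid_free++;      /* a real malloc would corrupt its heap state or abort */
    return -1;
}

int invalid_frees(void)    { return n_invalid_free; }
int live_allocations(void) { return n_live; }

/* Stand-in for xdr_free() on creds: trusts the struct and frees what value points at. */
static void xdr_free_creds(auth_gssapi_creds *c)
{
    if (c->client_handle.value != NULL)
        tracked_free(c->client_handle.value);
    c->client_handle.value = NULL;
}

/* Toy credential encoding (constructed): one version byte, then handle bytes. */
static int xdr_decode_creds(const uint8_t *cred, size_t cred_len, auth_gssapi_creds *out)
{
    if (cred_len < 1) return -1;
    out->version = cred[0];
    out->client_handle.length = cred_len - 1;
    out->client_handle.value = tracked_malloc(cred_len);   /* never malloc(0) */
    if (out->client_handle.value == NULL) return -1;
    memcpy(out->client_handle.value, cred + 1, cred_len - 1);
    return 0;
}

/* Vulnerable shape from the advisory: `creds` is never written before the
 * zero-length branch jumps to the cleanup label. */
int svcauth_gssapi_unsafe(const uint8_t *cred, size_t cred_len)
{
    auth_gssapi_creds creds;
    int ret = -1;
    /* Constructed stand-in for indeterminate stack contents: the real code leaves
     * creds uninitialized (undefined to read), so plant a bogus pointer instead. */
    memset(&creds, 0x41, sizeof creds);
    if (cred_len == 0)
        goto error;                 /* creds.client_handle.value is garbage here */
    if (xdr_decode_creds(cred, cred_len, &creds) != 0)
        goto error;
    ret = 0;
error:
    xdr_free_creds(&creds);         /* frees the garbage pointer on the first path */
    return ret;
}

/* Hardened shape: zero the struct before any path can reach the cleanup, so
 * xdr_free_creds() sees NULL and skips the free (EXP33-C). */
int svcauth_gssapi_fixed(const uint8_t *cred, size_t cred_len)
{
    auth_gssapi_creds creds;
    int ret = -1;
    memset(&creds, 0, sizeof creds);
    if (cred_len == 0)
        goto error;
    if (xdr_decode_creds(cred, cred_len, &creds) != 0)
        goto error;
    ret = 0;
error:
    xdr_free_creds(&creds);
    return ret;
}

/* Constructed sample credential: version 1, three handle bytes. */
const uint8_t sample_cred[] = { 1, 'a', 'b', 'c' };

int main(void)
{
    int bad = svcauth_gssapi_unsafe(NULL, 0);
    printf("unsafe, zero-length cred: ret=%d invalid frees=%d\n", bad, invalid_frees());
    int ok = svcauth_gssapi_fixed(sample_cred, sizeof sample_cred);
    printf("fixed, valid cred: ret=%d invalid frees=%d (unchanged) live=%d\n", ok, invalid_frees(), live_allocations());
    return 0;
}
```

Run it and the unsafe path reports one invalid free for the zero-length credential while the zeroed variant reports none; with a real malloc the same garbage pointer reaches free(), and what happens next depends on the allocator, which is exactly the caveat the advisory attaches to exploitability. The tracking allocator also shows that both variants release the handle buffer correctly on the valid-credential path, so the fix changes nothing except the error path.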