{"vuid":"VU#401660","idnumber":"401660","name":"MIT Kerberos (krb5) ftpd and ksu do not properly validate seteuid() calls","keywords":["Kerberos","MIT implementation","local privilege escalation","ftpd","ksu"],"overview":"Privilege escalation vulnerabilities in MIT krb5 ftpd and ksu may allow an authenticated attacker to execute arbitrary code.","clean_desc":"The MIT krb 5 ftpd and ksu programs contain multiple privilege escalation vulnerabilities. These vulnerabilities are dependent on the host operating system's implementation of the seteuid() system call and result when seteuid() can fail due to resource exhaustion while changing to an unprivileged user ID. Some implementations of seteuid() do not expose the vulnerability. From MIT krb5 Security Advisory 2006-001: The following vulnerabilities may result from unchecked calls to seteuid(). These vulnerabilities are not yet known to exist on any operating system: Unchecked calls to seteuid() in ftpd may allow a local privilege escalation leading to reading, writing, or creating files as root. Unchecked calls to seteuid() in the ksu program may allow a local privilege escalation resulting in filling a file with null bytes as root and then deleting it (the \"kdestroy\" operation).","impact":"An authenticated attacker may be able to execute arbitrary code with root privileges.","resolution":"Upgrade\nThe MIT Kerberos team has released an update to address these issues. See the Systems Affected section of this document for information about specific vendors. Users who compile Kerberos from the original source distribution should see MIT krb5 Security Advisory 2006-001 for more details.","workarounds":"Disable vulnerable programs From MIT krb5 Security Advisory 2006-001:  \"Disable krshd and ftpd, and remove the setuid bit from the ksu binary and the v4rcp binary.\"","sysaffected":"","thanks":"Thanks to the MIT Kerberos Team for reporting this issue. The MIT Kerberos Team in turn thanks \nMichael Calmer and Marcus Me\nissner at SUSE and \nShiva Persaud\n at IBM for providing information about AIX.","author":"This document was written by Ryan Giobbi.","public":["h","t","t","p",":","/","/","w","e","b",".","m","i","t",".","e","d","u","/","K","e","r","b","e","r","o","s","/","a","d","v","i","s","o","r","i","e","s","/","M","I","T","K","R","B","5","-","S","A","-","2","0","0","6","-","0","0","1","-","s","e","t","u","i","d",".","t","x","t"],"cveids":["CVE-2006-3084"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-07-26T15:15:07Z","publicdate":"2006-07-26T00:00:00Z","datefirstpublished":"2006-08-15T20:25:29Z","dateupdated":"2006-08-16T13:36:32Z","revision":40,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"18","cam_exploitation":"0","cam_internetinfrastructure":"9","cam_population":"4","cam_impact":"18","cam_easeofexploitation":"4","cam_attackeraccessrequired":"16","cam_scorecurrent":"2.3328","cam_scorecurrentwidelyknown":"2.5056","cam_scorecurrentwidelyknownexploited":"4.2336","ipprotocol":"tcp","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":2.3328,"vulnote":null}