From ali_m_000@hotmail.com Wed Mar 13 06:02:12 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
	by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id GAA18739
	for ; Wed, 13 Mar 2002 06:02:08 -0500 (EST)
Received: from hotmail.com (f51.pav1.hotmail.com [64.4.31.51])
	by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id GAA05300
	for ; Wed, 13 Mar 2002 06:02:07 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	Wed, 13 Mar 2002 03:02:06 -0800
Received: from 160.83.32.30 by pv1fd.pav1.hotmail.msn.com with HTTP;
	Wed, 13 Mar 2002 11:02:06 GMT
Message-Id:
Date: Wed, 13 Mar 2002 11:02:06 +0000
From: "Ali M"
To: krb5-bugs@mit.edu
Subject: telnet core dumps with Windows 2000 KDC

>Number:         1073
>Category:       telnet
>Synopsis:       telnet core dumps with Windows 2000 KDC
>Confidential:   yes
>Severity:       serious
>Priority:       high
>Responsible:    hartmans
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Mar 13 06:03:00 EST 2002
>Last-Modified:  Sun Apr 7 19:01:55 EDT 2002
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: hartmans
Responsible-Changed-When: Wed Mar 13 08:49:13 2002
Responsible-Changed-Why:
    Tom, could you look at this and see if it can be exploited on the server side?

Responsible-Changed-From-To: tlyu->hartmans
Responsible-Changed-By: hartmans
Responsible-Changed-When: Thu Mar 14 12:13:17 2002
Responsible-Changed-Why:
    I agreed to take this at the meeting.

State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Sun Apr 7 19:01:34 2002
State-Changed-Why:
    A fix for this bug has been checked in and will appear in the upcoming 1.2.5 release.
>Unformatted:

Submitter-Id:   net
Originator:     Super-User
Organization:
Confidential:   no
Synopsis:       Telnet dies if TGT Authorization-Data field too large
Severity:       non-critical
Priority:       low
Category:       krb5-appl
Class:          change-request
Release:        krb5-1.2.3
Environment:
System: SunOS secsol5 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4

Description:
When using MIT Kerberos against a Windows 2000 KDC, obtaining a TGT for a
user that is a member of many Windows groups causes the Authorization-Data
field of the TGT to become very large. Telnet contains 2048-byte buffers for
the network output ring and also as a work buffer in libtelnet/kerberos5.c.
When the TGT is too large, the buffer in kerberos5.c overflows and overwrites
the variables declared after it, particularly the krb5_context structure - a
core dump soon follows!

How-To-Repeat:
Create a user account at the Win2K KDC and make it a member of many groups -
10 to 12 is usually sufficient.

Fix:
Personally I increased the size of the static buffer in
libtelnet/kerberos5.c line 99:

    static unsigned char str_data[2048]

and the network output ring buffer in telnet/network.c line 56:

    unsigned char netobuf[2*BUFSIZ],

to be big enough to accommodate the largest expected user account on the
company's network.

I would recommend that any future enhancement to telnet would use a
dynamically allocated buffer in kerberos5.c and that there be some way of
flushing the ring buffer so that a large TGT can be processed in a loop,
since the TGT size is not known at the time the ring buffer is allocated.
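The report describes the classic shape of this bug: a variable-length token (the TGT, whose Authorization-Data grows with group membership) copied into a fixed 2048-byte array, with the overrun landing on whatever is declared next. The following is an added illustration, not the reporter's patch and not MIT telnet source: it keeps a fixed buffer of the same size the report names, lays a sentinel after it where the report says krb5_context sat, and shows the two mitigations a maintainer would reach for, a length check that refuses tokens that do not fit and the dynamically sized buffer the reporter recommends. The names `work_area`, `copy_to_fixed`, `copy_to_dynamic`, `demo`, the 1 MiB sanity cap and the constructed token sizes are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not MIT telnet code. STR_DATA_SIZE mirrors the
 * 2048-byte str_data[] work buffer the report describes. */
#define STR_DATA_SIZE 2048
#define SENTINEL_VALUE 0xC0FFEEUL

/* Fixed-size work buffer with a sentinel laid out after it, standing in
 * for the krb5_context the report says was clobbered by the overrun. */
struct work_area {
    unsigned char str_data[STR_DATA_SIZE];
    unsigned long sentinel;
};

/* Bounded copy into the fixed buffer: refuses a token that does not fit
 * instead of running past the end of the array.
 * Returns the number of bytes copied, or -1 if the token is too large. */
int copy_to_fixed(struct work_area *wa, const unsigned char *tok, size_t len)
{
    if (tok == NULL || len > sizeof wa->str_data)
        return -1;                     /* would overflow: report an error */
    memcpy(wa->str_data, tok, len);
    return (int)len;
}

/* Dynamically sized alternative the reporter recommends: the buffer is
 * allocated to the token's actual length, so growth of the Authorization-
 * Data cannot overrun neighbouring variables. The 1 MiB cap is an assumed
 * sanity limit for the example. Caller frees the result. */
unsigned char *copy_to_dynamic(const unsigned char *tok, size_t len, size_t *out_len)
{
    unsigned char *buf;
    if (tok == NULL || len == 0 || len > (1u << 20))
        return NULL;
    buf = malloc(len);
    if (buf == NULL)
        return NULL;
    memcpy(buf, tok, len);
    *out_len = len;
    return buf;
}

/* Constructed token of the requested size, standing in for a TGT whose
 * Authorization-Data has grown with the user's group memberships. */
static unsigned char *make_token(size_t len)
{
    unsigned char *tok = malloc(len);
    if (tok != NULL)
        memset(tok, 0x41, len);
    return tok;
}

/* Drives both paths with a token that fits and one that does not.
 * Returns 1 if the small token is accepted, the oversized token is refused,
 * the sentinel survives untouched, and the dynamic path takes the large token. */
int demo(void)
{
    struct work_area wa;
    size_t small = 1500, large = 3000, got = 0;
    unsigned char *tok, *dyn;
    int ok = 1;

    wa.sentinel = SENTINEL_VALUE;

    tok = make_token(small);
    if (copy_to_fixed(&wa, tok, small) != (int)small)
        ok = 0;
    free(tok);

    tok = make_token(large);
    if (copy_to_fixed(&wa, tok, large) != -1)   /* must be refused */
        ok = 0;
    if (wa.sentinel != SENTINEL_VALUE)          /* neighbour untouched */
        ok = 0;

    dyn = copy_to_dynamic(tok, large, &got);
    if (dyn == NULL || got != large)
        ok = 0;
    free(dyn);
    free(tok);
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("bounded handling %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The second half of the reporter's suggestion, a way to flush the output ring so an oversized token can be written in pieces, is the same idea applied to the network side: the sender must either know the token length before choosing a buffer or be able to drain the buffer mid-token, and the length check above is what turns a silent overwrite into a detectable failure while that redesign is pending.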