To: krb5-bugs@MIT.EDU
Subject: double fclose() in krb5_def_store_mkey() [CVE-2007-5972]
From: Tom Yu
Date: Wed, 12 Dec 2007 13:39:41 -0500
Content-Type: text/plain; charset=us-ascii

This is one of the Venustech AD-LAB alleged vulnerabilities.

CVE-2007-5972
http://bugs.gentoo.org/show_bug.cgi?id=199211

This bug is a double-free (actually a double-fclose) bug which is not a vulnerability, because the failing code path is not reachable by an attacker.
If the fwrite() call in krb5_def_store_mkey() (in src/lib/kdb/kdb_default.c) fails, the file pointer "kf" may have fclose() called on it twice:

    if ((fwrite((krb5_pointer) &enctype,
                2, 1, kf) != 1) ||
        (fwrite((krb5_pointer) &key->length,
                sizeof(key->length), 1, kf) != 1) ||
        (fwrite((krb5_pointer) key->contents,
                sizeof(key->contents[0]), (unsigned) key->length,
                kf) != key->length)) {
        retval = errno;
        (void) fclose(kf);
    }
    if (fclose(kf) == EOF)
        retval = errno;

The relevant code stashes a KDC master key. It is only run by explicit action of a KDC administrator, who already has all the privileges that exploiting this bug would gain. A properly configured KDC will have no unprivileged users with shell or other login access; therefore, an unprivileged user cannot cause the fwrite() failure necessary for triggering this bug. Also, under normal conditions, the code is run exactly once in the lifetime of a KDC: at database creation time.
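For illustration, here is an added example (not krb5's code, and not the fix MIT shipped) of the same stash-writing logic restructured so that fclose() runs exactly once on every path, plus a reader used to check the on-disk layout. The field widths (2-byte enctype, 4-byte length) and the function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stash writer; layout follows the snippet, field widths are assumed. */
int store_mkey_once(const char *path, uint16_t enctype,
                    const unsigned char *key, int32_t keylen)
{
    int retval = 0;
    FILE *kf = fopen(path, "wb");
    if (kf == NULL)
        return errno;
    if (fwrite(&enctype, 2, 1, kf) != 1 ||
        fwrite(&keylen, sizeof(keylen), 1, kf) != 1 ||
        fwrite(key, 1, (size_t)keylen, kf) != (size_t)keylen)
        retval = errno ? errno : EIO;
    /* Failure branch no longer closes kf itself: one fclose() on every path. */
    if (fclose(kf) == EOF && retval == 0)
        retval = errno;
    return retval;
}

/* Read the stash back; returns the key length, or -1 on any error. */
int32_t load_mkey_once(const char *path, uint16_t *enctype,
                       unsigned char *buf, int32_t bufsz)
{
    int32_t keylen = -1;
    FILE *kf = fopen(path, "rb");
    if (kf == NULL)
        return -1;
    if (fread(enctype, 2, 1, kf) != 1 ||
        fread(&keylen, sizeof(keylen), 1, kf) != 1 ||
        keylen < 0 || keylen > bufsz ||
        fread(buf, 1, (size_t)keylen, kf) != (size_t)keylen)
        keylen = -1;
    (void) fclose(kf);  /* again, exactly one close */
    return keylen;
}

/* Store a constructed 4-byte sample key, read it back, remove the file. */
int roundtrip_ok(const char *path)
{
    static const unsigned char sample[4] = { 0x01, 0x02, 0x03, 0x04 };
    unsigned char out[16];
    uint16_t et = 0;
    int ok = store_mkey_once(path, 17, sample, 4) == 0 &&
             load_mkey_once(path, &et, out, sizeof out) == 4 &&
             et == 17 && memcmp(out, sample, 4) == 0;
    remove(path);
    return ok;
}
```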