From: Jim Paris <jim@jtan.com>
To: krb5-bugs@MIT.EDU
Date: Wed, 26 Jan 2000 18:46:27 -0500
Message-Id: <20000126184627.A15861@jtan.com>
Subject: Security

>Number: 818
>Category: krb5-clients
>Synopsis: Security
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Jan 26 18:47:00 EST 2000
>Last-Modified: Tue Sep 18 17:46:12 EDT 2001
>Originator: Jim Paris
>Organization:
>Release:
>Environment:
>Description:

I've found a somewhat nasty bug in one of the Kerberos utilities that allows any local user to gain root. I just finished developing a working exploit for Linux and verified that it does, in fact, work. Since this affects a lot of machines (including all Athena machines here at MIT), I'd like to see a fix before I post details to Bugtraq. Who should I talk to about this?

-jim

>How-To-Repeat:
>Fix:
>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Tue Feb 22 16:31:16 2000
Responsible-Changed-Why: Reformat, fix category.

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Tue Sep 18 17:42:32 2001
State-Changed-Why: Fixed out of band a while ago. For the record, these were the krb4 rd_req hole and the pre-1.1.1 ksu hole.

>Unformatted: