From ali_m_000@hotmail.com Wed Mar 13 06:02:12 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id GAA18739
for <bugs@RT-11.mit.edu>; Wed, 13 Mar 2002 06:02:08 -0500 (EST)
Received: from hotmail.com (f51.pav1.hotmail.com [64.4.31.51])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id GAA05300
for <krb5-bugs@mit.edu>; Wed, 13 Mar 2002 06:02:07 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Wed, 13 Mar 2002 03:02:06 -0800
Received: from 160.83.32.30 by pv1fd.pav1.hotmail.msn.com with HTTP;
Wed, 13 Mar 2002 11:02:06 GMT
Message-Id: <F51MdzUMkVxoNJ0Dla7000156b4@hotmail.com>
Date: Wed, 13 Mar 2002 11:02:06 +0000
From: "Ali M" <ali_m_000@hotmail.com>
To: krb5-bugs@mit.edu
Subject: telnet core dumps with Windows 2000 KDC
Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: hartmans
Responsible-Changed-When: Wed Mar 13 08:49:13 2002
Responsible-Changed-Why:
Tom, could you look at this and see if it can be exploited on the server side?
Responsible-Changed-From-To: tlyu->hartmans
Responsible-Changed-By: hartmans
Responsible-Changed-When: Thu Mar 14 12:13:17 2002
Responsible-Changed-Why:
I agreed to take this at the meeting.
State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Sun Apr 7 19:01:34 2002
State-Changed-Why:
A fix for this bug has been checked in and will appear in the upcoming 1.2.5 release.
Submitter-Id: net
Originator: Super-User
Organization:
Confidential: no
Synopsis: Telnet dies if TGT Authorization-Data field too large
Severity: non-critical
Priority: low
Category: krb5-appl
Class: change-request
Release: krb5-1.2.3
Environment:
System: SunOS secsol5 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
Description:
When using MIT kerberos against a Windows 2000 KDC, obtaining a TGT
for a user that is a member of many Windows groups causes the
Authorization-Data field of the TGT to become very large. Telnet contains
2048-byte buffers for the network output ring and also as a work buffer
in libtelnet/kerberos5.c. When the TGT is too large, the buffer in
kerberos5.c overflows and overwrites the variables declared after it,
particularly the krb5_context structure - a core dump soon follows!
How-To-Repeat:
Create a user account at the Win2K KDC and make it a member of many
groups - 10 to 12 is usually sufficient.
Fix:
Personally I increased the size of the static buffer in
libtelnet/kerberos5.c line 99: static unsigned char str_data[2048]
and the network output ring buffer
telnet/network.c line 56: unsigned char netobuf[2*BUFSIZ],
to be big enough to accommodate the largest expected user account on the
company's network.
I would recommend that any future enhancement to telnet would use a
dynamically allocated buffer in kerberos5.c and that there be some
way of flushing the ring buffer so that a large TGT can be processed
in a loop, since the TGT size is not known at the time the ring buffer
is allocated.
>Number: 1073
>Category: telnet
>Synopsis: telnet core dumps with Windows 2000 KDC
>Confidential: yes
>Severity: serious
>Priority: high
>Responsible: hartmans
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Mar 13 06:03:00 EST 2002
>Last-Modified: Sun Apr 7 19:01:55 EDT 2002
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
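Added example (not code from MIT krb5's libtelnet or from the reporter): a constructed model of the fixed-buffer pattern the report describes, beside a bounds-checked copy and the dynamically sized copy the reporter recommends. The struct layout (a 2048-byte work buffer immediately followed by a context pointer), the names `auth_state`, `ticket_blob`, `copy_unchecked`, `copy_checked` and `copy_dynamic`, and the 0x41-filled input standing in for a ticket with a large Authorization-Data field are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STR_DATA_SIZE 2048   /* same size as telnet's static unsigned char str_data[2048] */

/* Stand-in for the encoded ticket handed to telnet: length + bytes, as in krb5_data. */
typedef struct {
    size_t length;
    const unsigned char *data;
} ticket_blob;

/* Constructed model of the authenticator's state. Putting `context` directly
 * after the work buffer is an ASSUMPTION that makes the overwrite visible and
 * deterministic; in the real source these are separate objects whose
 * adjacency the compiler decides. */
typedef struct {
    unsigned char str_data[STR_DATA_SIZE];
    void *context;               /* plays the role of the krb5_context pointer */
} auth_state;

/* Fixed-buffer pattern: copy the ticket into str_data assuming it fits. The
 * only cap keeps the write inside the enclosing struct so the example has
 * defined behaviour; it does nothing to protect `context`. */
static size_t copy_unchecked(auth_state *st, const ticket_blob *tkt)
{
    unsigned char *base = (unsigned char *)st + offsetof(auth_state, str_data);
    size_t room = sizeof *st - offsetof(auth_state, str_data);
    size_t n = tkt->length < room ? tkt->length : room;
    memcpy(base, tkt->data, n);  /* n > STR_DATA_SIZE lands on `context` */
    return n;
}

/* Hardened form 1: bounds check, fail closed. 0 on success, -1 if the ticket
 * does not fit; the caller must abort Kerberos auth, not carry on. */
static int copy_checked(auth_state *st, const ticket_blob *tkt)
{
    if (tkt->length > sizeof st->str_data)
        return -1;
    memcpy(st->str_data, tkt->data, tkt->length);
    return 0;
}

/* Hardened form 2 (the reporter's recommendation): size the buffer to the
 * data. Returns a malloc'd copy the caller frees, NULL on allocation failure. */
static unsigned char *copy_dynamic(const ticket_blob *tkt, size_t *out_len)
{
    unsigned char *buf = malloc(tkt->length ? tkt->length : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, tkt->data, tkt->length);
    *out_len = tkt->length;
    return buf;
}

/* Constructed input: `len` bytes of 0x41, standing in for a ticket whose
 * Authorization-Data has grown with the user's group memberships. */
static unsigned char g_storage[STR_DATA_SIZE + 512];

static ticket_blob make_ticket(size_t len)
{
    if (len > sizeof g_storage)
        len = sizeof g_storage;
    memset(g_storage, 0x41, len);
    ticket_blob t = { len, g_storage };
    return t;
}

/* 1 if an unchecked copy of a `len`-byte ticket changed `context`, else 0.
 * The pointer is compared as raw bytes and never dereferenced. */
static int context_clobbered(size_t len)
{
    auth_state st;
    int marker;
    uintptr_t before, after;
    ticket_blob t = make_ticket(len);

    memset(&st, 0, sizeof st);
    st.context = &marker;
    memcpy(&before, &st.context, sizeof before);
    copy_unchecked(&st, &t);
    memcpy(&after, &st.context, sizeof after);
    return before != after;
}

/* Return code of the bounds-checked copy for a `len`-byte ticket (0 or -1). */
static int checked_result(size_t len)
{
    auth_state st;
    ticket_blob t = make_ticket(len);
    memset(&st, 0, sizeof st);
    return copy_checked(&st, &t);
}

/* Bytes held by the dynamically sized copy (SIZE_MAX on allocation failure). */
static size_t dynamic_result(size_t len)
{
    size_t got = 0;
    ticket_blob t = make_ticket(len);
    unsigned char *buf = copy_dynamic(&t, &got);
    if (buf == NULL)
        return SIZE_MAX;
    free(buf);
    return got;
}

int main(void)
{
    size_t big = STR_DATA_SIZE + 16;   /* 16 bytes past the buffer is enough */
    printf("unchecked: clobbered=%d/%d  checked: rc=%d  dynamic: held=%zu\n",
           context_clobbered(1024), context_clobbered(big), checked_result(big), dynamic_result(big));
    return 0;
}
```

The bounds-checked variant is the minimum fix: it turns silent memory corruption into a clean failure. Enlarging `str_data` alone, as the reporter did, only moves the threshold, and the same length check is still needed where the encoded ticket is fed into the fixed-size network output ring, which is why the reporter asks for a way to flush that ring and process a large ticket in a loop.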