From Wed Mar 13 06:02:12 2002
Received: from (FORT-POINT-STATION.MIT.EDU [])
by (8.9.3/8.9.3) with ESMTP id GAA18739
for <>; Wed, 13 Mar 2002 06:02:08 -0500 (EST)
Received: from ( [])
by (8.9.2/8.9.2) with ESMTP id GAA05300
for <>; Wed, 13 Mar 2002 06:02:07 -0500 (EST)
Received: from mail pickup service by with Microsoft SMTPSVC;
Wed, 13 Mar 2002 03:02:06 -0800
Received: from by with HTTP;
Wed, 13 Mar 2002 11:02:06 GMT
Message-Id: <>
Date: Wed, 13 Mar 2002 11:02:06 +0000
From: "Ali M" <>
Subject: telnet core dumps with Windows 2000 KDC

>Number: 1073
>Category: telnet
>Synopsis: telnet core dumps with Windows 2000 KDC
>Confidential: yes
>Severity: serious
>Priority: high
>Responsible: hartmans
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Mar 13 06:03:00 EST 2002
>Last-Modified: Sun Apr 7 19:01:55 EDT 2002

Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: hartmans
Responsible-Changed-When: Wed Mar 13 08:49:13 2002

Tom, could you look at this and see if it can be exploited on the server side?

Responsible-Changed-From-To: tlyu->hartmans
Responsible-Changed-By: hartmans
Responsible-Changed-When: Thu Mar 14 12:13:17 2002
I agreed to take this at the meeting.

State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Sun Apr 7 19:01:34 2002
A fix for this bug has been checked in and will appear in the upcoming 1.2.5 release.

Submitter-Id: net
Originator: Super-User
Confidential: no
Synopsis: Telnet dies if TGT Authorization-Data field too large
Severity: non-critical
Priority: low
Category: krb5-appl
Class: change-request
Release: krb5-1.2.3
System: SunOS secsol5 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4


When using MIT Kerberos against a Windows 2000 KDC, obtaining a TGT
for a user that is a member of many Windows groups causes the
Authorization-Data field of the TGT to become very large. Telnet contains
2048-byte buffers for the network output ring and also as a work buffer
in libtelnet/kerberos5.c. When the TGT is too large, the buffer in
kerberos5.c overflows and overwrites the variables declared after it,
particularly the krb5_context structure; a core dump soon follows!


Create a user account at the Win2K KDC and make it a member of many
groups - 10 to 12 is usually sufficient.

Personally I increased the size of the static buffer in
libtelnet/kerberos5.c line 99: static unsigned char str_data[2048]
and the network output ring buffer
telnet/network.c line 56: unsigned char netobuf[2*BUFSIZ],
to be big enough to accommodate the largest expected user account on the
company's network.

I would recommend that any future enhancement to telnet would use a
dynamically allocated buffer in kerberos5.c and that there be some
way of flushing the ring buffer so that a large TGT can be processed
in a loop, since the TGT size is not known at the time the ring buffer
is allocated.

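The fixed-buffer pattern the report describes, beside the two remedies the submitter recommends (a dynamically sized work buffer, and pushing a large blob through the output ring in a flush-as-you-go loop), as an added C example. This is not MIT krb5's code and does not reproduce the layout of libtelnet/kerberos5.c or telnet/network.c; the 2048-byte sizes follow the report (telnet's real netobuf is 2*BUFSIZ), the 6000-byte input is a constructed stand-in for the authorization data of a TGT issued to a member of many groups, and the names copy_fixed_*, growbuf_* and ring_send are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Sizes follow the report; 2048 for the ring (rather than 2*BUFSIZ) keeps
 * the overflow condition reproducible with a small constructed blob. */
#define WORK_BUF 2048
#define RING_BUF 2048

/* "Before" picture (schematic): a fixed static work buffer receives the
 * TGT's authorization data with no length check. For len > WORK_BUF the
 * memcpy runs past str_data into whatever is laid out after it (the report
 * saw the krb5_context clobbered). Undefined behaviour for such input;
 * nothing here calls it that way. */
static unsigned char str_data[WORK_BUF];

size_t copy_fixed_unchecked(const unsigned char *authdata, size_t len)
{
    memcpy(str_data, authdata, len);      /* no bounds check: the bug */
    return len;
}

/* Minimal fix: fail closed when the data does not fit. Safe, but a
 * legitimately large TGT is then rejected rather than handled. */
int copy_fixed_checked(const unsigned char *authdata, size_t len)
{
    if (len > sizeof str_data)
        return -1;
    memcpy(str_data, authdata, len);
    return 0;
}

/* First recommendation: a work buffer that grows to the data. */
typedef struct {
    unsigned char *buf;
    size_t cap;
    size_t len;
} growbuf_t;

int growbuf_append(growbuf_t *g, const unsigned char *src, size_t n)
{
    if (n > SIZE_MAX - g->len)
        return -1;                        /* length arithmetic would wrap */
    size_t need = g->len + n;
    if (need > g->cap) {
        size_t ncap = g->cap ? g->cap : WORK_BUF;
        while (ncap < need) {
            if (ncap > SIZE_MAX / 2)
                return -1;
            ncap *= 2;
        }
        unsigned char *nb = realloc(g->buf, ncap);
        if (nb == NULL)
            return -1;                    /* g->buf is still valid and owned */
        g->buf = nb;
        g->cap = ncap;
    }
    memcpy(g->buf + g->len, src, n);
    g->len = need;
    return 0;
}

void growbuf_free(growbuf_t *g)
{
    free(g->buf);
    g->buf = NULL;
    g->cap = g->len = 0;
}

/* Second recommendation: the output ring stays fixed, and a blob larger
 * than the ring is copied in pieces, flushing to the network (here `sink`,
 * standing in for the socket write) each time the ring fills. Returns the
 * number of flushes performed. */
typedef void (*sink_fn)(const unsigned char *chunk, size_t n, void *ctx);

size_t ring_send(const unsigned char *src, size_t len, sink_fn sink, void *ctx)
{
    unsigned char ring[RING_BUF];
    size_t fill = 0, flushes = 0;

    for (size_t off = 0; off < len;) {
        size_t n = len - off;
        if (n > RING_BUF - fill)
            n = RING_BUF - fill;          /* only what the ring can hold */
        memcpy(ring + fill, src + off, n);
        fill += n;
        off += n;
        if (fill == RING_BUF) {           /* ring full: flush and continue */
            sink(ring, fill, ctx);
            fill = 0;
            flushes++;
        }
    }
    if (fill > 0) {                       /* final partial ring */
        sink(ring, fill, ctx);
        flushes++;
    }
    return flushes;
}

/* Sink that only counts delivered bytes; a real one would write(2). */
void count_sink(const unsigned char *chunk, size_t n, void *ctx)
{
    (void)chunk;
    *(size_t *)ctx += n;
}
```

With a 6000-byte blob, copy_fixed_checked refuses the input, growbuf_append grows to 8192 bytes and holds all of it, and ring_send delivers it through the 2048-byte ring in three flushes (two full, one partial). The growth loop and the SIZE_MAX guards matter because the blob length ultimately comes from the KDC, so it is attacker-influenced input even when the KDC is trusted.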