From ghudson@MIT.EDU Mon Nov 10 20:15:35 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id UAA08134 for <bugs@RT-11.MIT.EDU>; Mon, 10 Nov 1997 20:15:34 -0500
Received: from MARY-KAY-COMMANDOS.MIT.EDU by MIT.EDU with SMTP
id AB10384; Mon, 10 Nov 97 20:15:39 EST
Received: by mary-kay-commandos.MIT.EDU (SMI-8.6/4.7) id UAA00662; Mon, 10 Nov 1997 20:15:25 -0500
Message-Id: <199711110115.UAA00662@mary-kay-commandos.MIT.EDU>
Date: Mon, 10 Nov 1997 20:15:25 -0500
From: ghudson@MIT.EDU
Reply-To: ghudson@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: Ticket-forwarding security hole
X-Send-Pr-Version: 3.99
Architecture: sun4
invoking login. At this point, the user might delete the ticket file
and replace it with a symlink. login.c will then read in the ticket
file and write out a new one. Or it might destroy the file if the
login fails. Either way, a security hole.
change forward.c and then fix kshd to do the chown since kshd does not
invoke login. Fixing telnetd should involve simply deleting some code.
Index: krshd.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/appl/bsd/krshd.c,v
retrieving revision 1.6
diff -c -r1.6 krshd.c
*** krshd.c 1997/10/21 02:01:27 1.6
--- krshd.c 1997/10/25 22:58:15
***************
*** 1721,1726 ****
--- 1721,1729 ----
krb5_authenticator *authenticator;
krb5_ticket *ticket;
krb5_rcache rcache;
+ struct passwd *pwd;
+ uid_t uid;
+ gid_t gid;
*valid_checksum = 0;
len = sizeof(laddr);
***************
*** 1876,1885 ****
}
if (inbuf.length) { /* Forwarding being done, read creds */
if ((status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
! ticket, locuser, &ccache))) {
error("Can't get forwarded credentials: %s\n",
error_message(status));
exit(1);
}
}
--- 1879,1900 ----
}
if (inbuf.length) { /* Forwarding being done, read creds */
+ pwd = getpwnam(locuser);
+ if (!pwd) {
+ error("Login incorrect.\n");
+ exit(1);
+ }
+ uid = pwd->pw_uid;
+ gid = pwd->pw_gid;
if ((status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
! ticket, &ccache))) {
error("Can't get forwarded credentials: %s\n",
error_message(status));
+ exit(1);
+ }
+ if (chown(krb5_cc_get_name(bsd_context, ccache), uid, gid) == -1) {
+ error("Can't chown forwarded credentials: %s\n",
+ error_message(errno));
exit(1);
}
}
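Review bot: On the new chown failure path the ccache that rd_and_store_for_creds just created is left on disk, presumably still owned by the daemon's effective uid and holding the user's forwarded credentials, because the branch goes straight to `exit(1)` without destroying it. I would destroy the cache first: `krb5_cc_destroy(bsd_context, ccache);` ahead of that `exit(1)`. The chown itself is still a path-based operation on the name returned by krb5_cc_get_name, so it only closes the race the report describes as long as the daemon creates the file itself and the target user cannot rename or replace it before this point; that assumption deserves a comment at the chown, e.g. `/* Ownership is transferred only after the file is fully written; krshd never hands it to login, so no window remains. */`. The `pwd` declaration added in the earlier hunk needs `<pwd.h>` in krshd.c, and the forward.c hunk removes that include from forward.c, so confirm krshd.c includes it on its own. The enclosing function starts and ends outside this hunk.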
Index: forward.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/appl/bsd/forward.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 forward.c
*** forward.c 1996/09/12 04:42:06 1.1.1.1
--- forward.c 1997/10/24 22:15:20
***************
*** 21,27 ****
#if defined(KERBEROS) || defined(KRB5)
#include <stdio.h>
- #include <pwd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
--- 21,26 ----
***************
*** 30,51 ****
/* Decode, decrypt and store the forwarded creds in the local ccache. */
krb5_error_code
! rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername, ccache)
krb5_context context;
krb5_auth_context auth_context;
krb5_data *inbuf;
krb5_ticket *ticket;
- char *lusername;
krb5_ccache *ccache;
{
krb5_creds ** creds;
krb5_error_code retval;
char ccname[35];
- struct passwd *pwd;
*ccache = NULL;
- if (!(pwd = (struct passwd *) getpwnam(lusername)))
- return ENOENT;
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return(retval);
--- 29,46 ----
/* Decode, decrypt and store the forwarded creds in the local ccache. */
krb5_error_code
! rd_and_store_for_creds(context, auth_context, inbuf, ticket, ccache)
krb5_context context;
krb5_auth_context auth_context;
krb5_data *inbuf;
krb5_ticket *ticket;
krb5_ccache *ccache;
{
krb5_creds ** creds;
krb5_error_code retval;
char ccname[35];
*ccache = NULL;
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return(retval);
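Review bot: The header comment on rd_and_store_for_creds still says only that the creds are stored in the local ccache, but with `lusername` removed here and the chown dropped in the following hunk the function no longer transfers ownership of the cache file, so every caller is now responsible for chowning it to the target user before that user can touch it. I would extend the comment to state the contract: `/* The ccache is created owned by the calling process; the caller must chown it to the target user after this returns (see krshd.c). */`. The function body continues past the end of this hunk.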
***************
*** 67,85 ****
if (retval = krb5_cc_store_cred(context, *ccache, *creds))
goto cleanup;
- if (retval = chown(ccname+5, pwd->pw_uid, -1)) {
- /*
- * If the file owner is the same as the user id then return ok.
- * This is for testing only --proven
- */
- struct stat statbuf;
-
- if (stat(ccname + 5, & statbuf) == 0) {
- if (statbuf.st_uid == pwd->pw_uid)
- retval = 0;
- }
- }
-
cleanup:
krb5_free_creds(context, *creds);
return retval;
--- 62,67 ----
Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Wed Nov 12 19:07:29 1997
Responsible-Changed-Why:
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Wed Nov 12 19:07:50 1997
State-Changed-Why:
Fixed in the trunk. Will be included in 1.0.3 patch release.
src/appl/bsd/forward.c 1.18
src/appl/bsd/krshd.c 5.70
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id UAA08134 for <bugs@RT-11.MIT.EDU>; Mon, 10 Nov 1997 20:15:34 -0500
Received: from MARY-KAY-COMMANDOS.MIT.EDU by MIT.EDU with SMTP
id AB10384; Mon, 10 Nov 97 20:15:39 EST
Received: by mary-kay-commandos.MIT.EDU (SMI-8.6/4.7) id UAA00662; Mon, 10 Nov 1997 20:15:25 -0500
Message-Id: <199711110115.UAA00662@mary-kay-commandos.MIT.EDU>
Date: Mon, 10 Nov 1997 20:15:25 -0500
From: ghudson@MIT.EDU
Reply-To: ghudson@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: Ticket-forwarding security hole
X-Send-Pr-Version: 3.99
>Number: 494
>Category: krb5-appl
>Synopsis: krlogind, telnetd chown tickets before invoking login
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Nov 10 20:16:00 EST 1997
>Last-Modified: Thu Nov 13 20:25:11 EST 1997
>Originator: Greg Hudson
>Organization:
MIT
>Category: krb5-appl
>Synopsis: krlogind, telnetd chown tickets before invoking login
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tlyu
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Nov 10 20:16:00 EST 1997
>Last-Modified: Thu Nov 13 20:25:11 EST 1997
>Originator: Greg Hudson
>Organization:
>Release: 1.0
>Environment:
System: SunOS mary-kay-commandos 5.5.1 Generic_103640-12 sun4m sparc SUNW,SPARCstation-5
>Environment:
Architecture: sun4
>Description:
The krb5 klogind and telnetd chown the forwarded ticket file before invoking login. At this point, the user might delete the ticket file
and replace it with a symlink. login.c will then read in the ticket
file and write out a new one. Or it might destroy the file if the
login fails. Either way, a security hole.
>How-To-Repeat:
>Fix:
This is a fix for klogind, which is the hard part because you have to
>Fix:
change forward.c and then fix kshd to do the chown since kshd does not
invoke login. Fixing telnetd should involve simply deleting some code.
Index: krshd.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/appl/bsd/krshd.c,v
retrieving revision 1.6
diff -c -r1.6 krshd.c
*** krshd.c 1997/10/21 02:01:27 1.6
--- krshd.c 1997/10/25 22:58:15
***************
*** 1721,1726 ****
--- 1721,1729 ----
krb5_authenticator *authenticator;
krb5_ticket *ticket;
krb5_rcache rcache;
+ struct passwd *pwd;
+ uid_t uid;
+ gid_t gid;
*valid_checksum = 0;
len = sizeof(laddr);
***************
*** 1876,1885 ****
}
if (inbuf.length) { /* Forwarding being done, read creds */
if ((status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
! ticket, locuser, &ccache))) {
error("Can't get forwarded credentials: %s\n",
error_message(status));
exit(1);
}
}
--- 1879,1900 ----
}
if (inbuf.length) { /* Forwarding being done, read creds */
+ pwd = getpwnam(locuser);
+ if (!pwd) {
+ error("Login incorrect.\n");
+ exit(1);
+ }
+ uid = pwd->pw_uid;
+ gid = pwd->pw_gid;
if ((status = rd_and_store_for_creds(bsd_context, auth_context, &inbuf,
! ticket, &ccache))) {
error("Can't get forwarded credentials: %s\n",
error_message(status));
+ exit(1);
+ }
+ if (chown(krb5_cc_get_name(bsd_context, ccache), uid, gid) == -1) {
+ error("Can't chown forwarded credentials: %s\n",
+ error_message(errno));
exit(1);
}
}
Index: forward.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/appl/bsd/forward.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 forward.c
*** forward.c 1996/09/12 04:42:06 1.1.1.1
--- forward.c 1997/10/24 22:15:20
***************
*** 21,27 ****
#if defined(KERBEROS) || defined(KRB5)
#include <stdio.h>
- #include <pwd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
--- 21,26 ----
***************
*** 30,51 ****
/* Decode, decrypt and store the forwarded creds in the local ccache. */
krb5_error_code
! rd_and_store_for_creds(context, auth_context, inbuf, ticket, lusername, ccache)
krb5_context context;
krb5_auth_context auth_context;
krb5_data *inbuf;
krb5_ticket *ticket;
- char *lusername;
krb5_ccache *ccache;
{
krb5_creds ** creds;
krb5_error_code retval;
char ccname[35];
- struct passwd *pwd;
*ccache = NULL;
- if (!(pwd = (struct passwd *) getpwnam(lusername)))
- return ENOENT;
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return(retval);
--- 29,46 ----
/* Decode, decrypt and store the forwarded creds in the local ccache. */
krb5_error_code
! rd_and_store_for_creds(context, auth_context, inbuf, ticket, ccache)
krb5_context context;
krb5_auth_context auth_context;
krb5_data *inbuf;
krb5_ticket *ticket;
krb5_ccache *ccache;
{
krb5_creds ** creds;
krb5_error_code retval;
char ccname[35];
*ccache = NULL;
if (retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))
return(retval);
***************
*** 67,85 ****
if (retval = krb5_cc_store_cred(context, *ccache, *creds))
goto cleanup;
- if (retval = chown(ccname+5, pwd->pw_uid, -1)) {
- /*
- * If the file owner is the same as the user id then return ok.
- * This is for testing only --proven
- */
- struct stat statbuf;
-
- if (stat(ccname + 5, & statbuf) == 0) {
- if (statbuf.st_uid == pwd->pw_uid)
- retval = 0;
- }
- }
-
cleanup:
krb5_free_creds(context, *creds);
return retval;
--- 62,67 ----
>Audit-Trail:
Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Wed Nov 12 19:07:29 1997
Responsible-Changed-Why:
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Wed Nov 12 19:07:50 1997
State-Changed-Why:
Fixed in the trunk. Will be included in 1.0.3 patch release.
src/appl/bsd/forward.c 1.18
src/appl/bsd/krshd.c 5.70
>Unformatted: