From joda@pdc.kth.se Fri Aug 4 05:35:41 2000
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id FAA15143
for <bugs@RT-11.MIT.EDU>; Fri, 4 Aug 2000 05:35:40 -0400 (EDT)
Received: from blubb.pdc.kth.se (blubb.pdc.kth.se [130.237.221.147])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id FAA25880
for <krb5-bugs@mit.edu>; Fri, 4 Aug 2000 05:35:39 -0400 (EDT)
Received: from joda by blubb.pdc.kth.se with local (Exim 3.13 #1)
id 13Kdru-0007EI-00; Fri, 04 Aug 2000 11:34:18 +0200
Message-Id: <xof66phcque.fsf@blubb.pdc.kth.se>
Date: 04 Aug 2000 11:34:17 +0200
From: joda@pdc.kth.se (Johan Danielsson)
To: Dug Song <dugsong@monkey.org>
Cc: heimdal-bugs@pdc.kth.se, krb5-bugs@mit.edu, security@microsoft.com,
support@transarc.com
In-Reply-To: Dug Song's message of "Fri, 4 Aug 2000 05:11:01 -0400 (EDT)"
Subject: Re: kdcspoof
References: <Pine.BSO.4.20.0008040445420.7307-100000@naughty.monkey.org>

>Number: 872
>Category: pending
>Synopsis: Re: kdcspoof
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Aug 4 05:36:00 EDT 2000
>Last-Modified: Wed Feb 7 19:40:39 EST 2001
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Wed Feb 7 19:39:48 2001
State-Changed-Why:

replies should go to PR #871

>Unformatted:
Dug Song <dugsong@monkey.org> writes:

> you guys aren't vulnerable to this, right?

No, but there are situations where you can't protect yourself, for
instance if you don't have a keytab you can use. One example of an
application that I know (might) have this problem is xdm, if it
doesn't run as root.

/Johan
From dugsong@monkey.org Fri Aug 4 05:11:08 2000
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id FAA15083
for <bugs@RT-11.MIT.EDU>; Fri, 4 Aug 2000 05:11:03 -0400 (EDT)
Received: from naughty.monkey.org (IDENT:smtp@naughty.monkey.org [63.77.239.20])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id FAA24922
for <krb5-bugs@mit.edu>; Fri, 4 Aug 2000 05:11:02 -0400 (EDT)
Received: by naughty.monkey.org (Postfix, from userid 1001)
id B14D3108674; Fri, 4 Aug 2000 05:11:01 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
by naughty.monkey.org (Postfix) with ESMTP
id A7A35107700; Fri, 4 Aug 2000 05:11:01 -0400 (EDT)
Message-Id: <Pine.BSO.4.20.0008040445420.7307-100000@naughty.monkey.org>
Date: Fri, 4 Aug 2000 05:11:01 -0400 (EDT)
From: Dug Song <dugsong@monkey.org>
To: heimdal@pdc.kth.se, kth-bugs@pdc.kth.se, krb5-bugs@mit.edu,
security@microsoft.com, support@transarc.com
Subject: kdcspoof

>Number: 871
>Category: krb5-misc
>Synopsis: kdcspoof
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Aug 4 05:12:01 EDT 2000
>Last-Modified: Fri Sep 14 13:41:30 EDT 2001
>Originator: Dug Song <dugsong@monkey.org>
>Organization:
>Release:
>Environment:
>Description:
you guys aren't vulnerable to this, right?

http://www.monkey.org/~dugsong/kdcspoof-1.0.tar.gz

just want to make sure before i release it, in about a week or so.

it's an ancient, well-known vulnerability, well-documented in even the
oldest Kerberos code. but i'm sure there are plenty of new implementors
who don't know they have to verify the returned TGT to permit login.

the attack is really only effective either on the LAN, or via DNS
poisoning or route redirection, so it's not all that urgent, really.

-d.

---
http://www.monkey.org/~dugsong/

>How-To-Repeat:
>Fix:
>Audit-Trail:

From: joda@pdc.kth.se (Johan Danielsson)
To: Dug Song <dugsong@monkey.org>
Cc: heimdal-bugs@pdc.kth.se, krb5-bugs@mit.edu, security@microsoft.com,
support@transarc.com
In-Reply-To: Dug Song's message of "Fri, 4 Aug 2000 05:11:01 -0400 (EDT)"
Subject: Re: kdcspoof
Date: 04 Aug 2000 11:34:17 +0200

Dug Song <dugsong@monkey.org> writes:

> you guys aren't vulnerable to this, right?

No, but there are situations where you can't protect yourself, for
instance if you don't have a keytab you can use. One example of an
application that I know (might) have this problem is xdm, if it
doesn't run as root.

/Johan

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Mon Mar 26 22:40:55 2001
Responsible-Changed-Why:

Changed category.

>Unformatted:
Not an issue. The login programs have always checked tickets from user
passwords against a local keytab, as far as I know.
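As an added example (not code from this thread, from kdcspoof, MIT krb5 or Heimdal), a toy Python model of the check that Dug Song's report and the closing note in the audit trail refer to: a login program that accepts any KDC reply which decrypts under the typed password, beside one that also obtains a ticket for the host's own service and verifies it with the local keytab key. The HMAC "sealing", the principal names and the host/login.example service are constructed stand-ins, not real Kerberos encryption or real principals.

```python
import hashlib
import hmac
import json
import os

# Toy model of the login check (added example, not code from MIT krb5, Heimdal or
# kdcspoof); HMAC "sealing" stands in for Kerberos encryption under a key.
def string2key(password):
    return hashlib.sha256(b"toy-salt:" + password.encode()).digest()
def seal(key, obj):
    data = json.dumps(obj, sort_keys=True).encode()
    return data, hmac.new(key, data, hashlib.sha256).digest()
def unseal(key, sealed):
    data, tag = sealed
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(data)

class KDC:
    """Serves whatever principal keys it was given; a spoofed KDC picks its own."""
    def __init__(self, keys):
        self.keys = keys

    def as_exchange(self, client):  # AS-REP: enc-part under the client key, plus a TGT
        session = os.urandom(16).hex()
        return (seal(self.keys[client], {"session": session}),
                seal(self.keys["krbtgt"], {"client": client, "session": session}))
    def tgs_exchange(self, tgt, server):  # TGS-REP: service ticket under the server key
        state = unseal(self.keys["krbtgt"], tgt)
        key = self.keys.get(server) or os.urandom(32)  # no real host key: invent one
        return seal(key, {"client": state["client"], "session": state["session"]})

def login_unverified(kdc, user, password):
    """Weak: trusts any KDC whose AS-REP decrypts with the typed password."""
    enc_part, _tgt = kdc.as_exchange(user)
    try:
        unseal(string2key(password), enc_part)
        return True
    except ValueError:
        return False

def login_verified(kdc, user, password, host_key):
    """Hardened: also opens a ticket for the local host service with the keytab key."""
    enc_part, tgt = kdc.as_exchange(user)
    try:
        session = unseal(string2key(password), enc_part)["session"]
        ticket = unseal(host_key, kdc.tgs_exchange(tgt, "host/login.example"))
        return ticket["client"] == user and ticket["session"] == session
    except ValueError:
        return False
```

The hardened path needs a keytab key to open the host ticket, which is the case Johan Danielsson raises: a program with no usable keytab (his xdm example) has nothing to verify the reply against.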