Subject: NetBSD Security Advisory 2002-026: Buffer overflow in kadmind daemon
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: current-users
Date: 10/21/2002 19:30:51
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-026
		 =================================

Topic:		Buffer overflow in kadmind daemon

Version:	NetBSD-current:	source prior to October 21 2002
		NetBSD-1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	not affected

Severity:	remote buffer overflow, resulting in root exploit

Fixed:		NetBSD-current:		October 22, 2002
		NetBSD-1.6 branch:	October 22, 2002
		NetBSD-1.5 branch:	October 22, 2002


Abstract
========

Kadmind is the server for administrative access to kerberos database,
and comes from the Heimdal Kerberos implementation used by NetBSD.  In
Heimdal releases earlier than 0.5.1 kadmind has a buffer overflow in
the kerberos version 4 compatibility code.

The kadmind daemon has never been enabled by default in NetBSD;
enabling it would require a change in /etc/inetd.conf.


Technical Details
=================

All versions prior to Heimdal 0.5.1 and 0.4enb1 are vulnerable.  NetBSD
1.5, 1.6, and -current (prior to October 21, 2002) ship with a vulnerable
version.

The problem is a buffer overflow in the kerberos version 4 compatibility layer
of kadmind.

See also: http://www.pdc.kth.se/heimdal/


Solutions and Workarounds
=========================

For most users this is not a vital service and is likely not enabled.
The only user of kadmin should be the kdc in a kerberos
realm.  Since the security of the kerberos server very important,
kadmind must be disabled until upgraded.

* NetBSD all releases:

        Check that you don't have kadmind in your /etc/inetd.conf.

        # grep kadmind /etc/inetd.conf

	If kadmind is enabled, disable it by commenting out its entry and
	reloading inetd:

	# /etc/rc.d/inetd reload

	Check that kadmind is not running as a service

	# ps axlwww | grep kadmind

	If kadmind is running, kill it:

	# kill <process id of kadmind>

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-Oct-22 should
	be upgraded to NetBSD-current dated 2002-Oct-22 or later.  The fix
	is included in crypto/dist/heimdal/kadmin/version4.c, revision 1.2.

	The following directory needs to be updated from the netbsd-current
	CVS branch (aka HEAD):
		crypto/dist/heimdal/kadmin

	To update from CVS, re-build, and re-install kadmind(8):
		# cd src
		# cvs update -d -P crypto/dist/heimdal
		# cd libexec/kadmind
		# make cleandir dependall
		# make install

* NetBSD 1.6:

	The following directory needs to be updated from the 
	netbsd-1-6 CVS branch:
		crypto/dist/heimdal/kadmin

	To update from CVS, re-build, and re-install kadmind(8):

		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/dist/heimdal/kadmin
		# cd libexec/kadmind
		# make cleandir dependall
		# make install

* NetBSD 1.5:

        The following directory needs to be updated from the
        netbsd-1-5 CVS branch:
                crypto/dist/heimdal/kadmin

        To update from CVS, re-build, and re-install kadmind(8):

                # cd src 
                # cvs update -d -P -r netbsd-1-5 crypto/dist/heimdal/kadmin
                # cd libexec/kadmind
                # make cleandir dependall 
                # make install

Thanks To
=========

Love Hoernquist-Astrand for the patch and notification and Johan Danielsson
for testing.


Revision History
================

	2002-Oct-21	Initial release

More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-026.txt,v 1.9 2002/10/21 20:34:06 groo Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPbRlij5Ru2/4N2IFAQGcgwQAn2bBxCdA6L0KhD5Pq0DzylaH8V5wHsq+
iguSkTTaj8cfIR/7Nz8LHUx16Sn9BzYM/YbGkHhp0NjasjIXxlL1ulriTly6Ynf1
SOLNqfHP4IlOITGvIYbFBV0EsIgQiRA4uW5jaQT15YJ/gWi8874wioHNWNRCuTm+
rmkN3qBFP04=
=2on8
-----END PGP SIGNATURE-----