-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-018 ================================= Topic: Multiple security isses with kfd daemon Version: NetBSD-current: source prior to September 10, 2002 NetBSD 1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: not affected Severity: remote buffer overrun, possibly resulting in root exploit Fixed: NetBSD-current: September 11, 2002 NetBSD-1.6 branch: not yet NetBSD-1.5 branch: September 11, 2002 Abstract ======== Kf and kfd are used to forward Kerberos credentials in a stand-alone fashion, and come from the Heimdal Kerberos implementation used by NetBSD. In Heimdal releases earlier than 0.5, these programs have multiple security issues, including possible buffer overruns. The kfd daemon has never been enabled by default in NetBSD; enabling it would have required a port name to be added to /etc/services. Technical Details ================= The client sent information about user and files without integrity protection, making it possible to overwrite any file the user had access to. The server also passed some of this data to other functions without checking that strings were zero terminated, possibly resulting in root exploit. All versions prior to Heimdal 0.5 are vulnerable. You can tell which version of kfd you have by running /usr/libexec/kfd --version. See also: http://www.pdc.kth.se/heimdal/ Solutions and Workarounds ========================= As this is not a vital service, and is very likely unused by most installations, the straightforward solution is to remove these programs. This has been done in NetBSD-current sources on September 11, 2002. Note that even after this time, systems may still have binaries left behind from earlier builds. Note that sources for the 1.6 release (and branch) still inlcude these programs. Therefore, a "make build" will re-install vulnerable binaries into /usr/bin/kf and /usr/libexec/kfd. As noted in the 1.6 LAST_MINUTE release notes, please remove them after each "make build". * NetBSD all releases: Check that you don't have kfd in your /etc/inetd.conf. % grep kfd /etc/inetd.conf Remove these programs: # rm /usr/bin/kf # rm /usr/libexec/kfd # rm /usr/share/man/cat1/kf.0 # rm /usr/share/man/cat8/kfd.0 # rm /usr/share/man/man1/kf.1 # rm /usr/share/man/man8/kfd.8 Thanks To ========= joda@pdc.kth.se (Johan Danielsson) Revision History ================ 2002-09-16 Initial release More Information ================ Advisories may be updated as new information comes to hand. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-018.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-018.txt,v 1.9 2002/09/16 22:59:39 dan Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBPYZiaj5Ru2/4N2IFAQG3YQP6AxY5rsaUAgEIIQ3TVsLPbqplH4ARheS6 zvmwTOcoI4NnGVdvUL99FPf+hEJdHZyScEn9bRtEGgFUnbXCgovDu2G333/1S91Z w36jokou/av+WdxJ7fVSbFqrA62cFy1s9fpoWubZ14j3isPzz74qtPtGnOI19oGh WylKw/jKtps= =8Fkt -----END PGP SIGNATURE-----