[2210] in Kerberos-V5-bugs
security hole in v4 and v5 login?
daemon@ATHENA.MIT.EDU (schemers@stanford.edu)
Mon Sep 9 15:17:35 1996
Date: Mon, 9 Sep 1996 12:17:18 -0700 (PDT)
From: schemers@stanford.edu
To: krb5-bugs@MIT.EDU
-----BEGIN PGP SIGNED MESSAGE-----
Hum. I was making some changes to our locally hacked-up login
program, and stumbled across a possible race condition that exists
in the v4 and v5 login programs.
The v5 login program has a "chown" call after the
krb5_get_in_tkt_with_password call. Before the chown,
someone could unlink the ticket cache, and create a symlink to
/etc/passwd. After which, the chown would change the owner of the
password file, correct? It isn't that hard to guess what the name
of the cache file will be, and probably isn't that hard to slow
down the system enough to do the unlink/symlink create.
Here is the code:
    code = krb5_get_in_tkt_with_password(kcontext, krb5_options,
                                         0, NULL, 0 /*preauth*/,
                                         pass,
                                         ccache,
                                         &my_creds, 0);
    if (code) {
        if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
            fprintf (stderr,
                     "%s: Kerberos password incorrect\n",
                     username);
        else
            com_err ("login", code,
                     "while getting initial credentials");
    nuke_ccache:
        krb5_cc_destroy (kcontext, ccache);
        return 0;
    } else {
        /* get_name pulls out just the name not the
           type */
        strcpy(ccfile, krb5_cc_get_name(kcontext, ccache));
        (void) chown(ccfile, pwd->pw_uid, pwd->pw_gid);
        krbflag = got_v5_tickets = 1;
        return 1;
    }
One solution would be to open() the cache file, make sure it looks
like a valid cache file, and then use fchown.
roland
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQCVAwUBMjRtJ+a8xrbAUhaNAQFtIgP+PRFeGj90D7yT6R+09LJGbmX2anmChVUd
ldCMz4rtxPOk7av8bGyBtzGVlqinUgDVX6c4kY+3/0C8oAoDWSRYmmW4QngmXGdz
lUt/215HnamTPSIZYVAqUs7jqJev68qDAxnLHLz9SBTzSigw8zKN6Rhp3dK6XBdH
OPofmNl9TaA=
=DpH2
-----END PGP SIGNATURE-----
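The race described in the report, shown as an added example that is not part of the original message or of MIT's login.c. chown_ccache_by_path() is the pattern quoted above (chown() on a path name, which follows a symlink swapped in after the cache was written); chown_ccache_by_fd() is the open/verify/fchown approach the report suggests. run_scenario() builds a constructed scenario in a scratch directory under /tmp: a genuine cache file, and a symlink with a cache-like name pointing at a "victim" file standing in for /etc/passwd. Assumptions: O_NOFOLLOW and O_CLOEXEC are available (they were not on most 1996 systems, which is why the report proposes a post-open check rather than an open flag), and the MIT file-ccache header starts with a byte of value 5 followed by a version byte 1 through 4, which is used here only as a plausibility check on the open descriptor.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern from the report: chown() resolves the path at call time and
   follows symlinks, so a symlink planted between cache creation and this
   call redirects the ownership change to whatever it points at. */
int chown_ccache_by_path(const char *path, uid_t uid, gid_t gid)
{
    return chown(path, uid, gid);
}

/* Hardened variant: open without following symlinks, check on the open
   descriptor that it is a plain file we ourselves created (regular, single
   link, owned by our effective uid) whose first bytes look like an MIT file
   ccache header, then fchown() that same descriptor so no path is resolved
   a second time. Returns 0 on success, -1 with errno set otherwise. */
int chown_ccache_by_fd(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* ELOOP when path is a symlink */
    struct stat st;
    unsigned char hdr[2];
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1
          && st.st_uid == geteuid()
          && read(fd, hdr, 2) == 2 && hdr[0] == 5 && hdr[1] >= 1 && hdr[1] <= 4;
    if (!ok) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    int rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Helper: create a new file (refusing to follow or reuse an existing one). */
static int write_file(const char *p, const unsigned char *b, size_t n)
{
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, b, n);
    close(fd);
    return w == (ssize_t)n ? 0 : -1;
}

/* Constructed scenario: a real cache "tkt" beside a symlink "tkt.lnk" that
   points at "victim" (standing in for /etc/passwd). Both chown variants are
   tried on the symlink, and the safe one on the real cache; the three return
   codes are stored. Returns 0 if the scenario could be set up. Ownership is
   changed to our own uid/gid so the demo runs unprivileged. */
int run_scenario(int *by_path_on_link, int *by_fd_on_link, int *by_fd_on_real)
{
    char dir[] = "/tmp/ccdemo.XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char tkt[64], lnk[64], victim[64];
    snprintf(tkt, sizeof tkt, "%s/tkt", dir);
    snprintf(lnk, sizeof lnk, "%s/tkt.lnk", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    static const unsigned char fcc_hdr[] = { 5, 4, 0, 0 };  /* FCC v4 header start */
    static const unsigned char pw[] = "root:x:0:0:root:/root:/bin/sh\n"; /* constructed */
    int rc = -1;
    if (write_file(tkt, fcc_hdr, sizeof fcc_hdr) == 0
        && write_file(victim, pw, sizeof pw - 1) == 0
        && symlink(victim, lnk) == 0) {
        uid_t u = geteuid();
        gid_t g = getegid();
        *by_path_on_link = chown_ccache_by_path(lnk, u, g); /* 0: followed link */
        *by_fd_on_link   = chown_ccache_by_fd(lnk, u, g);   /* -1: refused */
        *by_fd_on_real   = chown_ccache_by_fd(tkt, u, g);   /* 0: genuine cache */
        rc = 0;
    }
    unlink(lnk);
    unlink(tkt);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int a, b, c;
    if (run_scenario(&a, &b, &c) != 0) {
        perror("setup");
        return 1;
    }
    printf("chown(path) on symlink:   %d (followed it to the victim)\n", a);
    printf("fchown variant on symlink: %d (refused)\n", b);
    printf("fchown variant on cache:   %d\n", c);
    return 0;
}
```

The ownership check in chown_ccache_by_fd() is what matters on a system without O_NOFOLLOW: a file the attacker planted in the cache directory will not be owned by the login process's effective uid, and /etc/passwd will not carry the ccache header, so the swap is rejected rather than blindly fchown()ed. Creating the cache in a directory the attacker cannot write, or creating it already as the target user, removes the window altogether.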