[13729] in Athena Bugs


telnetd: fix for (slightly) known bug

daemon@ATHENA.MIT.EDU (Daniel G. Pouzzner)
Thu Aug 10 03:51:50 1995

Date: Thu, 10 Aug 1995 03:51:45 -0400
From: "Daniel G. Pouzzner" <douzzer@prez.mit.edu>
To: bugs@MIT.EDU

A bug has been discovered in Athena telnetd which allows a ticket
stolen from one machine to be used to gain access granted to that
principal from any other host.

Specifics:

This bug can be exploited when a service key has already been
generated by contacting the KDC from the initial site. Once the
service key has been added to the ticket file, the ticket may be dumped
and recreated on another host. Any rcmd.* key in the ticket file will
be sufficient to gain entry to any host using Athena telnetd.

Cause: krb_rd_req() is not provided with the peername. It is thus
unable to discriminate between tickets with bogus addresses and
legitimate accesses. An architectural oversight in the telnet library
is responsible for this information being unavailable to krb_rd_req()
or its caller, kerberos4_is().

Solution:
in file telnetd/main.c:

before main(), insert:

struct sockaddr_in PeerName;

in main(), after the getpeername() call and related error handling
code, insert:

	memcpy(&PeerName,from,fromlen);

in file libtelnet/kerberos.c:

after "#include <sys/types.h>", insert:

#include <netinet/in.h>

after "extern auth_debug_mode", insert:

extern struct sockaddr_in PeerName;

in function kerberos4_is(), replace

		r = krb_rd_req(&auth, KRB_SERVICE_NAME,
			       instance, 0, &adat, "");

with

		r = krb_rd_req(&auth, KRB_SERVICE_NAME,
			       instance, PeerName.sin_addr.S_un.S_addr,
			       &adat, "");

Rebuild libtelnet and telnetd. Job is done!
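The following is an added example, not part of the message above and not Athena telnetd or Kerberos library code. It models in a self-contained C program why the fix works: Kerberos 4's krb_rd_req() compares the client address embedded in the ticket against the from_addr argument, and a from_addr of 0 (the original telnetd call) disables that comparison entirely. The struct layout, the check itself, the function names (toy_rd_req, peer_addr_of, replay_outcome) and the addresses 18.72.0.5 and 18.85.1.2 are constructed for illustration. It uses the portable s_addr member of struct in_addr; on systems where that struct is a union, s_addr is the usual macro for S_un.S_addr.

```c
/* Added example: a stand-alone model of the krb_rd_req() address check.
 * Not the real Kerberos 4 library; the layout and check are simplified
 * assumptions that keep the behaviour the fix above relies on. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define RD_AP_OK   0   /* ticket accepted */
#define RD_AP_BADD 1   /* "bad address": ticket address != peer address */

/* Stand-in for the address krb_rd_req() decrypts out of the ticket
 * (the client IP the KDC recorded when the ticket was issued). */
struct toy_auth_dat {
    char     pname[40];
    uint32_t address;   /* network byte order, like sin_addr.s_addr */
};

/* Model of the relevant lines of krb_rd_req(): from_addr == 0 skips the
 * check (what the unfixed telnetd passed); otherwise the address inside
 * the ticket must equal the address we are actually talking to. */
int toy_rd_req(const struct toy_auth_dat *ad, uint32_t from_addr)
{
    if (from_addr != 0 && from_addr != ad->address)
        return RD_AP_BADD;
    return RD_AP_OK;
}

/* What the fixed telnetd hands to krb_rd_req(): the address saved from
 * getpeername(), i.e. PeerName.sin_addr in the patch. */
uint32_t peer_addr_of(const struct sockaddr_in *peer)
{
    return peer->sin_addr.s_addr;
}

/* Build a sockaddr_in from a dotted quad (constructed input, no network). */
static int make_peer(const char *dotted, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    return inet_pton(AF_INET, dotted, &sa->sin_addr) == 1;
}

/* Scenario: a ticket issued to "user" on 18.72.0.5 is presented from
 * peer_ip. pass_peer_addr selects the unfixed (0) or fixed (peer address)
 * call. Returns RD_AP_OK, RD_AP_BADD, or -1 on an unparsable address. */
int replay_outcome(const char *peer_ip, int pass_peer_addr)
{
    struct toy_auth_dat ad;
    struct sockaddr_in issued_to, peer;

    if (!make_peer("18.72.0.5", &issued_to) || !make_peer(peer_ip, &peer))
        return -1;
    snprintf(ad.pname, sizeof ad.pname, "%s", "user");
    ad.address = issued_to.sin_addr.s_addr;
    return toy_rd_req(&ad, pass_peer_addr ? peer_addr_of(&peer) : 0);
}

static const char *describe(int r)
{
    return r == RD_AP_OK ? "accepted" : r == RD_AP_BADD ? "rejected (RD_AP_BADD)" : "error";
}

int main(void)
{
    printf("original host,  from_addr=0:    %s\n", describe(replay_outcome("18.72.0.5", 0)));
    printf("original host,  from_addr=peer: %s\n", describe(replay_outcome("18.72.0.5", 1)));
    printf("stolen, other host, from_addr=0:    %s  <- the bug\n", describe(replay_outcome("18.85.1.2", 0)));
    printf("stolen, other host, from_addr=peer: %s\n", describe(replay_outcome("18.85.1.2", 1)));
    return 0;
}
```

Two practical notes when applying the patch above. First, if your telnetd/main.c declares `from` as a `struct sockaddr_in` rather than a pointer (the 4.4BSD telnetd does), the copy must take its address: `memcpy(&PeerName, &from, fromlen)`. Second, the check only binds the ticket to the client address the KDC recorded and the source address the server sees; a ticket replayed from the same host, or from an attacker who can spoof that address, still passes. It closes the cross-host replay the message describes, nothing more.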
