2004-05-06: Kerberos 4 buffer overrun in Heimdal kadmin

All releases prior to 0.6.2 have a possible buffer overrun in the Kerberos 4 kadmin compatibility module of kadmind. It would probably be possible to implement a remote exploit for this, depending on the architecture.

0.6.2 fixes this problem, as well as making Kerberos 4 kadmin default off.

We suggest that you turn off Kerberos 4 kadmin, with the --no-kerberos4 option to kadmind. Even if you have a good reason to keep using the Kerberos 4 kadmin protocol, you should still turn it off until you have upgraded to 0.6.2.

To check whether a kadmind is vulnerable you have to check both its version and whether it was built with Kerberos 4 support at all:

$ /usr/heimdal/libexec/kadmind --version
kadmind (Heimdal 0.6.1)
Copyright 1999-2004 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@pdc.kth.se
$ /usr/heimdal/libexec/kadmind --help
Usage: kadmind [-dhv] [--config-file=file] [-c file] [--key-file=file] [-k file]
   [--keytab=keytab] [--realm=realm] [-r realm] [--check-library=library]
   [--check-function=function] [--debug] [--no-kerberos4] [--ports=port]
   [-p port] [--help] [--version] 
-c file, --config-file=file location of config file
-k file, --key-file=file    location of master key file
--keytab=keytab             what keytab to use
-r realm, --realm=realm     realm to use
--check-library=library     library to load password check function from
--check-function=function   password check function to load
-d, --debug                 enable debugging
--no-kerberos4              don't respond to kerberos 4 requests
-p port, --ports=port       ports to listen to

Binaries without Kerberos 4 support will not show the --no-kerberos4 option.
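The two checks above (version older than 0.6.2, and --no-kerberos4 present in the --help text) folded into one POSIX shell script. This is an added example, not code from the advisory or from the Heimdal distribution; the kadmind path and the sample --version/--help outputs are assumptions modelled on the transcript above, so the script can be run without a Heimdal installation.

```shell
#!/bin/sh
# Added example (not part of the Heimdal advisory): classify a kadmind
# binary from its --version and --help output using the two checks the
# advisory describes. KADMIND is an assumed path; the sample outputs
# below are constructed so the script runs offline.

KADMIND=${KADMIND:-/usr/heimdal/libexec/kadmind}

# Extract the Heimdal version, e.g. "0.6.1", from "kadmind (Heimdal 0.6.1)".
heimdal_version() {
    printf '%s\n' "$1" | sed -n 's/.*(Heimdal \([0-9][0-9.]*\)).*/\1/p' | head -n 1
}

# Return 0 (true) if dotted version $1 is older than $2, comparing
# numerically field by field (so 0.6.10 sorts after 0.6.2, unlike a
# plain string compare).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Return 0 if the --help text advertises --no-kerberos4, i.e. the binary
# was built with Kerberos 4 support (the advisory's second check).
has_kerberos4() {
    printf '%s\n' "$1" | grep -q -- '--no-kerberos4'
}

# Combine both checks. Prints one of:
#   vulnerable      older than 0.6.2 and built with Kerberos 4 support
#   safe-no-krb4    Kerberos 4 compiled out, so the version does not matter
#   fixed           0.6.2 or later
#   unknown         version banner not recognised
classify_kadmind() {
    ver=$(heimdal_version "$1")
    if [ -z "$ver" ]; then
        echo unknown; return
    fi
    if ! has_kerberos4 "$2"; then
        echo safe-no-krb4; return
    fi
    if version_lt "$ver" 0.6.2; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Constructed sample outputs, modelled on the advisory's transcript.
SAMPLE_VERSION='kadmind (Heimdal 0.6.1)
Copyright 1999-2004 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@pdc.kth.se'
SAMPLE_HELP='Usage: kadmind [-dhv] [--config-file=file] [-c file] [--key-file=file] [-k file]
   [--keytab=keytab] [--realm=realm] [-r realm] [--check-library=library]
   [--check-function=function] [--debug] [--no-kerberos4] [--ports=port]
   [-p port] [--help] [--version]'
# Constructed --help from a build without Kerberos 4 (no --no-kerberos4).
SAMPLE_HELP_NOKRB4='Usage: kadmind [-dhv] [--config-file=file] [-c file] [--key-file=file] [-k file]
   [--keytab=keytab] [--realm=realm] [-r realm] [--check-library=library]
   [--check-function=function] [--debug] [--ports=port]
   [-p port] [--help] [--version]'

# Use the real binary when present, otherwise the constructed samples.
if [ -x "$KADMIND" ]; then
    classify_kadmind "$("$KADMIND" --version 2>&1)" "$("$KADMIND" --help 2>&1)"
else
    classify_kadmind "$SAMPLE_VERSION" "$SAMPLE_HELP"
fi
```

Run it as KADMIND=/path/to/kadmind sh check-kadmind.sh on each KDC; a result of vulnerable means the host should get --no-kerberos4 added to the kadmind invocation immediately and be upgraded to 0.6.2. Note that the script only reports what the binary advertises; a packaged kadmind with a vendor patch backported to an older version string will still show up as vulnerable and needs checking against the vendor's changelog.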

See also CAN-2004-0434.
