Critical Kerberos Flaw Revealed

doi writes "ZD Net is carrying a story about '...a critical flaw that could allow hackers to circumvent the secure networking system...The problem lies with software in MIT Kerberos 5 called kadmind4 (Kerberos v4 compatibility administration daemon), which allows compatibility with older administrative clients. A buffer stack overflow allows an attacker to use a specially formed request to gain access to the KDC with the privileges of a user running kadmind4.' It affects all MIT-derived versions of Kerberos 4 and 5."

A distinction...

[Xenographic]

For a minute, I almost wondered if the actual cryptosystem had been broken, but then I realized that this is only the implementation of it. There's a *big* difference...

Fortunately, all we have to do is download a patch, which is much better than having to find something other than Diffie-Hellman key exchange... :]

Re:A distinction...

[dirvish]

Unfortunately, most sys admins will be oblivious to the problem and will not patch anything.

Re:A distinction...

[delta407]

For a minute, I almost wondered if the actual cryptosystem had been broken

My pulse actually shot up when I read the headline!

Breathe... breathe... it's just a buffer overflow... ...I'll be okay, just give me a few minutes.

Re:A distinction...

[grungeKid]

Admins (and environments) who use Kerberos tend to be just a bit more clueful than your average admins.

Re:A distinction...

[wandernotlost]

No kidding. "Critical Kerberos Flaw Revealed" is not exactly an appropriate headline for a fscking buffer overflow. Getting a bit sensational now, aren't we?

It's not a flaw in Kerberos, it's a bug in kadmind4.

Re:A distinction...

[psamuels]

"Critical Kerberos Flaw Revealed" is not exactly an appropriate headline for a fscking buffer overflow. Getting a bit sensational now, aren't we?

Hey, it worked - at least, it sure got me to read the blurb in a hurry. (While hyperventilating, but whatever.) Maybe they did it on purpose. At least the panic attack only lasted a couple sentences. If they'd made me actually read the article to find this out....

Re:A distinction...

[216pi]

Karma: can we please stop these karma word jokes, only about two of which were even funny the first time?

Who is this Karma guy anyway? And why is he bad?

Re:A distinction...

[pellaeon]

Thank you :-)

Re:A distinction...

[MoogMan]

"it's just a buffer overflow"

What, like the same as

"it's just a virus" or "it's just a DoS attack"

?

Re:A distinction...

[delta407]

"it's just a buffer overflow"

What, like the same as "it's just a virus" or "it's just a DoS attack"?

Yes, the same. All of which are better than "Kerberos is fundamentally flawed" -- the above can be fixed by changing software instead of inventing new algorithms.

Re:A distinction...

[MoogMan]

Fair enough, but the key word used was "Critical" rather than "fundamental".

Fundamentally flawed definitely not like you say, but critically problematic definitely - as are all buffer overflows on serious systems as this

it is only MIT Specific �

[norwoodites]

That means it does not hurt the opensource version of Kerberos V, heimdal because it does not support Kerberos IV which is supported by KTH.

Re:it is only MIT Specific �

[dolo666]

That is exactly what I was going to say.

Re:it is only MIT Specific �

And you know, I was going to mod you up for it too...

Re:it is only MIT Specific �

[KevinM]

Assuming your heimdal is built without kerberos4 compatibility. See: http://www.pdc.kth.se/heimdal/

Also, note that the vulnerability is not just theoretical.

Re:it is only MIT Specific �

[yak]

"That means it does not hurt the opensource version of Kerberos V,
heimdal because it does not support Kerberos IV which is supported by KTH.
Really about time to get a Mac."

Both the MIT and KTH implementations of Kerberos are open source.
The version that ships with MacOS is MIT Kerberos.

Re:it is only MIT Specific �

[norwoodites]

The MIT one is not opensourced because you cannot export it, there is some control on it.

Re:it is only MIT Specific �

[einhverfr]

The GPL does allow for export restrictions. So export restrictions due to legal advice on US law, IMO, does not preclude something from being open source.

I know people will disagree. But, then it would have been extremely hard to have open source cryptography until recently....

Re:it is only MIT Specific �

[yak]

The only export restriction is this:

Export of software employing encryption from the United States of
America may require a specific license from the United States
Government. It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting.

Re:it is only MIT Specific �

see also www.crypto-publish.org

MIT restricts it because MIT's lawyers are wankers. If you want to deal with the regs, like crypto-publish did, and like debian did, you can make it available to the ungrateful wretches of the world...

Re:M$FT too?

Well, how does it affect the BSD implementation? There's your answer.

Bad News for Mutants

[SuperMario666]

Will nefarious hackers now be able track them throughout the world?

This is more on-topic

[cscx]

Here

Old news

This has been known for awhile. The OpenBSD errata contained a patch fixing the flaw in the 3.0 and 3.1 releases three days ago.

Re:Old news

So "a while" is 3 days now?

Re:Old news

[6169]

if a security hole came up that affected the integrity of your systems, would you want to know about it now, or say, three days from now?

Is this really pertinent?

[6169]

Though this seems to be an increasing trend, do we really need to see bug reports like this on Slashdot, even if they are security related? I can understand if the actual protocol was flawed, but this is just a bug in the admin daemon. If I wanted bug and patch information, I would go to bugtraq, or the OpenBSD security list, both of which covered this days ago.

Re:Is this really pertinent?

[carpe_noctem]

I completely agree. I say that people wait until the respective worm comes out for the said vulnerability, then post an article about that, where hundreds of /. comments will mock stupid people for not patching their systems. =)

Re:Is this really pertinent?

[tswinzig]

dude, slow news day

Re:Is this really pertinent?

If you don't like the article, then skip it. Stop posting shit like this, thereby increasing the signal to noise ratio. No one ever claimed that every slashdot article is going to interest everyone. This one is aimed at the more technical crowd, and gives people a chance to talk about kerberos.

-- gid0ze

Re:Is this really pertinent?

you mean "decreasing" signal to noise ratio :-)

Re:Is this really pertinent?

This is pertinent. Just because you don't understand Kerberos doesn't mean it's not used in many different situations. It serves a great purpose, and I'd ganter an expliot relating to Kerberos is probably pretty disheartening to all the admins out there that rely on it (and have for years).

Re:Is this really pertinent?

Your "uniqueness" argument for /. is quite
compelling. Is it your proposal that only
original material be posted to /.? Or what
is the criteria for posting notices about
other news events covered on other servers?

Without answers to these questions, your
uniqueness argument for /. is a bit light.
But with refinement, we can come up with
yet another jeremiad for /....

BTW, I don't know if I've mentioned this:
you're a fucking idiot. FYI.

As for security issues, what, exactly, is
preventing you from setting your selections
to not see these stories?

Re:Is this really pertinent?

[fdisk3hs]

Some of us are busy and when we stop to check our tech news sites and email, it would be nice if they would tell us if the 'doomsday bug' is running around, or if Tokyo just fell...

Redundancy is the key, don't you know ANYTHING?

lr

Re:Is this really pertinent?

[DrFrasierCrane]

I dunno, is it that pertinent to post whatever the latest MS bug is, followed by the inevitable posts by *nix lovers who wish can point to "yet another" MS problem?

Re:Is this really pertinent?

To the mod that moderated this as offtopic, I'm meta-modding, and I have modded you as unfair. This lessens the chance that you will get to moderate in the future. This post is on-topic, as current moderation indicates, because the topic is software bugs, and this post is talking about software bugs. Please learn to read either the post context or the moderator guidelines.

The Anonymous MetaMod

Re:Question

[cscx]

Kerberos explanation up in he'a!

No worries...

[Bush_man10]

Why worry about it? They already have a patch so I don't think it's a big deal. If your a administrator who doesn't keep up with bugtraq or other mailing lists then your just asking for trouble. Just hope no one already exploited this hole on your system :)

Re:No worries...

Gee, you are so forgiving! If only all of /. were that way. That is in fact the sane and rational response to holes in ANY OS. Unfortunately that is never the response given to MS in any similar situation.

The word for that is "hypocrisy" and it is one of the lowest forms of human behavior, right down there with lying, cheating and stealing.

I'll positively keel over and die if /. ever showes any kind of rational thought or reaction twards Linux or Windows.

Guess I was wrong...

[domninus.DDR]

And I had faith in MIT since they taught Time Cube..

Re:Guess I was wrong...

[groove10]

What the hell was that about... Timecube? Anyone want to fill me in on this thing? I started to read it but it really hurt my eyes to see text that big.

Re:Guess I was wrong...

the time cube guy just seems to be a famous net.lunatic. i've tried to make sense of time cube several times, but i was EDUCATED STUPID. in fact, i'm so STUPID AND EVIL I DO NOT EVEN KNOW I AM STUPID AND EVIL. THERE IS NO DAMN WORD GOD.

Re:Guess I was wrong...

[einhverfr]

YES AND THERE ARE 4 24 HOUR DAYS WITH EATH EARTH ROTATION!

Hmmm.... Call me silly,. stupid, and evil, but.... Why 4? Why not soething more tangable like 24 (1 for each general time-zone, discounting exception), or better yet, how about an infinite number of great circles passing through the poles creating an infinte number of longitude lines... Wait-- that is critical to Astrology. It must be STUPID AND EVIL even though it is true mathematically.

Re:Guess I was wrong...

one could also ask why he refers to a 4-sided figure as a "cube", but i bet we could think of a lot of questions before we ran out.

for what it's worth, a notorious MIT prankster set up the Time Cube lecture. the entire point was to get a good laugh listening to some seriously spurious physics.

Re:Question

[Raven42rac]

why does kerberos just seem kinda worthless?

Kerberos Authentication

[chickenmonger]

As a user on a network that uses Kerberos authentication, it's good to know about these security flaws. That way, we can email the admin to find out if we should unplug our CAT5. :-)

Re:Kerberos Authentication

[Bobulusman]

Amen to this. I just finished e-mailing my admin. Seriously. :)

Re:Kerberos Authentication

[orcaaa]

Well, if you are interested in knowing about security related bugs then go to bugtraq or something like that. No offense intended, but /. is not a forum for bug reports in security/software systems. Besides, you can (always) trust your admin to take the correct action for seeing to the security of the system ;-).

Re:Kerberos Authentication

[Conare]

No offense intended, but /. is not a forum for bug reports in security/software systems
So are you saying that brand new, and critical information about a widely used software system does not qualify as "News for Nerds?" Hmmmm.

What would really be appreciated

..on stories like this is if you'd just put some short thing telling how to determine if you are affected by the security hole.

like, just say "if you type /sbin/sshd --version and it says your version is 2.23 or lower, you're affected".

A lot of the time it's kind of hard to remember which version exactly you have, and much UNIX software offers no quick, clear way to tell what version you have installed. Hell, i don't even know if i have kerberos. I know i've never consiously used kerberos. But for all i know my linux distribution installed kerberos as part of another package. Now i, and a bunch of other people, are going to be poking around manpages and wierd directories for awhile trying to figure out, uhh, do we have kerberos, what version/brand, do we need to disable or patch anything.. this is not the hardest thing in the world, but it isn't exactly easy when you consider it's 11:12 PM and at my college, we start drinking on thursday night. I'm not exactly in the mood to think logically at this exact moment.

So, a quick 'heads up, here's the quick way to tell if you're affected' on the part of the slashdotty people at the end of these story blurbs would be much appreciated :)

Re:What would really be appreciated

[frankie_guasch]

and much UNIX software offers no quick, clear way to tell what version you have installed

Most of the software will return the version with the --version option.

I know i've never consiously used kerberos. But for all i know my linux distribution installed kerberos as part of another package

Your linux distribution installs only the library of kerberos, that is not affected.

Re:What would really be appreciated

Most of the software will return the version with the --version option

Or -version.. or -v.. or something else.. figuring these things out when you're tired is not fun :) you have to understand that what i have is not a serious complaint, but simply sleepy bitching and whining. :)

Your linux distribution installs only the library of kerberos, that is not affected

Thank you very much! :)

Re:What would really be appreciated

[theLOUDroom]

Suck it up man. I just got home from dirning. I couldn't draw a straight line if you paid me but i'm still readin slastdot
party on woo!

Re:What would really be appreciated

(not to seem snarky, honest) if you don't know what you have on a machine, it should not be public-accessible. period. end of sentence.

Now that we have that out of the way, sometimes the simplest ways to determine if a given pkg is installed is to use the GNU locate program (included in most free unixen now by default) to say something like locate kadmind4... most security advisories will mention the name of the binary affected somewhere so a simple locate will tell you if it's on your machine. then the other poster's suggestions of -v / -version / --version / -h come into play... Also, apropos foo will search the man pages for keywords, handy if you don't know the exact names to look for (e.g. doing a apropos kerberos to see what manpages mention it... this will also sometimes give you the existence / version info but is not as reliable as the methods above (man pages are not always installed [correctly] or up to date))

Re:What would really be appreciated

[Permission+Denied]

Hell, i don't even know if i have kerberos.

Then you're not affected.

This is a bug in the Kerberos admin daemon, which only runs on KDCs, which are centralized Kerberos servers. Clients are not affected. Furthermore, it only affects KDCs that have enabled version 4 backwards-compatibility.

If you don't know what Kerberos is, you don't have to patch your system. Only people that run KDCs have to patch their systems. I've never seen Kerberos installed with less than a few thousand users, so you would probably know if you're the admin of a KDC.

Re:What would really be appreciated

[HiThere]

Yes, that's the kind of information he was asking for. And he's quite right:
Every article on a security flaw should include a quick test on how to determine whether or not you are affected.

If I had mod points right now, he would have gone up. I would probably even have experimented to see if I could mod the same comment more than once. He should be at "+6 insightful: Editors please note!"

Re:What would really be appreciated

[StormReaver]

"A lot of the time it's kind of hard to remember which version exactly you have, and much UNIX software offers no quick, clear way to tell what version you have installed."

If you're running an RPM based system, "rpm -qa | grep kerb" is a quick way to determine if you've installed Kerberos. This works for any other RPM you've installed.

Backwards Compatibility?

[The+Rolling+Blackout]

Doesn't this illustrate a backwards compatibility problem with secure systems everywhere? As such, buffer overflows that affected any previous system could conceivably affect any & all backwards-compatible systems made after the fact, should such software be afforded the necessary privileges (esp. remote management tools).

(I'm not posting this in an attempt to prove I know anything, I just think a clearly worded reply might benefit a few folks, e.g. me)

Critical Flaw??

Whoa, reading this title I thought maybe it was an actual flaw in the protocol! But it's just a buffer overflow. At least ZDNet put "critical" in quotes.

So all I have to do is update the software and I'm good to go. Just like any other buffer overflow.

Actually I don't use Kerberos at all, so it really doesn't matter. But the title really caught my attention..

Re:Critical Flaw??

[blancolioni]

So all I have to do is update the software and I'm good to go. Just like any other buffer overflow.

When are we going to switch to languages that don't have buffer overflow problems? Solutions have been around for years. It stuns me that buffer overflow is still an avenue of attack.

Re:Critical Flaw??

[msheppard]

Yeah, I read it as a flaw in the protocol too, which really suprised me as I did a presentation on kerberos for a grad level netowkring class, so for a breif time at least I completely understood it, and couldn't imagine how it could be flawed.

M@

Re:Critical Flaw??

[blancolioni]

Look, I know you're a troll, and you're probably pretty stupid, and maybe you've never written a line of code in your life, but it might be interesting to point out why you're wrong anyway.

If the language you're using does not automatically check array indices, then you have to do it yourself. The Kerberos implementation flaw proves it. So you pay for bounds checking anyway, and chances are, the compiler constructed check will be faster than the one you wrote.

Furthermore, with the right language a compiler can omit most of the checks because it can easily prove that the value will always be in range.

The idea that bounds checking = slow is just so 60s.

Re:Critical Flaw??

[aridhol]

If the language you're using does not automatically check array indices, then you have to do it yourself.

OK, consider a language where every array access is validated. You loop through an array. As a programmer, you know you only have to check the array length once, at the beginning of the loop. The runtime doesn't know this, and thus checks the bounds every time through.

Now, you say, this can easily be done in the compiler. However, what if someone decides to write the bytecode themselves. This could allow a buffer overflow in a Java virtual machine, for example. So Java checks array bounds on every access, so that a rogue applet can't gain elevated privs. Plus for security, minus for efficiency.

Re:Critical Flaw??

[Hard_Code]

Look, you don't even need to go so far as mandating bounds checking. The mere presence of an associated length with all strings or arrays would itself be a tremendous win! What is that, like FOUR fscking bytes per array? So what? Four extra bytes is a very small price to pay for actually knowing the length of something you are working on! Sheesh.

Re:Critical Flaw??

[blancolioni]

OK, consider a language where every array access is validated. You loop through an array. As a programmer, you know you only have to check the array length once, at the beginning of the loop. The runtime doesn't know this, and thus checks the bounds every time through.

You seem to be thinking in C++ ... yes, the C++ checked array classes are ridiculously slow, because every reference is checked. Here's the Ada equivalent to looping through an array:

for I in Array_Variable'Range loop
-- do stuff with Array_Variable (I)
end loop;

No bounds check required, because the compiler knows that I is always in range.

Furthermore, the ability to restrict variable ranges removes a whole bunch of other bounds checks. You'd be surprised at how little is actually required.

It's also much harder to have buffer overflows with extra-long input; in general, an exception will be raised (in this case by the run time), which, if uncaught, terminates the process. No security risk.

Language design has come a long way since the 1970s. You'd be doing yourself a favour to see what else is out there, even if you never program in anything other than C.

Re:Question

[c13v3rm0nk3y]

What the flaming fuck does kerberos do anyway?

Kerberos makes it really difficult to do any work at MIT. It's a software product designed by faculty to slow up research projects by students.

The reasons for this are twofold: ensure longer paths to tenure, and keep smart students from publishing too quickly and making their profs look bad.

is this for real

[carpe_noctem]

Hrm....I haven't noticed anything about this on Bugtraq or Full-Disclosure, and you'd think that something this big would be all over those lists about two or three days before it got posted here. I'll believe this when I see a proof-of-concept.

Re:is this for real

[benwb]

I've been here a long time, and that is the most brilliant sig I've ever seen.

Re:is this for real

[Col.+Klink+(retired)]

Debian already released a patch (on Oct 17). Here is the Debian Security Advisory.

Re:is this for real

Idiot, it's been on bugtraq for days now... http://online.securityfocus.com/archive/1/296819.. .

and the netbsd security advisory was a day earlier then that, even...

Re:Question

[carpe_noctem]

In all seriousness, Kerberos is basically a really cool idea for a distributed system of authorization. My college uses it (in combination with OpenAFS) for pretty much all campus-wide services. The idea is pretty straight forward: when you authenticate to the network, you don't want to have to type in your password once to get email, again to get into your home directories, again to get into protected webspaces, and so forth. One password should let you into everything. Likewise, you should be able to just change your password once, and have this change propagate to all the appropriate servers that you want to authenticate to.

That being said, here's kerberos in a nutshell. You log on to the network, and authenticate with the main kerberos server. This server grants you a "ticket", which you just pass to the machines you want access to. After so long, your tickets expire and you'll need to re-authenticate. (It would be bad if you left your desk for work, and evil joe cracker stole your ticket during the night and read your email and so forth). There's really a lot more to kerberos then that, but the basic idea is that you authenticate to one machine, then use that machine to authenticate to any other machine on the network. It's a rather nice way of doing things, but it is pretty much overkill for anything less than a network of at least 100 users.

Re:Question

[cscx]

I think it's their whole slipshot, aging, still early 90s era Athena computing system that keeps you from doing any real productive work.

Re:Question

It guards hades... oh, wait, you mean the *other* Kerberos...

Important considerations!

[the_other_one]

Is this just a warning of a potential hole.

Or has somebody actually made an exploit.

Does anybody know of a warez site from which I can get the security patch for free.

Re:Important considerations!

[oh]

Read the article.

• There exists at least one exploit "in the wild"
  
• The article links to a page with a source patch
  

a first in the security world

[carpe_noctem]

Well, Microsoft is currently working on their own implementation of Kerberos, Microsoft Kerberos. I've seen about a half-dozen root exploits for MIT kerberos, but none yet for MS kerb. I guess this is really a first for the boys in blue. ;]

Re:a first in the security world

[fw3]

MSFT doesn't provide any of the krb4 implementation so this and other krb4 problems won't be an issue.

Krb5 was recently found to have a flaw in the xdr_array function, the last kerberos bug I know of before that was the kerberized telnet daemon -- same bug that was in standard telnetd, the 'ayt' sequence I think. Again, no telnet, no flaw.

Those are the only two flaws I can think of in krb5 in the past 3 years, but yes there were more in the krb4 implementation.

Re:a first in the security world

[mrseigen]

I haven't seen anyone using it yet. Possibly the reason why it hasn't been exploited is because nobody's going to use it? ;)

Re:Question

[Waffle+Iron]

What the flaming fuck does kerberos do anyway?

Kerberos is a three-headed dog that guards the gates of hell. A flaw in Kerberos is a serious situation because if it fails, all hell could break loose.

Nawww....

[WetCat]

Stack overflow, stack overflow... Better create an architecture and/or compiler where is NO stack at all! Be much more secure then.

---
How is everybody spent todays' slashdot meetup?

Re:Nawww....

[octogen]

I'd recommend having a separate data stacks and address stacks, or some kind of hardware-supported pointer protection (for example, IBM's AS/400s have hardware pointer protection for certain kinds of pointers, therefore you can't fake these pointers by overwriting them with data)

Re:Nawww....

[WetCat]

But could you imagine a compiler that makes stack-less code for x86? For "C" language.

Re:Nawww....

[nelsonen]

It's called Burroughs/Unisys MCP Stack Architecture. :-) Been around since the mid 60s. Bounds checking down to the array level, hardware enforced, with hardware enforced data/code seperation.

http://public.support.unisys.com/aseries/docs/ha rd ware/70205547-001.pdf is the current architecture document.

patch available

[fat32]

The patch is available here.

...and when you stop laughing...

[km790816]

From our friends at MIT: Kerberos: The Network Authentication Protocol

So.... don't run kadmind4?

[Benley]

So basically, all you have to do to avoid the vulnerability is just not run kadmind4, correct? I certainly can't speak for other KDC admins, but I haven't had much of a use for krb4 compatibility for a long time now - I disabled it at LEAST a year ago. Are there still many systems and/or applications that don't support Kerberos5? In any event, yay for me, my KDCs are unaffected!

Re:So.... don't run kadmind4?

[Martin+Blank]

Kudos to you for disabling unused services, but just because something is disabled doesn't necessarily mean you don't need to patch it. Suppose it does need to be enabled, perhaps a year from now, for some temporary purpose, and this vulnerability doesn't cross your mind at the time. Or maybe you won't even be there, and your replacement finds some reason to re-enable it. Whatever the case, finding a reason to not patch it is not a good practice in my mind.

You may sleep easier tonight than some other people, and you may not be racing to log in and patch it like some other admins are, but come the morning you probably should be planning on patching it. But I'm sure that's already on your schedule. :) Of course, if it's not even installed in the first place, then I guess you don't have to worry about it in the first place.

Re:So.... don't run kadmind4?

[einhverfr]

On my network we have a process for this--

1-- all unusdes services are disabled
2-- Of course acive services are always patched.
NOTE-- we do not assume that backwards-compatible components to be necessarily patched unless active and maintained by IT.

3-- If we need a backwards compatible patch, we usually upgrade the entire package (testing first, naturally).

4: We keep a database of all vulnerabilities found about our software and how they were resolved. This enables us to query what vulnerabilities are found on inactive services and what computers could be affected.

Look-- the point is plan. There are many ways of doing things, but the point is to have a plan and be thinking about things. Security is more a way of live than a set of precautions.

nah

Buffer overflows are wholly in implementation, never in specification.

I mean, they exist only within the program that they effect. All that a buffer overflow is is that someone was writing a program, and they put in some place that they read a value from one place and put it in another-- say, they have a web server, and they recieve some data from the client requesting a web page. And let's say that when they accept this data, they're going to put it into a little memory space that can hold 2000 bytes. A buffer overflow would be what would happen if the web client sent more than 2000 bytes of data, maybe 3000 bytes, and the program stupidly attempted to fit all 3000 bytes into that 2000 byte space. What you get is a buffer overflow; quite literally, that 2000-byte buffer "overflows", spilling an extra 1000 bytes of data into memory. The problem is that those 1000 bytes of memory it overwrites could quite possibly contain very important things. So if you exploit a buffer overflow by accident, say by sending a server more information than it can handle, you'll probably get a crash. But if you know a bit about the way that the program with the buffer overflow bug works, you can do some kind of clever things-- for example, you could send 3000 bytes, but very carefully sculpt those last 1000 bytes so that the program keeps running, doesn't crash, but suddenly has a bunch of your information in its memory. Do this right (hulk smash stack! smash!), and you can
literally send a very small program into the memory of the server and trick the server into running this program.

Now, this is a programming error; you can't build a buffer overflow into a protocol. Why? Because it's just a programming error. In our example above, the programmer of the web server made the mistake of not taking steps to prevent a buffer overflow. And preventing a buffer overflow is *easy*; you just make sure that whenever you copy data from one place to another, that you never put into a single memory space more data than it can hold. Like, you're writing that web server, and you have a network socket through which the client is sending you a request? Use fgets(SOCKET, space, 2000); instead of gets(SOCKET, space); (i think that's the right syntax). fgets() is a special version of gets(), with the special condition that you can give it a number of bytes and say "if the data coming in from this filehandle is more than this number of bytes, i don't want you to give me the rest". So fgets() will just read in 2000 characters and then stop, preventing a buffer overflow. It's that simple, you just carefully pick the ways in which you copy memory. the problem is that C is hard and people are lazy and people keep doing things like using gets() and lazily coding their fscanf() statements.

Now, there is one sort-of-exception to my "you can't code a buffer overflow into a protocol" rule: AOL actually did! That is to say, at one point AOL was trying to figure out how to lock Jabber and MSN users out of using the OSCAR protocol to access AOL instant messenger. (Third party clients are supposed to use TOC instead.) So AOL looked at their program and realized, hey, we accidentally put this buffer overflow in this one place in our AIM client, and neither MSN or jabber have that overflow. So (and they may have undone this change since then, i don't know, it was a wierd month) they changed the OSCAR protocol to the point where you literally can't connect to AOL instant messenger without that buffer overflow there! Becuase the OSCAR server would buffer-overflow-attack the AIM client, and send it code where, if the overflow was successful, the AIM client would send back a specific packet. If the OSCAR server didn't get this packet, it would disconnect you. Creepy, huh? Now, this wasn't very unsafe, becuase the way that the client was set up the only way that the buffer overflow could be exploited was by data recieved from AOL's computers.. but, then, it was also pretty stupid, becuase the buffer overflow was still exploitable by someone doing a man-in-the-middle attack and impersonating AOL's servers!

But, uh, yeah, that story doesn't have anything to do with backward-compatibility. kerberos didn't have to have the buffer overflow to bebackward compatible, that just isn't the way protocols work. i am guessing the overflow cropped up in backward-compatibility code because one, backward-compatibility code is usually really, really nasty and hard to debug, and two, it's possible that the backward-compatibility code in v5 could have been largely copied out of v4, and the code with the buffer overflow copied along with it.

That answer your question any?

Yeah. You see? you see all this typing above?? this is the extents i will go to to find some distraction so that i don't actually have to do my homework. God, remind me never to go to grad school, i'd never get my thesis even started.

--super ugly ultraman

Re:nah

[Anonymous+DWord]

If you did your thesis on buffer overflows, you'd be halfway done already.

Re:nah

[AsparagusChallenge]

There is something else that I would like to know. Since a buffer overflow attack overwrites with data memory addresses filled with instructions, why not designing an operative system that isolates the executable memory from the data memory?

Make it with two levels of access; there should be memory that can be writen to by the programmer and memory that can hold executable instructions, and keep them shielded from each other at the OS level.

I'm not an OS designer; what complications would this carry? Would it protect from the current exploits?

Re:nah

[hfastedge]

and hence the motivation for high level languages that do memory managament for you. http://www.twistedmatrix.com/services/twisted-adva ntage

Re:nah

[psamuels]

There is something else that I would like to know. Since a buffer overflow attack overwrites with data memory addresses filled with instructions, why not designing an operative system that isolates the executable memory from the data memory?

This is theoretically a good idea - and in fact it has been done as a Linux patch, more than once. Google for "solar designer" linux non-executable stack. There are a couple of problems:

• Some code needs to be able to write a stream of instructions that it will then jump to. This is called a "trampoline" and can accomplish tricks which are otherwise difficult to do within the confines of a compiled language. I think GCC emits trampolines for certain C++ constructs on certain architectures, but I seem to remember there was some noise made awhile back about migrating to other methods so as to work with non-exec stacks.

  Just-in-time (JIT) compilers for languages such as LISP and Java have to be able to write executable code at runtime, though it's not really called a trampoline in that case.

• It is possible to exploit a buffer overflow without actually executing code directly. Hard to explain, but the gist is that you overwrite bits of the stack which represent the function return address, so that the function "returns" to somewhere other than where it came from - say for example into the C library's system() function. Craft the rest of your overflow properly and you can dictate the arguments to said function - say system("/bin/sh").

  I believe it has been demonstrated that any buffer overflow which can be exploited to execute code directly can also be exploited to execute code via the indirect method outlined above. At least on certain architectures. RTFG.

  So, if Linus (for example) were to incorporate Solar Designer's non-exec stack patch into the Linux kernel, the exploit writers of the world would spend a week or so re-learning how to build buffer exploits to use nonexecutable means.

This is the main reason people oppose the non-executable stack patches. If widely used, we would in the long run be no better off than before. The added complexity in the Linux kernel would buy nothing. Naturally, those who have to battle kernel complexity generally oppose it. But - note that as long as only a few people use Solar's patch, they are better off, because the exploit writers do not focus on them. (Same reason there are more viruses for Windows than for MacOS 9, which had little significant virus resistance.)

Ahem. I also feel compelled to mention (since someone else will if I don't) that in combination with other techniques, such as relinking libraries with random load addresses on each machine, the non-exec stack patch may actually be effective. I am nowhere near enough of an expert to say for sure. (Jakub Jelinek's ELF prelinker sounds rather interesting in that context....) Also, architectures (like the HP PA-RISC) whose stacks grow upward instead of downward are probably resistant to most common buffer overflow techniques, but again I don't have the skillz to say whether such techniques could be adapted.

Re:nah

[Monkelectric]

Almost all OS's do that but for another reason entirely -- if you know what memory is code and what memory is data then when you need to start clearing memory by writing it to the pagefile, you can just throw away the executable data and re-read it from the binary if its needed. This is why you can't modify/move an EXE (to borrow a windows term) while it is running.

When you make a function call, the last thing that goes on the stack (think of the stack as scratch space for a running program) should be the address to return to after that function is done ... so you overwrite *that* address to execute additional instructions you've placed on the stack.

The fix is to design the CPU so it refuses to run code in an area designated as stack space, pretty much what you've said but most CPU's differentiate between code and data only (because code has different cacheing rules then data). I'm pretty sure sun/sparcs can keep track of stack space as well if you supply some weird option in the bios. I would imagine other cpus are capable of this as well.

Re:nah

[kiolbasa]

Since a buffer overflow attack overwrites with data memory addresses filled with instructions, why not designing an operative system that isolates the executable memory from the data memory?

The x86 is what we call a Von Neumann (maybe not spelled that way) architecture machine, meaning memory is memory and you can put whatever you want there. A Harvard architecure machine separates program and data memory. There are tradeoffs and advantages to each architecture.

The operating system you suggest running on a Von Neumann machine would essentially emulate a Harvard machine on hardware not designed to do that. To avoid buffer overflows, just use a Harvard machine with an OS designed for it. But you lose the advantages of a Von Neumann machine, like self-modifying code, simpler executable formats, simpler memory management.

In simple terms, all your questions could be answered with "It's a hardware thing."

Re:nah

[davidstrauss]

The fix is to design the CPU so it refuses to run code in an area designated as stack space...

Not to say the argument isn't entirely valid, but Microsoft uses this as an argument for Pallidium and "trusted" code. Be cafeful about asking for restrictions on how code can run on a user's computer.

Re:nah

[einhverfr]

Buffer overflows are wholly in implementation, never in specification... Now, there is one sort-of-exception to my "you can't code a buffer overflow into a protocol" rule: AOL actually did!

You just gave me an idea-- Secure Client Authentication Protocol. Will file for RFC status on April 1, 2003!

Re:nah

[psamuels]

I'm pretty sure sun/sparcs can keep track of stack space as well if you supply some weird option in the bios. I would imagine other cpus are capable of this as well.

If I'm not mistaken, the SPARC doesn't even have a stack. The stack is emulated entirely in software - "push X" becomes something like "store to address [reg1+reg2], then decrement reg2 by sizeof(X)" - where reg1 and reg2 are two registers handed down from on high by the ABI spec.

Matter of fact, as I recall, the PowerPC doesn't have a stack either. (I just skimmed certain sections of my Green Book (IBM, The PPC Arch) and didn't find anything, but then again IBM have really odd conventions for their mnemonics so I could easily have missed it.) Traditional RISC instruction sets [is that redundant?] tend to have such rich register indexing semantics that emulating a stack in software is trivial.

Re:nah

[Sneftel]

Actually, I think of this as the Good Thing part of Palladium; security is more effectively built into the CPU. The problems arise when Microsoft decides that "trusted" is actually shorthand for "trusted by Microsoft".

Re:nah

[Monkelectric]

hehe your activism is poorly used here. Memory protection is a critical OS concept and has been built into every intel cpu since the 386. The only mechanism needed to keep the CPU from running code on the stack is a list of stack areas :) The same concept keeps programs from accessing other programs memory space in modern OS's (linux, NT/XP, BSD etc). The problem is it protects a program from being overwritten by other programs, not itself :D

Re:nah

[Monkelectric]

I dont know sparc asm (if thats what they call it even), so I cant comment on the presence or absense of stack instructions. However, thats really a non-issue because no matter how the stack is implemented the stack still exists :) Heres directions how to enable stack-protection on solaris 2.6 :D http://ist.uwaterloo.ca/security/howto/1999-06-22. html

Re:nah

[psamuels]

I cant comment on the presence or absense of stack instructions. However, thats really a non-issue because no matter how the stack is implemented the stack still exists :)

Ah, ok - and thanks for the link. I was responding to your thought that it was a BIOS setting, which turns out not to be the case. If it were indeed a BIOS setting, it would have to depend on any SPARC OS reading this setting and making the change explicitly. Not likely, since it's easier to configure the OS in other ways (in this case, a variable in /etc/system if you run Solaris, or sorry-out-of-luck if you run Linux).

Re:nah

The operating system you suggest running on a Von Neumann machine would essentially emulate a Harvard machine on hardware not designed to do that.

You can do this very easily with the x86 segmentation mechanism: Have a 2GB code segment that is executeable but not read/writeable and a 2GB data segment that is read/writeable but not executeable.

Re:nah

[Monkelectric]

The openbios on sparcs is pretty tightly integrated with the OS I thought it was in there:)

Re:nah

It's worth noting that while JIT compilers need to be able to write code at runtime, languages like Lisp and Java are usually immune to buffer overflows, since they use BOUNDS CHECKING, DAMMIT.

For 20+ years, buffer overflows have been the staple of security bugs. Why, Why, WHY do programmers STILL make the SAME DAMN MISTAKES. (well, I know why: C is "portable assembler" - far too low-level for most of the tasks its used for...)

Re:nah

[master_p]

Why is this relative on 80x86 ? as far as I know, each ring has its own version of the SP register, and the stack data are implicitely stored in the segment defined by the SS selector.

I don't know how the Linux kernel works, but this is a problem only if CS = SS. If such is the case, then a patch that makes SS a different memory space would be sufficient to catch any stack problems.

The same goes for the data segment (DS). Since the data received from the network are stored in a buffer, this buffer is located within the segment described by DS. If DS != CS, then there would be no problem.

Yet another trick with 80x86 is to make data and stack segments non-executable. This would solve any problem of malicious code residing in the data buffers.

Now that I think of it, one of the problems is usage of 80x86 in totally flat mode, that is CS = DS = SS = ES = FS = GS. If there was proper segmentation, there would be no such problem like attacks from buffer overflows, because it would be impossible at the CPU level to execute code within data.

Re:nah

[psamuels]

as far as I know, each ring has its own version of the SP register, and the stack data are implicitely stored in the segment defined by the SS selector.

OK, but we're talking ring 3 only - these overflows are happening in pure user code.

I don't know how the Linux kernel works, but this is a problem only if CS = SS. If such is the case, then a patch that makes SS a different memory space would be sufficient to catch any stack problems.

Linux basically refuses to do segments - so segment registers are all equal (oh, except there's one - is it GS? - used for thread-local storage, but only since about 2-3 months ago). One big headache with separate segments for text, data and stack is C pointers, specifically void*. void*, you see, has to be a superset of all other pointers - code pointers or data pointers. So if you can't count on CS==DS, a void* must include the segment register, making it larger than 32 bits. Certain other pointers may need to include segment information, too - in fact, if SS != DS, or if either SS or DS were expected to be changed within the program, then just about all pointers would have to.

MS-DOS did this, although of course that was 16/20-bit real-mode 8086, not protected-mode 386. You could compile with about five different "memory models", which made different assumptions about segment layout. There were keywords FAR and NEAR to override the default for your memory model when declaring functions and globals, and woe to him who used them inconsistently. And if you used a precompiled library, its header files had better have the correct NEAR and FAR sprinkled throughout, in case it was compiled with a different memory model than what you are using.

...So are you seriously suggesting Linux adopt that sorry mess? No thanks. (: One segment to rule them all is just fine with me.

If there was proper segmentation, there would be no such problem like attacks from buffer overflows, because it would be impossible at the CPU level to execute code within data.

Totally flat mode was the best thing to happen to x86 processors since the built-in math coprocessor. (Oh, wait, protected mode came first, wasn't it? Oh well.) Segments are just too evil to program for.

If you really want to make C safe from buffer overflows, it is actually quite simple, conceptually: add runtime memory region checking. I used to think this impossible in C, but it's actually not that hard. All you have to do is turn every pointer into a (pointer,start,end) or (start,offset,maxoffset) tuple, and pass them around that way. Things like malloc() would be the only functions that dig in and change the (start,end) bits. Every time a pointer was passed to or from a function call, the boilerplate that builds the stack frame would perform bounds checking, as would all pointer arithmetic.

There's at least one gcc patch out there that does this, or something like it. A few problems with this approach: (a) that you are defining a new ABI, so you can't use any library code without recompiling it; (b) by making pointers longer than 32 bits, you lose a lot of space and speed efficiency; and (c) with 64- or 96-bit pointers, many programs will break because they assume a pointer will fit in, say, a 'long int'.

Re:nah

The beauty of something like C is that you can use it to build a better environment that actually checks. So you have snprintf, strlcat, and so on.

The trick is identifying the old evil functions and then castrating anyone who even THINKS about using them. Having the compiler warn about stuff like gets() and mktemp() is a good start, but it needs to be taken to the next level. Complaining about plain sprintf, strcat, and strcpy would help a lot.

Obviously you can still get into trouble if you screw around and do stupid things with dynamically allocated memory, but the string-related overflows should be a thing of the past.

Re:nah

[Permission+Denied]

The fix is to design the CPU so it refuses to run code in an area designated as stack space

Modern CPUs do this. You can specify whether certain pages are executable or not, so you just set a couple of different bits in page table entries for pages allocated for stack to make the stack non-executable. The kernel will always know what pages are allocated for a program's stack because the kernel allocates the initial stack and sets the stack pointer, and the way a program's stack grows is by accessing an address lower than what is available, which generates a page fault, which in turn lets the kernel know that the program needs more stack space. Somewhere in the kernel there's some heuristic for determining whether or not a page fault is due to the stack growing. (eg, what happens if you just access memory right in between the stack and top of heap? Try it on your favorite Unix, then try incrementing that address until it no longer segfaults.)

The short of it is that modern CPUs do not require any additional hardware support to make the stack non-executable.

I'm pretty sure sun/sparcs can keep track of stack space as well if you supply some weird option in the bios

Sparcs don't have a BIOS. It's called Open Firmware, and it's completely different from a PC BIOS (for one thing, Open Firmware implements a real programming language in ROM).

Re:nah

[master_p]

There is another trick to do with no run-time checks from the software: the eXecutable page bit in the page descriptor(I don't remember - is there such a bit ? I think that it is).

Data should reside in non-executable pages only. Code should reside in executable pages.

Data pages should be marked from code pages by a dead (non-existent) page before and after the data region.

By this way, if the programmer writes data in an executable page, the CPU will issue a general protection fault.

By the way, segmentation is not bad. There is no problem in the C language: if the void pointer (void*) is used to access data, then the 80x86 CPU will implicitely use the DS segment register. If the void pointer is used to access a function, then it will implicitely use the CS register. There is no need to store the segment along with the address. For example: /* integer */
int i; /* function */
void foo()
{
} /* pointer */
void *p; /* main */
main()
{
p =
p =
}

the 'p = &i' code will create the following assembly:

MOV EAX, _i
MOV dword ptr [_p], EAX

the 'p = foo' code will create the following assembly:

MOV EAX, _foo
MOV dword ptr [_p], EAX

using p as integer (lets say p++):
MOV EAX, dword ptr [_p]
INC EAX, 1
MOV dword ptr [_p], EAX ;will implicitely use DS

using p as a function
MOV EAX, dword ptr [_p]
CALL EAX ;will implicitely use CS

Ok, it may not be entirely accurate, but you get the point.

As you see, there is no problem with segments, as long as you have 1 code segment, 1 data segment and 1 stack segment which are static.

The real mode C problem was because the data/code segment was variant (it changed every 16 bytes).

Re:nah

[psamuels]

There is another trick to do with no run-time checks from the software: the eXecutable page bit in the page descriptor(I don't remember - is there such a bit ? I think that it is).

Yes indeed, see this post for a (one-sided) discourse on this approach.

As you see, there is no problem with segments, as long as you have 1 code segment, 1 data segment and 1 stack segment which are static.

OK, but...

static int foo_global; /* in DS */
static int *foo (int *bar)
{
foo_global += *bar;
return &foo_global;
}

int main (void)
{
int x = 3; /* in SS */
int *y = foo(&x);
}

How does your compiler tell the "foo" function whether the passed-in pointer "bar" is in DS or SS? In the above example, it is in SS. Same with the assignment of "y" in main() - is that DS or SS? In this case, DS.

The obvious answer is: don't have separate data and stack segments. But then how would you make the stack segment non-executable? You can't just make the DS non-executable - there's code out there that relies on being able to compile code and run it straight from DS. (JIT compilers for LISP etc. being the obvious example.) Come to think of it, JIT compilers would break if CS != DS as well - malloced space for a new JIT function would be in DS, but later the program would try to execute it. Sure, JIT-compilers are not 100% portable C - by their very nature they are non-portable - but you can't just shut them out.

Re:nah

[master_p]

Since the stack contains data, it makes perfect sense for DS == SS. But it does not make any sense for CS == DS. Furthermore, SS can be a subset of DS, for example the lower part of it, so addresses can be common.

As for dynamically generated code, there are some solutions:

1) create the code in DS, then issue a system call to copy it in CS; since a JIT compiler would do this once, it makes perfect sense

2) use a special flag in the executable's header to make CS == DS; in this case, only the app that needs dynamic compiling would have CS == DS, at least minimizing the risk of buffer overflows for all the other tasks

It's a shame to have CS == DS for all types of apps. Only those needing so should be coded in such a way, and that's a very small percentage.

Re:nah

risc grows up...hrm i can overwrite my current stack frame instead of my previous, woo.

Oh No...

[Devil's+BSD]

Imagine being a sysadmin at MIT, having to replace/patch versions of Kerberos on every single computer... Ouch! Send that Mountain Dew in!
(Yes, I'm aware that they probably have lots of undergrads helping. Still, the concept is quite large.)

Re:Oh No...

[CommanderTaco]

umm... this flaw affects the server, not the client, so they would only have to patch the few server machines...
but even if there was a security patch that needed to be applied to all public workstations, there is an automatic update deployment procedure... so no, sysadmins wouldn't ever have to go from computer to computer, replacing software...

Re:Oh No...

[laptop006]

And I'd doubt that many places (including MIT) would run the kerberos 4 support. krb4 is so broken it's not funny.

Re:M$FT too?

[dknj]

actually this is the first question that popped into my head. definitely not flamebait. hopefully microsoft butchered it enough that they're not affected?

-dk

Re:Question

God I'm glad I read at -1.

actually, this is old news (of sorts)

[fat32]

Actually, this security advisory (from the list) states that "Serious buffer overruns exist in krb4 compatibility code." It's not dated, but from reading it, it must be from at least six patches ago.

In other words, this latest advisory is the *first* specific bug of this type found since the problem was first discovered (and numerous other bugs of this type have presumably been fixed by now).

I think it's safe to assume that it won't be the last, so if you really want to be secure, take the original advisory to heart and avoid krb4 compatibility code.

If only...

[Chester+K]

If only we were all using Windows this could have been avoided. :(

Re:If only...

[HiThere]

So it was version 5 of Kerberos that MS ripped off?

(Yah, I know it was legal. So was bastardizing the protocol. But it was still quite impolite.)

Kerberos does not use Diffie-Hellman

[dido]

Just a slight nitpick, but AFAIK, Kerberos never used any public key cryptography at all, Diffie-Hellman or otherwise. They use the Needham-Schroeder key exchange protocol which only requires symmetric key cryptography.

Re:Kerberos does not use Diffie-Hellman

[Xenographic]

You're right, Kerberos is based on Needham-Schroeder key exchange (see http://www.upenn.edu/computing/pennkey/docs/kerbpr es/siframes.htm), but you might want to double-check that nitpick...

Diffie-Hellman Key Exchange for Kerberos V5

Abstract

The Kerberos protocol [RFC1510] currently establishes session keys by the assertion of one party (usually the KDC). This document describes a method for using the Diffie-Hellman algorithm to establish the shared secret between a Kerberos client and application service. For the purposes of this document, the Ticket Granting Service is considered an application service.

[excerpted from --
http://www.ietf.org/proceedings/99mar/I-D/draf t-ie tf-cat-kerb-dh-key-exchange-00.txt ]

Re:Kerberos does not use Diffie-Hellman

[Xenographic]

BTW, I'm well aware that it's only a draft.

Security is Pointless

[Gregg+Alan]

It doesn't matter what you do...some part of your security solution is going be broken by some hackers at some point. Get used to it, deal with it.

Me, I spend the money my boss gives me for security on beer and better video cards for my office mates that like unreal tournament.

Oh, I should also mention that in addition to not providing any type of network secuity you must also not supply any type of network monitoring. Can you imagine...you're two frags from godlike and some system monitor (that you don't understand anyway) starts paging your beeper like a crazy x-girlfriend.

You might just lose concentration.

Why this is big....

[fortinbras47]

Kerberos is the security core of some very large systems.... For example at the University I attend, logins on all accounts on the campus wide computing infastructure are done through kerberos. AFS file system tickets are done with kerberos. Authentication for logging into class registration is done through kerberos. And the list goes on. If someone managed to root one of the main kdc servers and compromise a bunch of accounts, the person could create mischeif on a rather large scale.

I wonder how much you could do before you got noticed, but even if you managed to copy over the encrypted password files, I'm sure you could find some that fell to cracking software.

The ramifications of a flaw in a kerberos implementation is a great deal more important than a flaw in outlook. (The importance of this though means this flaw is probably going to be patched faster than a speeding bullet!)

Re:Why this is big....

[psamuels]

I wonder how much you could do before you got noticed, but even if you managed to copy over the encrypted password files, I'm sure you could find some that fell to cracking software.

Just copy the Kerberos secrets database and you can grant yourself tickets to impersonate anyone you want. I am not a Kerberos admin, but I believe in general changing said secret is far from trivial, because every single service provider on the network must be updated.

(This is by design - the whole K architecture is designed around an ultimately trusted KDC which is known to the services via some sort of shared secret.)

Re:Why this is big....

[Ducky]

True, AFS uses kerb4 based authentication, however it doesn't use kadmind, which has the buffer overflow.

If all you are running is AFS, and not MIT kerb to boot, this doesn't apply.

-Ducky

Come on, better title please.

[antis0c]

Critical Kerberos Flaw Revealed

That would lead me to believe that a critical flaw in Kerberos itself was discovered, as in a flaw in the design. Critical Kerberos Exploit Revealed might have been more suitable, but at first I thought Kerberos was essentially broken.

Whew.

kadmin4 has a history of buffer & security bug

[dananderson]

kadmin4 has a history of buffer overflow and security bugs.

Unless you need backward compatibility with Kerberos v4 (most people should use v5 nowadays), disable it.

Lose kadmin4 and disable starting krb524d in /etc/init.d/

Then turn off security articles :P

[fortinbras47]

Bugs in critical authetication and login systems, (eg. Kerberos, ssh, etc...) fall into a category critical enough to warrant a ./ story.

If we're going to have articles on what dangerous server rooms look like, we can have an article on how if you don't patch that KDC server fast, tens of thousands of user accounts might be compromised. Kerberos is at the HEART of many large multi-user distributed systems. (Universities, hospitals...) A critical flaw possibly compromising hundreds of thousands of accounts worldwide is a big story.

Re:is this for real [OT]

[CommanderTaco]

well, it's a bit redundant...
today is the (car (cdr life)) would be better, or maybe
(define today (car (cdr life)))

Re:Question

standard disclaimer: the following may not be exactly what goes on, as it's only as I remember it. I don't work with it, but I use it.

One really nice part of Kerberos is that your password never used. When you authenticate, the authentication server encrypts your ticket with your password as the key. So, your password NEVER passes over the network. If you put in the right password, then it's decrypted just fine, and you have your ID with you.

The other unique part of Kerberos is that the servers must also prove their identity. When you ask the mail server for your mail, it asks the auth. server if you are who you say you are, and the auth. server will verify that you're a user on the system. Only a mail server with it's own ticket to the kerberos auth server can do this. Therefore, the mail server doesn't have to touch your password, and you can be certain that the mail server is safe to use.

The idea is that all transmission of your personal data is minimized, and restricted to trusted sources only.

fix

I've been here a long time, and that is the most brilliant sig I've ever seen. Hardly. It's syntactically meaningless. It should be "Today is the (car (the rest of your life))" or, if you life is subdivided betweeen the past and the future, then "Today is the (car (cdr (your life)))." Learn some lisp fool. Both of you.

Where the fix?

[roly]

I use kerberoes and I have these packages installed:

krb5-libs-1.1.1-29
krb5-configs-1.1.1-29
krb5-devel-1.1.1-29

Where can I get a security fix?

C programming

[g4dget]

"We're smart, we're careful, we can write code in C that doesn't have buffer overflows." Yeah, right. If MIT hackers can't do it, if Microsoft can't do it, who can?

Re:C programming

D. J. Bernstein(qmail) can write code in C that doesn't have buffer overflows. ( http://cr.yp.to/djb.html )

Anyone else?

The rest of us should realy use languages like Ada 95, Python, Java, etc...

C was good in the 80th....

Re:C programming

quote> "We're smart, we're careful, we can write code in C that doesn't have buffer overflows." Yeah, right. If MIT hackers can't do it, if Microsoft can't do it, who can? end quote.

What the fuck is this shit? No one claims to be perfect at programming. This troll has been modded up to three and that's nonsense. If you think it really does have some insight, consider this: Most open source programmers aren't getting paid for their programming and do it secondary to a job, schooling, etc, and in spite of that most do a damn fine job. They are hereos in their own right, and all you can do is compare them with programmers working for gates billion dollar empire -- likely, programmers with lots of past experience proclaimed on their resume and whose programming projects for microsoft are an 8 to 5 activity -- apples and oranges, and really flawed logic.

Re:C programming

[quantum+bit]

What would you rather use, Java? No buffer overflows, maybe, but it's by no means immune to logic flaws -- and those are a lot harder to track down and fix.

The point is that if a programmer wants to be sloppy and stupid, s/he'll find a way to be sloppy and stupid, no matter what strange constraints the language imposes.

Re:C programming

[HiThere]

Languages without buffer overflows:
Ada*, Python, Ruby, Pascal, Clean (well, that's windows only), Eiffel, OCaML, APL, PL/1**.

Some of these languages are relatively slow. Ada is as fast as C, and as powerful as C++, but a pain to learn. Eiffel differs greatly between implementations, and is *extremely* dependant on how you specify compile time options. If you have all possible checks on, then it is slow. If you turn them off, then it is fast. And you can fine-tune it so that some routines have check on and others don't. Python and Ruby are "reasonably fast", but certainly not speedy. I don't know Clean or OCaML, but for some things OCaML is quite fast. APL is... well, it's APL. The original write-only language. I never learned it well, so I can't speak to it's advantages and disadvantages, but at one point CDC was considering choosing it as the language that it's STAR computer would be designed for. I think that meant that a macro processor would be able to translate it into the binary, but I'm not sure. So it must have some capabilities as a systems language.

* In Ada you can have buffer overflows, but it takes extra work. No automatic garbage collection however.
** In PL/1 it depends on the kind of variables allocated. Your programming style determines whether or not buffer overflows are prohibited. But this doesn't mean the kind of constant attention that C requires, as you can control it at variable declaration time.

Re:C programming

[quantum+bit]

What about PHP? As far as I can tell all strings are dynamically allocated and bounds checking is done on arrays and such (plus is has associateive arrays much like Perl which are very nice).

What would be nice is a good standardized library for C with variable-sized strings since that's where most overflows happen.

Re:C programming

[dmelomed]

Because DJB is smart enough not to rely on idiotic libraries like stdio and str*. He uses his own replacements for these. His stralloc library automatically allocates memory for strings - no buffer overflows possible.

Re:C programming

[dmelomed]

DJB's stralloc library, and a bunch of others already exist and very nice. Yet people are not aware of them, or don't care/wish to conform rather than avoid overflows.

Re:C programming

[Just+Some+Guy]

What would be nice is a good standardized library for C with variable-sized strings since that's where most overflows happen.

C++ has it; it's called, strangely enough, <string>.

Re:C programming

Too bad the the stralloc library is not used in all C-programs.

Anyway, its smarter when all of the securiy relevant stuff is part of the language!

Re:C programming

[quantum+bit]

DJB's stralloc library, and a bunch of others already exist and very nice. Yet people are not aware of them, or don't care/wish to conform rather than avoid overflows.

They exist, but are not standardized. Until something like this becomes part of ANSI C I doubt many people will use it or even be aware of its existence.

OTOH, DJB's stuff is notorious for having licesing problems. That in itself may cause poeple to be wary of this particular implementation.

Somewhat offtopic, that's a pretty sweet library. Somebody did a GPL re-implementation (why oh why couldn't they have made it LGPL?)

Re:Question

[psamuels]

why does kerberos just seem kinda worthless?

(You shouldn't have been modded down, btw.)

Because it is too hard to set up and roll out. It is great for large implementations, but for small stuff - secure access by a few people between a few servers - ssh and ssh tunneling are a heckuva lot easier and have basically eaten its lunch.

Dude

If you did your thesis on buffer overflows, you'd be halfway done already.

Dude.

If a halfassed potential everything2 writeup was all you needed for it to qualify as a thesis, i'd have graduated grad school already.

--super ugly ultraman

This proves that opensource just does not work

There has been a bug in it for 15 years now and they just found it?

How many "eyes" have looked over the code in those 15 years and haven't seen it?

I'm not trying to get into an open source vs closed source fight here. It's just that the open source guys always say that their code is more secure because they have more eyes looking at it. If that was true shouldn't this flaw of been uncovered earlier?

Re:This proves that opensource just does not work

Don't contradict ESR!

Re:This proves that opensource just does not work

Thou shalt not criticize open sores/cheap software.

There goes the DMCA

[myowntrueself]

I hope the author hasn't planned a holiday in the land of the free!

Some in america is *bound* to be using this to protect copyright material.

Re:A distinction... a bug not a flaw

Indeed, I thought exactly the same.

To make things less ambiguous it would be better if such problems were referred to as a bug (an implementation problem) rather than a flaw (an inherent problem)

Re:M$FT too?

[vandy1]

No. M$FT only has a butchered Kerberos V implementation; there is NO Kerberos IV support.

Note that this only affects you if you have enabled Kerberos IV backward compatibility support.

Michael

Re:Question

[gl4ss]

oh F***, that's what happened in doom, right?? a flaw in kerberos now, and doom III on the way.. me thinks they're wanting authentic art over at ID.

wrong: Re:it is only MIT Specific �

[fw3]

I guess when you weren't looking (a day before the MIT patch was issued) OpenBSD posted this patch to kadmind.

Obsd uses Heimdal, and seemingly the krb4 compatiblity is built into the kadmind daemon. Only MIT-based sites running the kadmind4 daemon are affected, while seemingly all heimdal KDC's running kadmind were. In any case the code flaw in both cases has a similar patch / fix.

How do they find these?

[Fyndlorn]

I'm curious to know how these buffer overflow exploits are typically found? Does somebody go through the source (if ineed it is avaiable) and look for potential buffers to overflow? Or is it more like they go through the whole inerface to the thing and check everywhere where they can give some input and see if thy can cause an overflow that way?

Re:M$FT too?

Some people are such sheep. $10 says he's writing that from a browser running on a Microsoft OS.

Need to make this impossible.

Wish we could have the compiler make all these sorts of buffer overflows impossible & irrelevant. I've used the StackGuard compiler and like it. I really like the idea of hardening a service against an entire class of attacks even before vulnerabilities are found. Unfortunately, it doesn't cover all the bases. But IMHO this sort of functionality should be incorporated into the GCC core as a compile-time option.

It's preposterous that we should be constantly victimized by stack-smashing attacks over and over and over to the end of time. Best cure would be languages and/or systems where this is not possible. The damn stack grows the wrong way! Why the @#&! can the data stack be executed anyway!?! The friggin' architecture needs to be overhauled. Not holding my breath, though.

Same old problems

A buffer stack overflow allows an attacker to use a specially formed request to gain access...

*ENERGIZER BUNNY*

ON and ON and ON and ON.......

Re:haha

Good thing Telnet encripts passwords too!

Re:M$FT too?

[jazzbotley]

Baa! You got me pegged. Running the Win2K desktop, sporting IE6, trying (lamely) to administer Active Directory ... thus the "flamebait" question at the parent. M$FT on the desktop (for me), BSD in the server room (where I have a say-so), W2K server everywheres else.

--
It's a great, big stupid world! -- Randy Stonehill, some song, some time in the late 1980s

Good idea -- needs a better acronym though...

[YU+Nicks+NE+Way]

How about Secure Client Authentication and Manipulation Protocol (The SCAM protocol)?

Re:Question

Never say Never.

When you change your password, your password is sent across the network (encrypted).

In the normal login procedure, you password IS THE KEY to decrypt the ticket granting ticket (which contains a randomly generated session key).

Yes. It's what everybody uses

[billstewart]

Not everybody uses Kerberos, but this is one of the most important implementations, and makes it possible for a cracker to give himself permissions on all your machines. Basically, you'd better move your zig and fix this. It's especially likely to be used at universities, which turn into big zombie farms if kerberos gets cracked.

By the way, this interacts with the Quantum Computing discussion threads, because if it's possible to factor big numbers, public-key crypto no longer works, so the fallback for authentication is to use symmetric-key systems like kerberos.

Where do you get off?

[Tokerat]

Listen, I know as of late /. has become a very politcal-oriented site, tech news abut new laws, etc.

This type of story has it's roots here long before the DMCA was a twinkle in Congress' eye. THis is an important story, about an important flaw in VERY important security software. If this type of story isn't fit for Slashdot, then Slashdot is no longer a tech. news site.

"News for Nerds, Stuff That Matters."
This fscking matter. A lot. As user # 318124, though, maybe you havent' been around long enough to realize that.

-1 Redundant. I have the karma to burn.

Do you have kadmind4, though?

[Creepy]

Do you have kadmind4 installed, though?

I have access to several boxes, all with Kerberos 5 on them, but none of them have kadmind4 (not in any bin directories or in inetd, at least).

If you do have kadmind4, go to CIAC.

Specifically, go here

Re:haha

[GombuMstr]

Just this last year. I know at least FreeBSD had this problem. I'm sure there was others.