Multiple Vendor Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability





General Info


TC: 12064
Description: A buffer overflow condition exists in the OpenSSH server. The condition is exploitable by attackers with valid user credentials in versions 2.9.9 and higher. Exploitation does not require valid user credentials in versions prior to 2.9.9.

The vulnerability is related to the handling of Kerberos 4 TGT/AFS tokens passed by the client. An unbounded string copy operation may result in a stack overflow if the TGT/token data is malformed.
TC Impact: Gather Info
Service: ssh



Specific Operations and Actions:


Vulnerability Publication: April 19, 2002
Advisory Copyright: Marcell Fodor
Summary: A remote attacker can compromise your authentication server and thus deny service to your legitimate users.
Risk: High
CVSS 2.0 metrics:
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSS 2.0 Base Score: 9.3
Vulnerability Impact: Attack, Gain Root
Host Impact: Buffer overflow allowing attacker to gain root access on affected machines.
Nature of Remediation: Update the software.
Step required to fix the reported vulnerability:

***** Solution type: Upgrade Software *****

Upgrade to the latest available OpenSSH release. See the references below for details.



Glossary and References :


References:
* MISC: SANS Top 20 Secure Shell (SSH)
http://www.sans.org/top20/2003/#u8
* BUGTRAQ: 20020426 Revised OpenSSH Security Advisory (adv.token)
http://online.securityfocus.com/archive/1/269701
* BUGTRAQ: 20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
http://online.securityfocus.com/archive/1/268718
* VULN-DEV: 20020419 OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
http://marc.theaimsgroup.com/?l=vuln-dev&m=101924296115863&w=2
* BUGTRAQ: 20020517 OpenSSH 3.2.2 released (fwd)
http://marc.theaimsgroup.com/?l=bugtraq&m=102167972421837&w=2
* BUGTRAQ: 20020429 TSLSA-2002-0047 - openssh
http://archives.neohapsis.com/archives/bugtraq/2002-04/0394.html
* BUGTRAQ: 20020420 OpenSSH Security Advisory (adv.token)
http://archives.neohapsis.com/archives/bugtraq/2002-04/0298.html
* CALDERA: CSSA-2002-022.2
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-022.2.txt
* BID: 4560
http://www.securityfocus.com/bid/4560
* XF: openssh-sshd-kerberos-bo(8896)
http://www.iss.net/security_center/static/8896.php
* OSVDB: 781
http://www.osvdb.org/781

CVE Link: CVE-2002-0575

Glossary: Arbitrary Command Execution, Buffer Overflow, Kerberos, Privilege Escalation


© 2003-2011 NexantiS Corporation (www.securescout.com)