Bugtraq mailing list archives

Clarification/further info on Kerberos issues


From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Thu, 18 May 2000 19:40:27 +0100


Hi,

I read with interest the recent post on Kerberos security issues.

I was mildly disappointed not to be credited; I started discovering Kerberos
issues a month ago. In fact the first problem I demonstrated was the
kd_mq_req() problem. Original demonstration details pasted at end of mail.

The main point of this mail, though, is to advise people to be wary of
assuming that MIT-Kerberos is now "safe". The team need to perform a
thorough audit of all the code. The type and extent of issues they face are
illustrated by the following mail I sent a couple of weeks ago. I found
these issues by tracing through the code path available to malicious users
via "v4rcp", a suid-root application.

Something that needs noting - a full install of RedHat6.2 includes a
suid-root "v4rcp" (even if the user has not enabled the Kerberised
services, which are luckily not enabled in the default setup). I
demonstrate the exploitability of this, via "v4rcp", below in one of my
original mails.

One final point before I start quoting mails - most issues (maybe
all) were fixed in KTH Kerberos code-base, which I browsed via the Web
from www.openbsd.org.

Cheers
Chris

Quote1: Illustration of extent of problems present
===========================================================
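Added here as a practitioner's check, not part of Chris Evans' mail or of any Kerberos distribution: a POSIX shell script that lists setuid binaries under a directory tree and reports whether a setuid "v4rcp" is among them, which is the condition the mail describes for a full RedHat 6.2 install. The candidate directories /usr/kerberos/bin and /usr/bin are assumptions for illustration, not locations stated in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail: find setuid binaries under a
# directory tree and report whether a setuid "v4rcp" is among them.
# Assumes a POSIX find/grep; the candidate directories below are assumptions.

# Print every regular file with the setuid bit set under $1, one per line.
# Does not cross filesystem boundaries; permission errors are ignored.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Return 0 (true) if a setuid file named v4rcp exists under $1, 1 otherwise.
has_setuid_v4rcp() {
    list_setuid "$1" | grep -q '/v4rcp$'
}

# Usage on a host like the one described: check the likely install locations
# and, if the Kerberised services are not in use, drop the setuid bit.
for dir in /usr/kerberos/bin /usr/bin; do
    [ -d "$dir" ] || continue
    if has_setuid_v4rcp "$dir"; then
        echo "setuid v4rcp found under $dir"
        # chmod u-s "$dir/v4rcp"   # remove the setuid bit if v4rcp is not needed
    else
        echo "no setuid v4rcp under $dir"
    fi
done
```

The `find` deliberately matches any owner so the script also works for non-root users auditing their own trees; add `-user root` to `list_setuid` to restrict the report to the setuid-root case the mail is concerned with.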
