Vulnerability Development mailing list archives
Re: krb5 1.1.1
From: horio () ACM ORG (horio shoichi)
Date: Fri, 2 Jun 2000 20:08:37 +0900
Mariusz Woloszyn wrote:
I was trying to play with kerberos bugs, but the binary I downloaded from redhat.com does not want to segfault. The BT posts were saying that default RH 6.2 without kerberos stuff contains v4rcp that is suid root and segfaults when tested by sample exploit. Does anyone have vulnerable sources and/or binaries?
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland
Are you interested in the following quirks?

=1=alien:/opt0/horio/HOT> uname -a
OpenBSD alien 2.6 GENERIC#696 i386
=2=alien:/opt0/horio/HOT> rlogin -x alien
krcmd_mutual: Time is out of bounds (krb_rd_req)
rlogin: warning, using standard rlogin: can't provide Kerberos auth data.
rlogin: the -x flag requires Kerberos authentication.
=3=alien:/opt0/horio/HOT> rlogin alien
=1=alien:/opt0/horio/HOT> exit
rlogin: connection closed.
=4=alien:/opt0/horio/HOT> klist
Ticket file: /tmp/tkt.horio
Principal: horio () NEAR THIS

Issued           Expires          Principal
Jun  2 00:48:53  Jan 19 12:14:07  krbtgt.NEAR.THIS () NEAR THIS
Jun  2 00:58:53  Jan 19 12:14:07  rcmd.byte () NEAR THIS
Jun  2 00:59:52  Jan 19 12:14:07  rcmd.alien () NEAR THIS
Jun  2 01:11:54  Jan 19 12:14:07  rcmd.type () NEAR THIS
Jun  2 02:07:08  Jan 19 12:14:07  krbtgt.POINTER-SOFTWARE.COM () NEAR THIS
Jun  2 02:07:08  Jan 19 12:14:07  rcmd.hakobera () POINTER-SOFTWARE COM
=5=alien:/opt0/horio/HOT> telnet -x alien
Encryption is verbose
Trying 10.0.3.2...
Connected to alien.near.this.
Escape character is '^]'.
[ Trying mutual KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
[ Output is now encrypted with type DES_CFB64 ]
[ Input is now decrypted with type DES_CFB64 ]
=1=alien:/opt0/horio/HOT>
From above snapshot:
 o clock is far away from its own clock, and
 o cannot see exactly when tickets expire.

BTW, the nearest KDC is KTH-krb4-1.0.1 (genuine) on FreeBSD 3.2.

horio shoichi