Vulnerability Development mailing list archives

Re: krb5 1.1.1


From: horio () ACM ORG (horio shoichi)
Date: Fri, 2 Jun 2000 20:08:37 +0900


Mariusz Woloszyn wrote:

I was trying to play with kerberos bugs, but the binary I downloaded from
redhat.com does not want to segfault. The BT posts were saying that
default RH 6.2 without kerberos stuff contains v4rcp that is suid root and
segfaults when tested by sample exploit.
Does anyone have vulnerable sources and/or binaries?

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland

Are you interested in the following quirks?

=1=alien:/opt0/horio/HOT> uname -a
OpenBSD alien 2.6 GENERIC#696 i386
=2=alien:/opt0/horio/HOT> rlogin -x alien
krcmd_mutual: Time is out of bounds (krb_rd_req)
rlogin: warning, using standard rlogin: can't provide Kerberos auth data.
rlogin: the -x flag requires Kerberos authentication.
=3=alien:/opt0/horio/HOT> rlogin alien
=1=alien:/opt0/horio/HOT> exitrlogin: connection closed.
=4=alien:/opt0/horio/HOT> klist
Ticket file:    /tmp/tkt.horio
Principal:      horio () NEAR THIS

  Issued           Expires          Principal
Jun  2 00:48:53  Jan 19 12:14:07  krbtgt.NEAR.THIS () NEAR THIS
Jun  2 00:58:53  Jan 19 12:14:07  rcmd.byte () NEAR THIS
Jun  2 00:59:52  Jan 19 12:14:07  rcmd.alien () NEAR THIS
Jun  2 01:11:54  Jan 19 12:14:07  rcmd.type () NEAR THIS
Jun  2 02:07:08  Jan 19 12:14:07  krbtgt.POINTER-SOFTWARE.COM () NEAR THIS
Jun  2 02:07:08  Jan 19 12:14:07  rcmd.hakobera () POINTER-SOFTWARE COM
=5=alien:/opt0/horio/HOT> telnet -x alien
Encryption is verbose
Trying 10.0.3.2...
Connected to alien.near.this.
Escape character is '^]'.
[ Trying mutual KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
[ Output is now encrypted with type DES_CFB64 ]
[ Input is now decrypted with type DES_CFB64 ]
=1=alien:/opt0/horio/HOT>

From above snapshot:

o the clock is far away from its own clock, and
o one cannot see exactly when tickets expire.

BTW, the nearest KDC is KTH-krb4-1.0.1 (genuine) on FreeBSD 3.2.

horio shoichi

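An added example (my own Python, not code from the post or from any Kerberos implementation) that audits klist output for the two quirks above: it applies the 5-minute CLOCK_SKEW test that krb_rd_req uses before it reports "Time is out of bounds", and it flags an Expires column that is merely the 32-bit time_t maximum rendered in local time, which is my reading of "Jan 19 12:14:07" on a UTC+9 host. The sample is constructed from the post's klist lines, with "@" in place of the archive's " () ".

```python
import re
from datetime import datetime, timedelta, timezone

# krb_rd_req() rejects an authenticator whose timestamp differs from the
# server clock by more than CLOCK_SKEW (5 minutes in krb.h); that check
# is what prints "Time is out of bounds (krb_rd_req)" in the post.
CLOCK_SKEW = 5 * 60
# Largest signed 32-bit time_t, 2038-01-19 03:14:07 UTC. On a UTC+9 host
# klist renders it as "Jan 19 12:14:07", the post's Expires column.
TIME_T_MAX = 2 ** 31 - 1
JST = timezone(timedelta(hours=9))

# Constructed from the klist lines in the post; klist prints no year.
KLIST_SAMPLE = """\
  Issued           Expires          Principal
Jun  2 00:48:53  Jan 19 12:14:07  krbtgt.NEAR.THIS@NEAR.THIS
Jun  2 00:59:52  Jan 19 12:14:07  rcmd.alien@NEAR.THIS
Jun  2 02:07:08  Jan 19 12:14:07  rcmd.hakobera@POINTER-SOFTWARE.COM
"""
_STAMP = r"\w{3}\s+\d{1,2} \d\d:\d\d:\d\d"
LINE_RE = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)$")


def rd_req_time_ok(auth_time, server_time, skew=CLOCK_SKEW):
    """The clock test krb_rd_req applies to an authenticator timestamp."""
    return abs(server_time - auth_time) <= skew


def _parse(stamp, year, tz):
    stamp = " ".join(stamp.split())  # klist pads single-digit days
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y").replace(tzinfo=tz)


def audit_klist(text, year, tz=JST):
    """Map each principal in klist output to the quirks found on its line."""
    sentinel = datetime.fromtimestamp(TIME_T_MAX, tz)
    report = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        issued, expires = _parse(m.group(1), year, tz), _parse(m.group(2), year, tz)
        if expires < issued:  # no year printed: expiry must be next year
            expires = expires.replace(year=year + 1)
        notes = []
        if (expires.month, expires.day, expires.time()) == (sentinel.month, sentinel.day, sentinel.time()):
            notes.append("expiry is the 32-bit time_t maximum; real lifetime not visible")
        elif expires - issued > timedelta(minutes=5 * 255):
            notes.append("lifetime exceeds 255 x 5 min, the original krb4 lifetime byte")
        report[m.group(3)] = notes
    return report
```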
