Date: Sat, 08 Dec 2007 00:03:52 +0800
From: "xiaojunli.air" <xiaojunli.air@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Heimdal ftpd uninitialized vulnerability

Heimdal ftpd uninitialized-pointer free vulnerability
Class: Implementation error
Date: 11/12/2007
CVE ID: CVE-2007-5939
Vulnerable:
	Heimdal <= 0.7.2
Affected distributions:
	Gentoo <= heimdal-0.7.2-r3
	Ubuntu <= heimdal-0.7.2
Vendor:
	
I. Synopsis

An uninitialized-pointer free has been discovered in Heimdal's ftpd: on one error path in gss_userok() a pointer that was never assigned is passed to free().

II. Details
----------
Background

Heimdal's ftpd is a Kerberized FTP server; clients can authenticate to it with Kerberos 5 through GSSAPI, optionally delegating their credentials to the server.

Description

	There is an uninitialized-pointer free in gss_userok() in ftpd.c:

int
gss_userok(void *app_data, char *username)
{
...
	if (data->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
	    krb5_ccache ccache = NULL;
	    char* ticketfile;			/* (1) declared without an initializer */
	    struct passwd *pw;

	    pw = getpwnam(username);

	    if (pw == NULL) {			/* (2) no passwd entry for username */
		ret = 1;
		goto fail;
	    }

...

	fail:
	    if (ccache)
		krb5_cc_close(gssapi_krb5_context, ccache);
	    free(ticketfile);			/* (3) frees the uninitialized pointer */
	}

At (1) ticketfile is declared without an initializer. If the condition at (2)
holds, i.e. getpwnam() finds no passwd entry for the supplied username, control
jumps to (3) before ticketfile has been assigned, and free() is called on
whatever value happened to be in that stack slot. Note that ccache is
initialized to NULL and guarded before krb5_cc_close(); ticketfile gets
neither treatment. The path is only reachable after a GSSAPI authentication
in which the client delegated credentials (data->delegated_cred_handle !=
GSS_C_NO_CREDENTIAL), so the trigger is a delegating client naming a user
that does not exist on the server.

Impact
Passing an uninitialized pointer to free() is undefined behaviour. Depending on
what the stack slot contains, ftpd may crash, the heap allocator's state may be
corrupted, or the stale value may be usable by an attacker to steer the free()
at a chosen address. The straightforward fix is to initialize ticketfile to
NULL at its declaration, since free(NULL) is defined to be a no-op.
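The hardened form of the block quoted above, as an added example that is not part of this advisory or of Heimdal's own code. It keeps the same control flow (one fail: label that closes the cache and frees the ticket filename) but initializes ticketfile to NULL. So that it runs offline, getpwnam(), krb5_cc_resolve() and krb5_cc_close() are replaced by constructed stand-ins (fake_getpwnam, fake_cc_resolve, fake_cc_close) over a three-entry in-memory passwd table; the rule that a cache for uid 0 cannot be resolved is an invented failure, present only to exercise the cleanup path on which ticketfile is allocated but ccache is not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the passwd database that getpwnam() consults.
 * Only these three accounts "exist"; anything else is an unknown user. */
struct fake_passwd {
    const char *pw_name;
    unsigned pw_uid;
};
static const struct fake_passwd fake_db[] = {
    { "root",  0 },
    { "alice", 1000 },
    { "bob",   1001 },
};

/* Hypothetical replacement for getpwnam(): NULL when the user is unknown. */
static const struct fake_passwd *fake_getpwnam(const char *username)
{
    size_t i;
    for (i = 0; i < sizeof fake_db / sizeof fake_db[0]; i++)
        if (strcmp(fake_db[i].pw_name, username) == 0)
            return &fake_db[i];
    return NULL;
}

/* Stand-in for krb5_ccache: an opaque heap object that must be closed. */
typedef struct { char name[64]; } fake_ccache;

/* Hypothetical replacement for krb5_cc_resolve(). Constructed failure rule:
 * a credential cache for uid 0 cannot be resolved, so "root" fails here. */
static int fake_cc_resolve(const char *name, fake_ccache **out)
{
    if (strcmp(name, "FILE:/tmp/krb5cc_0") == 0)
        return 1;
    *out = malloc(sizeof **out);
    if (*out == NULL)
        return 1;
    snprintf((*out)->name, sizeof((*out)->name), "%s", name);
    return 0;
}

/* Hypothetical replacement for krb5_cc_close(). */
static void fake_cc_close(fake_ccache *cc)
{
    free(cc);
}

#define CCROOT "FILE:/tmp/krb5cc_"
#define TICKETFILE_LEN (sizeof CCROOT + 16)   /* room for the "%u" suffix */

/* Hardened shape of the gss_userok() block. Every resource released under
 * fail: starts out NULL, so the early goto taken for an unknown user frees
 * nothing: free(NULL) is guaranteed to be a no-op by the C standard.
 * Returns 0 when the cache was resolved, 1 on any failure. */
int userok_hardened(const char *username)
{
    fake_ccache *ccache = NULL;
    char *ticketfile = NULL;     /* the initializer the original code lacked */
    const struct fake_passwd *pw;
    int ret;

    pw = fake_getpwnam(username);
    if (pw == NULL) {
        ret = 1;
        goto fail;               /* path (2): ticketfile is still NULL here */
    }

    /* Build "FILE:/tmp/krb5cc_<uid>" (the original used asprintf). */
    ticketfile = malloc(TICKETFILE_LEN);
    if (ticketfile == NULL) {
        ret = 1;
        goto fail;
    }
    snprintf(ticketfile, TICKETFILE_LEN, "%s%u", CCROOT, pw->pw_uid);

    ret = fake_cc_resolve(ticketfile, &ccache);
    if (ret) {
        ret = 1;
        goto fail;               /* ticketfile allocated, ccache still NULL */
    }

    /* Storing the delegated credentials into ccache would happen here. */
    ret = 0;

fail:
    if (ccache)
        fake_cc_close(ccache);
    free(ticketfile);            /* safe on every path: NULL or from malloc */
    return ret;
}

int main(void)
{
    printf("alice   -> %d (cache resolved)\n", userok_hardened("alice"));
    printf("mallory -> %d (unknown user, nothing to free)\n", userok_hardened("mallory"));
    printf("root    -> %d (ticketfile freed, no cache to close)\n", userok_hardened("root"));
    return 0;
}
```

Each of the three calls exits through the same fail: label with a different set of live resources, which is the property the original code lacked. Building with `cc -Wall -O2` is the cheap regression check: with optimization enabled, GCC typically reports "ticketfile may be used uninitialized" on the original pattern and stays silent on this one.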

III. Credit
----------
    Venustech AD-LAB discovered this vulnerability. Thanks to all the
Venustech AD-Lab guys.

IV. Disclaimer
-----------

The information in this bulletin is provided "AS IS" without warranty of
any kind. In no event shall we be liable for any damages whatsoever,
including direct, indirect, incidental, consequential, loss of business
profits or special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)
