From owner-doc-jp-work@jp.FreeBSD.org Fri Nov 15 04:20:41 2002
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id gAEJKfh72757;
	Fri, 15 Nov 2002 04:20:41 +0900 (JST)
	(envelope-from owner-doc-jp-work@jp.FreeBSD.org)
Received: from smtp.eos.ocn.ne.jp (eos.ocn.ne.jp [211.6.83.117])
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) with ESMTP/inet id gAEJKf272748
	for <doc-jp-work@jp.FreeBSD.org>; Fri, 15 Nov 2002 04:20:41 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Received: from mail.allbsd.org (p33186-adsao12honb4-acca.tokyo.ocn.ne.jp [219.161.176.186])
	by smtp.eos.ocn.ne.jp (Postfix) with ESMTP id B497B3087
	for <doc-jp-work@jp.FreeBSD.org>; Fri, 15 Nov 2002 04:20:40 +0900 (JST)
Received: from localhost (alph.allbsd.org [192.168.0.10])
	by mail.allbsd.org (8.12.3/3.7W/DomainMaster) with ESMTP id gAEJAmB2097050
	for <doc-jp-work@jp.FreeBSD.org>; Fri, 15 Nov 2002 04:10:48 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Message-Id: <20021115.040939.41673592.hrs@eos.ocn.ne.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <200211130406.gAD46ZFu008072@freefall.freebsd.org>
References: <200211130406.gAD46ZFu008072@freefall.freebsd.org>
X-Mailer: Mew version 2.2 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Fri_Nov_15_04:09:39_2002_535)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Fri, 15 Nov 2002 04:09:39 +0900
X-Sequence: doc-jp-work 512
Subject: [doc-jp-work 512] Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:40.kadmind
Errors-To: owner-doc-jp-work@jp.FreeBSD.org
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hrs@eos.ocn.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+021111


This is Sato at Tokyo University of Science.

Here is 02:40.

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@eos.ocn.ne.jp>
|                         <hrs@FreeBSD.org> (FreeBSD Project)


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:40.kadmind (2002-11-12)
 * Buffer overflow in kadmind daemon
=============================================================================

 This mail is a Japanese translation of the following message, which was
 distributed on announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:40.kadmind
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 12 Nov 2002 20:06:35 -0800
  Message-Id: <200211130406.gAD46ZFu008072@freefall.freebsd.org>
  X-Sequence: announce-jp 1067

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,!"$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s!#(B
 $B=$@5%Q%C%AEy$NFbMF$,2~$6$s$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B=pL>$N(B
 $B%A%'%C%/$r9T$J$&$K$O!"86J8$r;2>H$7$F$/$@$5$$!#(B

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese Edition of FreeBSD Security Advisories" at the
 end of this document.


                                     [$BK]Lu<T(B: $B:4F#(B $B9-@8(B <hrs@jp.FreeBSD.org>]
--($B$3$3$+$i(B)
=============================================================================
FreeBSD-SA-02:40.kadmind                                  Security Advisory
                                                          The FreeBSD Project

$B%H%T%C%/(B:       kadmind $B%G!<%b%s$K$*$1$k%P%C%U%!%*!<%P%U%m!<LdBj(B
                (Buffer overflow in kadmind daemon)
$BJ,N`(B:           core, ports
$B%b%8%e!<%k(B:     crypto_heimdal, crypto_kerberosIV, heimdal, krb5
$B9pCNF|(B:         2002-11-12
$B%/%l%8%C%H(B:     Johan Danielsson <joda@pdc.kth.se>,
                Sam Hartman <hartmans@mit.edu>,
                Love Hoernquist-Astrand <lha@stacken.kth.se>,
                Tom Yu <tlyu@mit.edu>
$B1F6AHO0O(B:       FreeBSD 4.7-RELEASE $B$r4^$`!"$=$l0JA0$N$9$Y$F$N%j%j!<%9(B
$B=$@5F|(B:         2002-10-23 13:07:44 UTC (RELENG_4)
                2002-10-23 13:21:32 UTC (RELENG_4_7)
                2002-10-23 13:21:02 UTC (RELENG_4_6)
                2002-10-23 13:20:19 UTC (RELENG_4_5)
                2002-10-23 13:19:46 UTC (RELENG_4_4)
                2002-10-24 02:52:00 UTC (RELENG_3)
                2002-10-23 22:30:39 UTC (krb5 port, krb5-1.2.6_1)
                2002-10-24 15:01:11 UTC (heimdal port, heimdal-0.5.1)
FreeBSD $B$K8GM-$+(B:       NO


I.   $BGX7J(B - Background

The Kerberos 4 administrative server, kadmind, runs on the Kerberos
Key Distribution Center (KDC) and provides administrative access to
the Kerberos database.  It is part of the KTH Kerberos 4
implementation.  The Kerberos 5 administrative server, k5admind,
provides the same function in the Heimdal Kerberos 5 implementation,
and includes a Kerberos 4 compatibility feature.

The k5admind server is installed as part of the `krb5' distribution,
or when building from source with MAKE_KERBEROS5 set.  The kadmind
server is installed as part of the `krb4' distribution, or when
building from source with MAKE_KERBEROS4 set.  Neither is installed by
default.

k5admind $B%5!<%P$O!V(Bkrb5$B!WG[I[J*$N0lIt$H$7$F!"$b$7$/$O(B
MAKE_KERBEROS5 $B%*%W%7%g%s$r;XDj$7$F%=!<%9$+$i:F9=C[$9$k$3$H$G(B
$B%$%s%9%H!<%k$5$l$^$9!#(Bkadmind $B%5!<%P$O!V(Bkrb4$B!WG[I[J*$N0lIt$H$7$F!"(B
$B$b$7$/$O(B MAKE_KERBEROS4 $B%*%W%7%g%s$r;XDj$7$F%=!<%9$+$i:F9=C[$9$k$3$H$G(B
$B%$%s%9%H!<%k$5$l$^$9!#$$$:$l$b%G%U%)%k%H$G$O%$%s%9%H!<%k$5$l$^$;$s!#(B

The Heimdal Kerberos 5 administrative server is also available as part
of the heimdal port (ports/security/heimdal).  The MIT Kerberos 5
implementation also includes a Kerberos 5 administrative server
(ports/security/krb5).  The MIT Kerberos 5 administrative server is
named `kadmind'.

Heimdal Kerberos 5 $B4IM}%5!<%P$O(B heimdal port (ports/security/heimdal)
$B$H$7$F$bDs6!$5$l$F$$$^$9!#(BMIT Kerberos 5 $B<BAu(B (ports/security/krb5) $B$K$b(B
Kerberos 5 $B4IM}%5!<%P$,4^$^$l$F$$$^$9!#(BMIT Kerberos 5 $B4IM}%5!<%P$N(B
$BL>A0$O!V(Bkadmind$B!W$G$9!#(B


II.  $BLdBj$N>\:Y(B - Problem Description

A stack buffer overflow is present in the Kerberos 4 administrative
server, kadmind, and in the Kerberos 4 compatibility layer of the
Kerberos 5 administrative server, k5admind.

Kerberos 4 $B4IM}%5!<%P(B kadmind $B$*$h$S!"(BKerberos 5 $B4IM}%5!<%P(B k5admind $B$N(B
Kerberos 4 $B8_49AX$K$O!"%9%?%C%/%*!<%P%U%m!<LdBj$,$"$j$^$9!#(B


III. $B1F6AHO0O(B - Impact

A remote attacker may send a specially formatted request to k5admind
or kadmind, triggering the stack buffer overflow and potentially
causing the administrative server to execute arbitrary code as root on
the KDC.  The attacker need not be authenticated in order to trigger
the bug.  Compromise of the KDC has an especially large impact, as
theft of the Kerberos database could allow an attacker to impersonate
any Kerberos principal in the realm(s) present in the database.

IMPORTANT NOTE: According to the MIT security team, there is evidence
that this bug is being actively exploited.

$B=EMW(B: MIT $B%;%-%e%j%F%#%A!<%`$K$h$k$H!"$3$N%P%0$O<B:]$K(B
      $B9-$/0-MQ$5$l$F$$$k$H$N$3$H$G$9!#(B


IV.  $B2sHrJ}K!(B - Workaround

Perform one of the following:

1) Disable kadmind and/or k5admind by performing the following:

    Set kadmind_server_enable (for kadmind) and kadmind5_server_enable
    (for k5admind) to "NO" in /etc/rc.conf.

    /etc/rc.conf $B$K$"$k(B kadmind_server_enable (kadmind $B$N>l9g(B) $B$H(B
    kadmind5_server_enable (k5admind $B$N>l9g(B) $B$r!"$$$:$l$b(B "NO" $B$K(B
    $B@_Dj$9$k!#(B

    Check /etc/inetd.conf to verify that kadmind and k5admind are
    not being started from inetd.

    /etc/inetd.conf $B$rD4$Y!"(Bkadmin $B$*$h$S(B k5admind $B$NN>J}$,(B
    inetd $B7PM3$G5/F0$7$J$$$3$H$r3NG'$9$k!#(B

    Check that kadmind is not running as a service by executing the
    following command:

      # ps axlwww | egrep 'kadmind|k5admind'

    If kadmind or k5admind are running, kill them by executing the
    following command as root:

    kadmind $B$b$7$/$O(B k5admind $B$,<B9TCf$J$i!"(Broot $B8"8B$G<!$N%3%^%s%I$r(B
    $B<B9T$7$F!"$=$l$i$r(B kill $B$9$k!#(B

      # kill <process id of kadmind or k5admind>

2) Deinstall the heimdal or krb5 port/packages if installed.

2) heimdal $B$H(B krb5 $B$N(B port/package $B$,%$%s%9%H!<%k$5$l$F$$$k>l9g$O!"(B
   $B$=$l$i$r:o=|$9$k!#(B


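The checks of the workaround above, as an added example that is not part of the advisory: a POSIX sh audit that reads rc.conf, inetd.conf and a saved `ps axlwww` listing from files, so it can also be run against copies pulled from a KDC. The function names and the three file arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a host for the section IV
# workaround. All three inputs are files so the check also works on copies
# pulled from a KDC; on the KDC itself use /etc/rc.conf, /etc/inetd.conf and
# the saved output of `ps axlwww`.

# Exit 0 if rc.conf variable $2 is absent or set to NO (case-insensitive),
# 1 if it is set to anything else. The last assignment in the file wins.
rc_var_disabled() {
    val=$(sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 |
          tr -d "\"'[:space:]")
    case "$val" in
        ""|[Nn][Oo]) return 0 ;;
        *)           return 1 ;;
    esac
}

# Exit 0 if no uncommented inetd.conf line starts kadmind or k5admind.
inetd_clean() {
    ! grep -E '^[^#]*[/[:space:]](kadmind|k5admind)([[:space:]]|$)' "$1" >/dev/null
}

# Exit 0 if the saved ps listing shows no kadmind/k5admind process.
no_admin_daemon_running() {
    ! grep -E '(^|[/[:space:]])(kadmind|k5admind)([[:space:]]|$)' "$1" >/dev/null
}

# Run all checks, print each finding, and exit with the number of failures
# (0 means the workaround is fully in place).
audit_kadmind() {
    failures=0
    rc_var_disabled "$1" kadmind_server_enable ||
        { echo "rc.conf: kadmind_server_enable is not NO"; failures=$((failures + 1)); }
    rc_var_disabled "$1" kadmind5_server_enable ||
        { echo "rc.conf: kadmind5_server_enable is not NO"; failures=$((failures + 1)); }
    inetd_clean "$2" ||
        { echo "inetd.conf: kadmind/k5admind still started from inetd"; failures=$((failures + 1)); }
    no_admin_daemon_running "$3" ||
        { echo "ps: kadmind/k5admind still running; kill it as in step 1"; failures=$((failures + 1)); }
    return $failures
}

# Usage on a KDC:  ps axlwww > /tmp/ps.txt
#                  audit_kadmind /etc/rc.conf /etc/inetd.conf /tmp/ps.txt
```
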
V.   $B2r7h:v(B - Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.7-STABLE; or to the RELENG_4_7,
RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the
correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, FreeBSD
4.5, FreeBSD 4.6, and FreeBSD 4.7 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
a) $B0J2<$N>l=j$+$i=$@5%Q%C%A$r%@%&%s%m!<%I$7!"(BPGP $B%f!<%F%#%j%F%#$r;H$C$F(B
   PGP $B=pL>$r3NG'$7$^$9!#(B

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:40/kadmin.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:40/kadmin.patch.asc

b) Execute the following commands as root:
b) root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9!#(B

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/kerberos5/libexec/k5admind
# make depend && make all install
# cd /usr/src/kerberosIV/usr.sbin/kadmind
# make depend && make all install

If you have the `heimdal' or `krb5' port/package installed, then do
one of the following:

$B!V(Bheimdal$B!W$b$7$/$O!V(Bkrb5$B!W$N(B port/package $B$,%$%s%9%H!<%k(B
$B$5$l$F$$$k>l9g$O!"<!$N$$$:$l$+$K=>$C$F$/$@$5$$!#(B

1) Upgrade your entire ports collection and rebuild the port.

2) Download a new port skeleton for the heimdal or krb5 port from:
2) heimdal $B$b$7$/$O(B krb5 $B$N?7$7$$(B port $B%9%1%k%H%s$r(B
   $B0J2<$N>l=j$+$i%@%&%s%m!<%I$7!"$=$l$i$r;H$C$F(B port $B$r:F9=C[$9$k!#(B

http://www.freebsd.org/ports/

and use it to rebuild the port.

3) Use the portcheckout utility to automate option (2) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
3) $B>e5-(B (2) $B$NA`:n$r<+F0E*$K9T$J$&(B portcheckout $B%f!<%F%#%j%F%#$r;H$&!#(B
   portcheckout $B$N(B port $B$O(B /usr/ports/devel/portcheckout $B$K$"$j$^$9!#(B
   $B$^$?!"(Bportcheckout $B$N(B package $B$,0J2<$N>l=j$+$iF~<j2DG=$G$9!#(B

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

FreeBSD $B$K$*$$$F:#2s=$@5$5$l$?3F%U%!%$%k$N%j%S%8%g%sHV9f$O!"0J2<$N$H$*$j$G$9!#(B

Path                                                             Revision
  Branch
$B%Q%9L>(B                                                          $B%j%S%8%g%s(B
  $B%V%i%s%A(B
---------------------------------------------------------------------------
src/crypto/heimdal/kadmin/version4.c
  RELENG_4                                                    1.1.1.1.2.4
  RELENG_4_7                                              1.1.1.1.2.3.2.1
  RELENG_4_6                                              1.1.1.1.2.1.8.1
  RELENG_4_5                                              1.1.1.1.2.1.6.1
  RELENG_4_4                                              1.1.1.1.2.1.4.1
src/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
  RELENG_4                                                    1.1.1.3.2.1
  RELENG_4_7                                                 1.1.1.3.12.1
  RELENG_4_6                                                 1.1.1.3.10.1
  RELENG_4_5                                                  1.1.1.3.8.1
  RELENG_4_4                                                  1.1.1.3.6.1
src/kerberosIV/include/version.h
  RELENG_4                                                        1.3.2.1
  RELENG_4_7                                                     1.3.12.1
  RELENG_4_6                                                     1.3.10.1
  RELENG_4_5                                                      1.3.8.1
  RELENG_4_4                                                      1.3.6.1
src/kerberos5/include/version.h
  RELENG_4                                                        1.2.2.6
  RELENG_4_7                                                  1.2.2.5.2.1
  RELENG_4_6                                                  1.2.2.3.2.1
  RELENG_4_5                                                  1.2.2.2.4.1
  RELENG_4_4                                                  1.2.2.2.2.1
---------------------------------------------------------------------------

For Heimdal Kerberos 5 and MIT Kerberos 5 found in the FreeBSD Ports
Collection, the first corrected versions are:

FreeBSD Ports Collection $B$K4^$^$l$k(B Heimdal Kerberos 5 $B$H(B
MIT Kerberos 5 $B$K$*$$$F!"LdBj$,=$@5$5$l$F$$$k:G$b<c$$(B
$B%P!<%8%g%sHV9f$O0J2<$N$H$*$j$G$9!#(B

ports/security/heimdal   heimdal-0.5.1
ports/security/krb5      krb5-1.2.6_1
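
As an added example that is not from the advisory or from either project, a POSIX sh check of installed heimdal and krb5 packages against the first corrected versions listed above. The function names and the FreeBSD-style version comparison are this example's own; package names are taken in the `name-version` form that `pkg_info` prints.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether an installed heimdal
# or krb5 package, named as `pkg_info` prints it (e.g. "krb5-1.2.6"), is at or
# after the first corrected version from section VI. Versions are compared
# the FreeBSD way: dotted numeric components first, then the "_N"
# PORTREVISION suffix (absent means 0). Only numeric components are handled.
FIRST_FIXED_heimdal=0.5.1
FIRST_FIXED_krb5=1.2.6_1

# Print -1, 0 or 1 as version $1 is older than, equal to, or newer than $2.
version_cmp() {
    a_main=${1%%_*}; a_rev=${1#*_}; [ "$a_rev" = "$1" ] && a_rev=0
    b_main=${2%%_*}; b_rev=${2#*_}; [ "$b_rev" = "$2" ] && b_rev=0
    i=1
    while :; do
        # The trailing dot guarantees a delimiter, so cut never echoes the
        # whole string back for a version with a single component.
        x=$(printf '%s.' "$a_main" | cut -d. -f"$i")
        y=$(printf '%s.' "$b_main" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && break     # both exhausted: equal so far
        x=${x:-0}; y=${y:-0}                      # 0.5 compares as 0.5.0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    if   [ "$a_rev" -lt "$b_rev" ]; then printf '%s\n' -1
    elif [ "$a_rev" -gt "$b_rev" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# Exit 0 if package $1 is at or after its first corrected version, 1 if it is
# still vulnerable, 2 if it is not one of the two ports this advisory covers.
port_fixed() {
    name=${1%-*}; ver=${1##*-}
    case "$name" in
        heimdal) fixed=$FIRST_FIXED_heimdal ;;
        krb5)    fixed=$FIRST_FIXED_krb5 ;;
        *)       return 2 ;;
    esac
    [ "$(version_cmp "$ver" "$fixed")" -ge 0 ]
}

# Usage:  for p in $(pkg_info | cut -d' ' -f1); do
#             port_fixed "$p"; case $? in 1) echo "$p: vulnerable" ;; esac; done
```
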


VII. $B;29M;qNA(B - References

<URL:http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt>
<URL:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc>
<URL:http://www.pdc.kth.se/heimdal/>
<URL:http://www.pdc.kth.se/kth-krb/>


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

Note, however, that neither the translator nor doc-jp makes any guarantee
about its contents. Please send comments, requests and enquiries about the
Japanese translation to doc-jp@jp.FreeBSD.org.

Japanese mirror sites exist for the WWW site http://www.FreeBSD.org/ and
the FTP site ftp://ftp.FreeBSD.org/ referred to in this advisory. To ease
network congestion, please consider using the mirror sites first.

To use the Japanese mirror sites, replace http://www.FreeBSD.org/ with
http://www.jp.FreeBSD.org/www.freebsd.org/ and ftp://ftp.FreeBSD.org/ with
ftp://ftp.jp.FreeBSD.org/ respectively.

Details of mirror sites, including those in other regions, are collected at

 http://www.FreeBSD.org/handbook/mirror.html (English)
 http://www.FreeBSD.org/ja/handbook/mirror.html (Japanese translation)

$hrs: announce-jp/FreeBSD-SA/02:40,v 1.4 2002/11/14 19:05:28 hrs Exp $

