Kerberos 5 su Privilege Escalation Vulnerability

Fred A. Miller fm at cupserv.org
Mon Jan 28 19:26:06 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For those institutions that are rolling out K5, this is a bug to be 
aware of.

Fred
_____________________


Kerberos 5 su Privilege Escalation Vulnerability
BugTraq ID: 3919
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3919
Summary:

Kerberos 5 includes a version of 'su', a utility that can be used by a
user to change user-identity while logged in.  This utility is known as
'k5su'.

A vulnerability in k5su may allow for a local user to elevate privileges
under certain circumstances.  When root runs 'k5su', no password should
be required to switch to arbitrary userids.  The user running k5su is
determined by the output of getlogin(), a function which returns the
username associated with the process' controlling terminal.

If the username 'root' is returned, the program functions as though root
is using it and does not request passwords.  Under certain 
circumstances, users may have 'root' returned by getlogin().  This may 
occur if their username is explicitly set to 'root' or if a process 
lowers privileges but does not set a new login name via setlogin().

On such systems, k5su would act as though root were running it and not
prompt for a password.  Exploitation of this vulnerability may result in
a compromise of root access to local attackers.

- -- 
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm at cupserv.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8VaXOIhTtc6nTZIIRAhPRAJwLm/Z7gIrEBLM4m4Ag71UY5u49vACeKgXJ
VxNg7ASVqYXMufL/pmnnqEo=
=biiq
-----END PGP SIGNATURE-----
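The advisory's core point is that k5su used the login name tied to the controlling terminal (getlogin()) as an authorization oracle, and that name can still read "root" for a process that has already dropped to an unprivileged uid. The following C program is an added illustration of that failure mode and of the usual remedy, checking the kernel-maintained real uid instead; it is not code from the advisory or from the Kerberos 5 distribution, and the function names, the constructed scenarios and the comparison helper are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Decision modelled on the advisory's description of k5su (hypothetical
 * helper, not k5su's own code): the caller is treated as root when the
 * login name associated with the controlling terminal is "root".
 * The login name is recorded by login(1)/setlogin() and is inherited by
 * child processes; it is NOT reset when a process drops privileges unless
 * that process calls setlogin() itself, so it is not a trustworthy signal.
 */
int caller_is_root_by_login(const char *login_name)
{
    /* getlogin() can legitimately return NULL (no controlling terminal,
     * or no utmp entry); treat that as "not root" rather than crash. */
    return login_name != NULL && strcmp(login_name, "root") == 0;
}

/*
 * Hardened decision: base the "no password needed" branch on the real uid,
 * which the kernel maintains and which an unprivileged process cannot set
 * back to 0 after dropping it.
 */
int caller_is_root_by_uid(uid_t real_uid)
{
    return real_uid == 0;
}

/*
 * Returns 1 when the login-name check and the uid check disagree for the
 * given pair, i.e. when a program relying on getlogin() would make the
 * wrong call; 0 when the two agree.
 */
int login_check_disagrees(const char *login_name, uid_t real_uid)
{
    return caller_is_root_by_login(login_name) != caller_is_root_by_uid(real_uid);
}

int main(void)
{
    /* Constructed scenarios, including the two the advisory describes:
     * a login name explicitly set to "root", and a privilege drop that
     * never called setlogin(). */
    struct scenario {
        const char *login;
        uid_t       uid;
        const char *desc;
    } cases[] = {
        { "root",  0,    "genuine root session" },
        { "alice", 1000, "ordinary user session" },
        { "root",  1000, "dropped to uid 1000, setlogin() never called" },
        { NULL,    1000, "no controlling terminal: getlogin() returned NULL" },
    };
    size_t n = sizeof(cases) / sizeof(cases[0]);

    for (size_t i = 0; i < n; i++) {
        printf("%-48s login-check=%d uid-check=%d %s\n",
               cases[i].desc,
               caller_is_root_by_login(cases[i].login),
               caller_is_root_by_uid(cases[i].uid),
               login_check_disagrees(cases[i].login, cases[i].uid)
                   ? "<-- login check is wrong" : "");
    }

    /* Live values for this process, so the reader can see what getlogin()
     * actually reports on their own system (it may well be NULL). */
    const char *live_login = getlogin();
    printf("\nthis process: getlogin()=%s getuid()=%lu\n",
           live_login ? live_login : "(NULL)",
           (unsigned long)getuid());
    return 0;
}
```

The third scenario is the one that matters: a login name of "root" paired with a non-zero real uid makes the login-based check grant what the uid-based check correctly denies. Anything that decides whether to skip authentication should key off getuid()/geteuid(), never off a name that a parent process chose or failed to update.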