Kerberos 5 su Privilege Escalation Vulnerability

Fred A. Miller fm at
Mon Jan 28 19:26:06 GMT 2002


For those institutions that are rolling out K5, this is a bug to be 
aware of.


Kerberos 5 su Privilege Escalation Vulnerability
BugTraq ID: 3919
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL:

Kerberos 5 includes a version of 'su', a utility that can be used by a
user to change user-identity while logged in.  This utility is known as

A vulnerability in k5su may allow for a local user to elevate privileges
under certain circumstances.  When root runs 'k5su', no password should
be required to switch to arbitrary userids.  The user running k5su is
determined by the output of getlogin(), a function which returns the
username associated with the process' controlling terminal.

If the username 'root' is returned, the program functions as though root
is using it and does not request passwords.  Under certain 
circumstances, users may have 'root' returned by getlogin().  This may 
occur if their username is explicitly set to 'root' or if a process 
lowers privileges but does not set a new login name via setlogin().

On such systems, k5su would act as though root were running it and not
prompt for a password.  Exploitation of this vulnerability may result in
a compromise of root access to local attackers.

-- 
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm at
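The advisory above turns on one design decision: k5su decided whether the caller was root from the login name (getlogin()) rather than from the kernel-enforced uid. The following C program is an added illustration, not k5su's code or anything from the advisory: the functions root_by_login_name(), root_by_uid() and password_required() are hypothetical, and the "root"/uid 1000 state used in the comments is constructed to mirror the scenario the advisory describes (login name still "root" after a privileged process dropped privileges without calling setlogin()).

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Pattern the advisory describes as vulnerable: derive "caller is root"
 * from the login name.  getlogin() reports the login name attached to the
 * controlling terminal (utmp), which is not changed when a process drops
 * privileges unless it also calls setlogin(), so it can read "root" for an
 * unprivileged process. */
static int root_by_login_name(const char *login)
{
    return login != NULL && strcmp(login, "root") == 0;
}

/* Hardened pattern: trust only the real uid, which the kernel maintains
 * and which an unprivileged process cannot make equal to 0. */
static int root_by_uid(uid_t real_uid)
{
    return real_uid == 0;
}

/* Password-skip decision, parameterised so both policies can be compared
 * against the same process state.  Returns 1 if a password must be asked. */
static int password_required(const char *login, uid_t real_uid, int use_uid_check)
{
    int caller_is_root = use_uid_check ? root_by_uid(real_uid)
                                       : root_by_login_name(login);
    return !caller_is_root;
}

/* Show how each policy would treat the process this program runs as. */
static void report_current_process(void)
{
    const char *login = getlogin();   /* NULL when there is no utmp entry */
    uid_t uid = getuid();
    printf("getlogin()=%s getuid()=%u\n", login ? login : "(null)", (unsigned)uid);
    printf("login-name policy: password %s\n",
           password_required(login, uid, 0) ? "required" : "skipped");
    printf("uid policy:        password %s\n",
           password_required(login, uid, 1) ? "required" : "skipped");
}

int main(void)
{
    report_current_process();   /* constructed state "root"/uid 1000 diverges: */
    return 0;                   /* login-name policy skips, uid policy asks */
}
```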


