Page 14 of 111 results (0.011 seconds)

CVSS: 8.5EPSS: 31%CPEs: 2EXPL: 0

The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer. La función kadm5_modify_policy_internal en lib/kadm5/srv/svr_policy.c del demonio de administración de Kerberos (kadmind) en MIT Kerberos 5 (krb5) 1.5 hasta 1.6.2 no comprueba adecuadamente los valores de retorno cuando no existe política, lo cual podría permitir a usuarios autenticados remotos con el privilegio de "modificar política" ejecutar código de su elección mediante vectores no especificados que provocan una escritura en un puntero no inicializado. • http://secunia.com/advisories/26676 http://secunia.com/advisories/26680 http://secunia.com/advisories/26700 http://secunia.com/advisories/26728 http://secunia.com/advisories/26783 http://secunia.com/advisories/26987 http://securityreason.com/securityalert/3092 http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt http://www.gentoo.org/security/en/glsa/glsa-200709-01.xml http://www.kb.cert.org/vuls/id/377544 http://www.mandriva.com/security/advisories?name=MDKSA&# • CWE-824: Access of Uninitialized Pointer •

CVSS: 10.0EPSS: 96%CPEs: 12EXPL: 0

Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message. Un desbordamiento de búfer en la región stack de la memoria en la función svcauth_gss_validate en el archivo lib/rpc/svc_auth_gss.c en la biblioteca RPCSEC_GSS RPC (librpcsecgss) en MIT Kerberos 5 (krb5) versiones 1.4 hasta 1.6.2, como es usado por demonio de administración de Kerberos (kadmind) y algunas aplicaciones de terceros que usan krb5 permiten a atacantes remotos causar una denegación de servicio (bloqueo del demonio) y probablemente ejecutar código arbitrario por medio de una cadena larga en un mensaje RPC. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of MIT Kerberos. Authentication is not required to exploit this vulnerability. The specific flaw exists in the svcauth_gss_validate() function. By sending a large authentication context over RPC, a stack based buffer overflow occurs, resulting in a situation allowing for remote code execution. The vulnerable line of the function is: memcpy((caddr_t)buf, oa->oa_base, oa->oa_length); If 128 < oa->oa_length < 400, the exploitable situation occurs. • http://docs.info.apple.com/article.html?artnum=307041 http://lists.apple.com/archives/security-announce/2007/Nov/msg00002.html http://lists.rpath.com/pipermail/security-announce/2007-September/000237.html http://secunia.com/advisories/26676 http://secunia.com/advisories/26680 http://secunia.com/advisories/26684 http://secunia.com/advisories/26691 http://secunia.com/advisories/26697 http://secunia.com/advisories/26699 http://secunia.com/advisories/26700 http://secunia.com/advisories&#x • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 10.0EPSS: 96%CPEs: 6EXPL: 0

The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup. La función gssrpc__svcauth_gssapi en la librería RPC de MIT Kerberos 5 (krb5) 1.6.1 y anteriores podría permitir a atacantes remotos ejecutar código de su elección mediante credenciales RPC de longitud cero, lo cual provoca que kadmind libere un puntero no inicializado durante la limpieza. • ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc http://docs.info.apple.com/article.html?artnum=306172 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02257427 http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html http://osvdb.org/36596 http://secunia.com/advisories/25800 http://secunia.com/advisories/25801 http://secunia.com/advisories/258 • CWE-824: Access of Uninitialized Pointer •

CVSS: 8.3EPSS: 96%CPEs: 6EXPL: 0

Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value. Error de entero sin signo en la función gssrpc__svcauth_unix de svc_auth_unix.c en la librería RPC de MIT Kerberos 5 (krb5) 1.6.1 y anteriores podría permitir a atacantes remotos ejecutar código de su elección mediante un valor de longitud negativa. • ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc http://docs.info.apple.com/article.html?artnum=306172 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02257427 http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html http://osvdb.org/36597 http://secunia.com/advisories/25800 http://secunia.com/advisories/25801 http://secunia.com/advisories/258 •

CVSS: 9.0EPSS: 94%CPEs: 6EXPL: 0

Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. Un desbordamiento de búfer en la región Stack de la memoria en la función rename_principal_2_svc en kadmind para MIT Kerberos versiones 1.5.3, 1.6.1, y otras versiones, permite a los usuarios autenticados remotos ejecutar código arbitrario por medio de una petición creada para renombrar un principal. • ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc http://docs.info.apple.com/article.html?artnum=306172 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02257427 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=548 http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html http://osvdb.org/36595 http://secunia.com/advisories/25800 htt • CWE-787: Out-of-bounds Write •