Heimdal ftpd uninitialized variable vulnerability

Class: implementation error
DATE: 11/12/2007
CVE ID: CVE-2007-5939
Vulnerable: <= heimdal 0.7.2
Affected distributions: Gentoo <= heimdal-0.7.2-r3, Ubuntu <= heimdal-0.7.2
Vendor:

I. Synopsis
-----------
A vulnerability has been discovered in Heimdal's ftpd.

II. DETAILS
-----------
Background

Heimdal's ftpd is a kerberized FTP server: clients can authenticate to it with Kerberos 5 over GSS-API.

Description

There is an uninitialized-variable vulnerability in the function gss_userok() in the ftpd GSS-API code (appl/ftp/ftpd/gssapi.c). The function is reached after a client has authenticated with GSS-API and is asked whether the authenticated principal may log in as the requested local username. Line numbers below are those of the excerpt and are referenced by the markers (1), (2) and (3).

int gss_userok(void *app_data, char *username)
{
    ...
 77     if (data->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
 78         krb5_ccache ccache = NULL;
 79 (1)     char* ticketfile;                <---- declared without an initializer
 80         struct passwd *pw;
 81
 82         pw = getpwnam(username);
 83
 84 (2)     if (pw == NULL) {
 85             ret = 1;
 86             goto fail;
 87         }
 88         ...
110
111     fail:
112         if (ccache)
113             krb5_cc_close(gssapi_krb5_context, ccache);
114 (3)     free(ticketfile);                <---- frees the uninitialized variable
115     }

At (1) ticketfile is declared without an initializer; it is only assigned later, after the passwd lookup succeeds. If the getpwnam() call at (2) returns NULL, which happens whenever the client supplies a username that does not exist on the server, control jumps to fail: and free() at (3) is called with whatever value happened to be in ticketfile's stack slot. Note that ccache on line 78 is initialized to NULL and is guarded before krb5_cc_close(); ticketfile gets neither treatment. Because the username is supplied by the remote client and delegated credentials are a normal part of a kerberized FTP login, the failing path is reachable by an authenticated remote user.

Impact

Calling free() on an uninitialized pointer is undefined behavior. Depending on the stack contents it may be a harmless free(NULL), crash the ftpd process (denial of service), or hand an attacker-influenced pointer to the heap allocator, which can lead to heap corruption and possibly code execution.

III. CREDIT
-----------
Venustech AD-LAB discovered this vulnerability. Thanks to all the Venustech AD-Lab guys.

V. DISCLAIMER
-------------
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO., LTD (http://www.venustech.com.cn)
Security Trusted {Solution} Provider Service

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
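The following is an added example, not Heimdal's code or part of the original advisory. It re-creates the control flow of the excerpt above with the fix applied (ticketfile initialized to NULL) and, beside it, the same function in its vulnerable shape so the difference can be compiled and compared. getpwnam() and the credential cache are replaced by constructed stand-ins (fake_getpwnam, fake_ccache) so the code runs offline; the "FILE:/tmp/krb5cc_<uid>" name format is an assumption and not a claim about how Heimdal names its cache.

```c
/* Added example (not Heimdal's code): the gss_userok() cleanup path from
 * CVE-2007-5939, vulnerable and fixed shapes side by side.
 * Build: cc -Wall -Wextra -O2 -fsanitize=address uninit_free.c            */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for getpwnam(): only these accounts "exist". */
struct fake_pw { const char *name; unsigned uid; };
static const struct fake_pw fake_passwd[] = {
    { "alice",   1000 },
    { "ftpuser", 1001 },
};

static const struct fake_pw *fake_getpwnam(const char *name)
{
    for (size_t i = 0; i < sizeof fake_passwd / sizeof fake_passwd[0]; i++)
        if (strcmp(fake_passwd[i].name, name) == 0)
            return &fake_passwd[i];
    return NULL;   /* unknown user: the path that reached free() in 0.7.2 */
}

/* Hypothetical stand-in for krb5_ccache; only NULL vs. non-NULL matters. */
struct fake_ccache { unsigned owner_uid; };
static void fake_cc_close(struct fake_ccache *cc) { free(cc); }

/* Assumed cache-name format, used by both variants below. Returns NULL on
 * allocation failure so the caller's free() stays well defined.           */
static char *make_ticketfile(unsigned uid)
{
    char *s = malloc(64);
    if (s != NULL)
        snprintf(s, 64, "FILE:/tmp/krb5cc_%u", uid);
    return s;
}

/*
 * VULNERABLE shape (mirrors the advisory's excerpt). With an unknown
 * username, execution goes from the pw == NULL check straight to fail:
 * and free() receives whatever was in ticketfile's stack slot. GCC reports
 * this as -Wmaybe-uninitialized at -O2; do not exercise the unknown-user
 * path here outside a sanitizer.
 */
int gss_userok_vuln(const char *username)
{
    int ret = 0;
    struct fake_ccache *ccache = NULL;
    char *ticketfile;                 /* BUG: no initializer */
    const struct fake_pw *pw = fake_getpwnam(username);

    if (pw == NULL) { ret = 1; goto fail; }        /* ticketfile still garbage */

    ticketfile = make_ticketfile(pw->uid);
    ccache = calloc(1, sizeof *ccache);
    if (ticketfile == NULL || ccache == NULL) { ret = 1; goto fail; }
    ccache->owner_uid = pw->uid;
fail:
    if (ccache)
        fake_cc_close(ccache);
    free(ticketfile);                 /* undefined behaviour on the early exit */
    return ret;
}

/*
 * FIXED shape: the one-line change is "= NULL" on ticketfile. Every pointer
 * that a shared cleanup label releases is now defined on every path, so the
 * early exit performs free(NULL), which is a no-op.
 */
int gss_userok_fixed(const char *username)
{
    int ret = 0;
    struct fake_ccache *ccache = NULL;
    char *ticketfile = NULL;          /* FIX: defined before any goto fail */
    const struct fake_pw *pw = fake_getpwnam(username);

    if (pw == NULL) { ret = 1; goto fail; }

    ticketfile = make_ticketfile(pw->uid);
    ccache = calloc(1, sizeof *ccache);
    if (ticketfile == NULL || ccache == NULL) { ret = 1; goto fail; }
    ccache->owner_uid = pw->uid;
fail:
    if (ccache)
        fake_cc_close(ccache);
    free(ticketfile);                 /* safe on every path */
    return ret;
}

int main(void)
{
    /* Only the fixed variant is run with an unknown user. */
    printf("fixed  alice      -> %d\n", gss_userok_fixed("alice"));
    printf("fixed  no-such-id -> %d\n", gss_userok_fixed("no-such-id"));
    printf("vuln   alice      -> %d (known user, safe path)\n",
           gss_userok_vuln("alice"));
    return 0;
}
```

The fix Heimdal shipped is the initializer; the more general rule the example encodes is that any resource released at a shared cleanup label must be in a defined state from the point of its declaration, and that a static warning pass with optimization enabled (or a run under AddressSanitizer / MemorySanitizer on the unknown-user path) surfaces this class of defect before a remote user does.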