A remote and local overflow exists in OpenSSH. OpenSSH fails to clear counters from a buffer in the auth_krb4_tgt() function, resulting in a buffer overflow. With a specially crafted request, an attacker can cause stack variables to be overwritten and arbitrary code to be executed, resulting in a loss of confidentiality, integrity, and/or availability.

The sshd daemon in OpenSSH versions 2.9.9 and older is vulnerable to a buffer overflow resulting in remote root if the following conditions are met:
1) sshd is compiled with Kerberos/AFS support and
2) either KerberosTgtPassing or AFSTokenPassing is enabled in sshd_config.

Versions from 2.9.9 to 3.2 are vulnerable to local root exploits if the same conditions are met. Kerberos ticket and token passing are disabled by default. An attacker can send a specially crafted request to pass Kerberos IV TGT, or pass AFS token, exploiting the bug in auth_krb4_tgt() function which fails to clear user-supplied contents from a temp buffer. Thus, a remote attacker can overflow the buffer and overwrite stack variables to execute arbitrary code on the system.

Upgrade to version 3.2.2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, or by disabling Kerberos authentication.

• CVE ID: 2002-0575 (see also: NVD)
• Bugtraq ID: 4560
• ISS X-Force ID: 8896
• Vendor Specific Advisory URL: http://lists.trustix.org/pipermail/tsl-announce/2002-April/000089.html
  http://lists.virus.org/openssh-announce-0204/msg00001.html
• Vendor URL: http://www.openssh.org/security.html

• Marcell Fodor - m.fodormail.datanet.hu -