Category:       krb5-appl
Release:        krb5-1.2.3

Description:

When using MIT kerberos against a Windows 2000 KDC, obtaining a TGT
for a user that is a member of many Windows groups causes the
Authorization-Data field of the TGT to become very large. Microsoft
uses this field to store Windows security information for all the
groups that user is a member of.
Telnet contains 2048 byte buffers for the network output ring and also
as a work buffer in libtelnet/kerberos5.c. When the TGT is too large,
the buffer in kerberos5.c overflows and overwrites the variables
declared after it, particularly the krb5_context structure - a core
dump soon follows!

How-To-Repeat:

Create a user account at the Win2K KDC and make it a member of many
groups - 10 to 12 is usually sufficient.

Fix:

Personally I increased the size of the static buffer in
libtelnet/kerberos5.c line 99: static unsigned char str_data[2048]
and the network output ring buffer
telnet/network.c line 56: unsigned char netobuf[2*BUFSIZ],
to be big enough to accommodate the largest expected user account on
the company's network.

I would recommend that any future enhancement to telnet would use a
dynamically allocated buffer in kerberos5.c and that there be some way
of flushing the ring buffer so that a large TGT can be processed in a
loop, since the TGT size is not known at the time the ring buffer is
allocated.
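Added example, not code from the krb5 tree or from this report: a sketch of the two
changes recommended above, a bounded (or heap-sized) copy of the ticket in place of a
fixed work buffer, and a ring that flushes inside a loop so the message size need not
be known when the ring is allocated. All names (ring_t, ring_put, copy_ticket_*) and the
64-byte ring size are hypothetical and chosen only to exercise the flush path.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical 64-byte ring standing in for telnet's netobuf (the real code
 * uses a fixed 2*BUFSIZ array and other names); tiny so flushing is exercised. */
typedef struct {
    unsigned char buf[64];
    size_t tail;     /* next free byte */
    size_t flushed;  /* bytes already handed to the "socket" */
} ring_t;

/* Stand-in for writing the pending bytes to the network. */
void ring_flush(ring_t *r) { r->flushed += r->tail; r->tail = 0; }
/* Queue a message of any length, flushing whenever the ring fills, so the
 * message size need not be known when the ring is sized. */
size_t ring_put(ring_t *r, const unsigned char *data, size_t len) {
    size_t done = 0;
    while (done < len) {
        size_t room = sizeof r->buf - r->tail;
        if (room == 0) { ring_flush(r); continue; }
        size_t n = (len - done < room) ? len - done : room;
        memcpy(r->buf + r->tail, data + done, n);
        r->tail += n;
        done += n;
    }
    return done;
}
/* Bounded copy into a fixed work buffer: 0 on success, -1 if it does not fit. */
int copy_ticket_fixed(unsigned char *dst, size_t dst_sz,
                      const unsigned char *tkt, size_t len) {
    if (len > dst_sz) return -1;
    memcpy(dst, tkt, len);
    return 0;
}
/* Heap copy sized to the ticket itself (the dynamic alternative); caller frees. */
unsigned char *copy_ticket_dyn(const unsigned char *tkt, size_t len) {
    unsigned char *p = len ? malloc(len) : NULL;
    if (p) memcpy(p, tkt, len);
    return p;
}
/* Constructed driver: push a msg_len-byte message through the ring; returns bytes delivered. */
size_t ring_demo(size_t msg_len) {
    ring_t r = {{0}, 0, 0};
    unsigned char *msg = malloc(msg_len);
    if (!msg) return 0;
    memset(msg, 'A', msg_len);
    ring_put(&r, msg, msg_len); ring_flush(&r); free(msg);
    return r.flushed;
}
```

A 200-byte message passes through the 64-byte ring intact because ring_put flushes three times on the way, which is the loop the recommendation asks for.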

(also posted to [EMAIL PROTECTED])
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos