CVE-2006-3084

The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known whether an exploitable attack scenario exists for these issues.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.7.2-setuid-patch.txt
http://fedoranews.org/cms/node/2376
http://secunia.com/advisories/21402	Vendor Advisory
http://secunia.com/advisories/21436	Vendor Advisory
http://secunia.com/advisories/21439	Vendor Advisory
http://secunia.com/advisories/21461	Vendor Advisory
http://secunia.com/advisories/21467	Vendor Advisory
http://secunia.com/advisories/21527	Vendor Advisory
http://secunia.com/advisories/21613	Vendor Advisory
http://secunia.com/advisories/23707	Vendor Advisory
http://security.gentoo.org/glsa/glsa-200608-21.xml
http://securitytracker.com/id?1016664
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt
http://www.debian.org/security/2006/dsa-1146
http://www.gentoo.org/security/en/glsa/glsa-200608-15.xml
http://www.kb.cert.org/vuls/id/401660	US Government Resource
http://www.novell.com/linux/security/advisories/2006_20_sr.html
http://www.osvdb.org/27871
http://www.osvdb.org/27872
http://www.pdc.kth.se/heimdal/advisory/2006-08-08/
http://www.securityfocus.com/archive/1/442599/100/0/threaded
http://www.securityfocus.com/archive/1/443498/100/100/threaded
http://www.securityfocus.com/bid/19427
http://www.ubuntu.com/usn/usn-334-1
http://www.vupen.com/english/advisories/2006/3225	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:heimdal:heimdal::::::::
	cpe:2.3:a:mit:kerberos_5:1.4:::::::*
	cpe:2.3:a:mit:kerberos_5:1.4.1:::::::*
	cpe:2.3:a:mit:kerberos_5:1.4.2:::::::*
	cpe:2.3:a:mit:kerberos_5:1.4.3:::::::*
	cpe:2.3:a:mit:kerberos_5:1.5:::::::*

History

No history.

Information

Published : 2006-08-09 10:04

Updated : 2020-01-21 15:45

NVD link : CVE-2006-3084

Mitre link : CVE-2006-3084

CVE.ORG link : CVE-2006-3084

JSON object : View

Products Affected

heimdal

heimdal

mit

kerberos_5

CWE

CWE-264

Permissions, Privileges, and Access Controls

7.2 /10