CVE-1999-1099

MEDIUM 5.0 / 10.0
Published: November 22, 1996 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Kerberos 4 allows remote attackers to obtain sensitive information via a malformed UDP packet that generates an error string that inadvertently includes the realm name and the last user.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Kerberos 4, a legacy authentication protocol, is vulnerable to a remote information disclosure flaw. Attackers can craft malicious UDP packets to elicit error messages containing the realm name and the last authenticated user, potentially enabling further attacks. This vulnerability poses a significant risk to systems still relying on Kerberos 4, allowing attackers to gather crucial reconnaissance data for subsequent compromise attempts.

02 // Vulnerability Mechanism

Step 1: Packet Crafting: The attacker constructs a malformed UDP packet. The packet is designed to trigger an error condition within the Kerberos 4 server. The specific malformation is not detailed in the CVE, but it likely involves invalid data in a specific field or an incorrect packet structure.

Step 2: Packet Delivery: The attacker sends the crafted UDP packet to the Kerberos 4 server, typically on port 88 (the standard Kerberos port).

Step 3: Error Generation: The Kerberos 4 server receives the malformed packet and attempts to process it. This processing fails, resulting in an error.

Step 4: Error Message Leak: The Kerberos 4 server generates an error message to report the failure. Due to the vulnerability, this error message includes the Kerberos realm name and the username of the last authenticated user.

Step 5: Information Retrieval: The attacker receives the error message, which contains the sensitive information. This information can be used for reconnaissance to identify valid users and the target realm.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and error handling within the Kerberos 4 implementation. Specifically, when processing malformed UDP packets, the server generates an error message. This error message, due to a programming oversight, inadvertently includes sensitive information such as the Kerberos realm name and the username of the last user who successfully authenticated. The root cause is likely a lack of sanitization or filtering of data before inclusion in the error string. This allows attackers to extract information that should not be exposed, facilitating further attacks like password guessing or targeted credential harvesting. The flaw is not a buffer overflow or a race condition, but rather a simple information leak due to poor error handling.
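The error-handling pattern described in the steps above and in this analysis, as an added illustration that is not the Kerberos 4 source or any code from this page: a hypothetical KDC request handler whose error reply is assembled from live server state (the realm and the last authenticated principal), beside a hardened handler that sends a fixed message and keeps the detail in the server log. The packet layout, the `parse_request`, `handle_request` and `reply_leaks_state` functions, and the realm and user names are all constructed for the example and do not reflect the real Kerberos 4 wire format.

```c
#include <stdio.h>
#include <string.h>

/* Constructed server state for the example: the realm this KDC serves and
 * the principal name of the last user who authenticated successfully. */
static const char *g_realm = "EXAMPLE.REALM";
static const char *g_last_user = "alice";

/* Hypothetical request layout (not the real Kerberos 4 wire format):
 *   byte 0      protocol version, must be 4
 *   byte 1      message type
 *   byte 2      length N of the principal name
 *   bytes 3..   N bytes of principal name
 * Returns 0 when the request parses, -1 with a reason string otherwise. */
static int parse_request(const unsigned char *pkt, size_t len, const char **reason)
{
    if (len < 3) { *reason = "short packet"; return -1; }
    if (pkt[0] != 4) { *reason = "bad protocol version"; return -1; }
    if ((size_t)pkt[2] + 3 > len) { *reason = "principal length exceeds packet"; return -1; }
    *reason = NULL;
    return 0;
}

/* Leaky pattern: the wire-facing error text is assembled from live server
 * state, so every malformed request echoes the realm and last user back. */
int build_error_reply_leaky(char *out, size_t outlen, const char *reason)
{
    return snprintf(out, outlen, "kerberos error: %s (realm %s, last user %s)",
                    reason, g_realm, g_last_user);
}

/* Hardened pattern: the reply carries a fixed message; the details an
 * operator needs go to the server log, never onto the wire. */
int build_error_reply_safe(char *out, size_t outlen, const char *reason)
{
    fprintf(stderr, "kdc: rejected request: %s (realm %s, last user %s)\n",
            reason, g_realm, g_last_user);
    return snprintf(out, outlen, "kerberos error: malformed request");
}

/* Process one datagram. On a parse failure, fill `reply` with the error the
 * server would send; `hardened` selects which builder is used.
 * Returns 1 if an error reply was produced, 0 if the request was accepted. */
int handle_request(const unsigned char *pkt, size_t len, int hardened,
                   char *reply, size_t replylen)
{
    const char *reason;
    if (parse_request(pkt, len, &reason) == 0) {
        snprintf(reply, replylen, "kerberos ok");
        return 0;
    }
    if (hardened)
        build_error_reply_safe(reply, replylen, reason);
    else
        build_error_reply_leaky(reply, replylen, reason);
    return 1;
}

/* Regression check for the error path: does a reply expose server state?
 * Returns 1 if the realm or the last user's name appears in the reply. */
int reply_leaks_state(const char *reply)
{
    return strstr(reply, g_realm) != NULL || strstr(reply, g_last_user) != NULL;
}

int main(void)
{
    /* Constructed malformed datagram: claims a 200-byte principal in 5 bytes. */
    const unsigned char bad[] = { 4, 1, 200, 'b', 'o' };
    char reply[128];

    handle_request(bad, sizeof bad, 0, reply, sizeof reply);
    printf("leaky   : %s  [leaks=%d]\n", reply, reply_leaks_state(reply));
    handle_request(bad, sizeof bad, 1, reply, sizeof reply);
    printf("hardened: %s  [leaks=%d]\n", reply, reply_leaks_state(reply));
    return 0;
}
```

Build with `cc -Wall example.c` and run it; the leaky handler prints the realm and last user in its reply, the hardened one does not. The point of `reply_leaks_state` is that the check belongs in the test suite of any service that emits error replies: feed every malformed-input path through it and fail the build if a reply ever contains a value that only the server should know.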

CVE-1999-1099 - MEDIUM Severity (5) | Free CVE Database | 4nuxd