An input validation error was discovered in the kadmind
code that handles the framing of Kerberos 4 compatibility
administration requests. The code assumed that the length
given in the framing was always two or more bytes. Smaller
lengths will cause kadmind to read an arbitrary amount of
data into a minimally-sized buffer on the heap.
A remote attacker may send a specially formatted message
to kadmind, causing it to crash or possibly resulting in
arbitrary code execution.
The kadmind daemon is part of Kerberos 5 support. However,
this bug will only be present if kadmind was built with
additional Kerberos 4 support. Thus, only systems that have
*both* Heimdal Kerberos 5 and Kerberos 4 installed might
be affected.
NOTE: On FreeBSD 4 systems, `kadmind' may be
installed as `k5admind'.