Description |
+ |
A remote, authenticated, attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions. |
+ |
For the remote attack, the memory overwrite kills the main winbindd process and an authenticated attacker can construct this situation by watching for password changes in Samba. |
+ |
One specific trigger occurs when winbindd changes its machine account password and the client has still a valid Kerberos ticket (that was encrypted with the old password). |
|