RT/krbdev.mit.edu: Ticket #7152 Null pointer deref in kadmind [CVE-2012-1013]
The Basics
Id: 7152
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component:
Version_reported:
Version_Fixed:
  • 1.10.2
Target_Version:
  • 1.10.2
Tags:
  • pullup


Relationships
Depends on:
Depended on by:
Parents:
Children:
Refers to:
Referred to by:
  • 7168: (tlyu) Null pointer deref in kadmind [CVE-2012-1013] [resolved]
  • 7178: (tlyu) Null pointer deref in kadmind [CVE-2012-1013] [resolved]

Dates
Created: Tue May 29 13:52:08 2012
Starts: Not set
Started: Tue May 29 14:12:42 2012
Last Contact: Tue May 29 19:19:01 2012
Due: Not set
Updated: Tue May 29 19:19:01 2012 by tlyu


People
Owner: ghudson
Requestors: basch@alum.mit.edu
Cc:
AdminCc:

History

Tue May 29 13:52:09 2012  basch@alum.mit.edu - Ticket 7153: Ticket created

Date: Mon, 28 May 2012 23:59:02 -0400
From: Richard Basch <basch@alum.mit.edu>
Subject: krb5-1.10.1 - SIGSEGV (kadmin.local)
To: krb5-bugs@mit.edu, krbdev@mit.edu

The following will cause a SIGSEGV:

cat <<EOF | kadmin.local
addprinc -randkey -policy local -allow_tix -allow_tgs_req test/foo
EOF

The following is the offending code which is causing the issue (and the fix
is simply not to dereference a null pointer):

diff -ru src.orig/lib/kadm5/srv/svr_principal.c
src/lib/kadm5/srv/svr_principal.c

--- src.orig/lib/kadm5/srv/svr_principal.c      2011-09-21
12:29:00.000000000 -0400

+++ src/lib/kadm5/srv/svr_principal.c   2012-05-28 23:49:10.000000000 -0400

@@ -187,7 +187,7 @@

     char *password = *passptr;



     /* Old-style randkey operations disallowed tickets to start. */

-    if (!(mask & KADM5_ATTRIBUTES) ||

+    if (!password || !(mask & KADM5_ATTRIBUTES) ||

         !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))

         return;
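Review bot: putting `!password ||` at the head of the condition is the right shape, since the short-circuit stops a null password from being dereferenced further down in check_1_6_dummy, but the comment above the test still reads as if every caller arrives with a password, so a reader could later drop the guard as redundant. Suggest extending the comment to say that randkey creates reach this function with a null password and are deliberately skipped, e.g. `/* Old-style randkey operations disallowed tickets to start; new-style randkey creates pass no password and are skipped. */`, and adding the reporter's `addprinc -randkey -policy local -allow_tix -allow_tgs_req test/foo` invocation as a regression test so the ordering of the three tests cannot silently change.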
Tue May 29 13:52:09 2012  basch@alum.mit.edu - Ticket created

Date: Tue, 29 May 2012 00:03:53 -0400
From: Richard Basch <basch@alum.mit.edu>
Subject: RE: krb5-1.10.1 - SIGSEGV (kadmin.local)
To: krb5-bugs@mit.edu
CC: richard.basch@gs.com

I suspect this bug can also be exploited remotely to crash kadmind.
Tue May 29 14:10:26 2012  tlyu - Ticket 7153: Ticket 7153 MergedInto ticket 7152.
Tue May 29 14:12:42 2012  ghudson - Given to ghudson
Tue May 29 14:12:42 2012  ghudson - Target_Version 1.10.2 added
Tue May 29 14:12:42 2012  ghudson - Status changed from new to review
Tue May 29 14:12:42 2012  ghudson - Tags pullup added
Tue May 29 14:12:42 2012  ghudson - Correspondence added

From: ghudson@mit.edu
Subject: SVN Commit

Null pointer deref in kadmind [CVE-2012-1013]

The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name").  Only clients authorized to create principals can trigger the
bug.  Fix the bug by testing for a null password in check_1_6_dummy.

CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

[ghudson@mit.edu: Minor style change and commit message]

https://github.com/krb5/krb5/commit/c5be6209311d4a8f10fda37d0d3f876c1b33b77b
Author: Richard Basch <basch@alum.mit.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: c5be6209311d4a8f10fda37d0d3f876c1b33b77b
Branch: master
 src/lib/kadm5/srv/svr_principal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
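To make the ordering described in the commit message concrete, here is an added C model of check_1_6_dummy (not krb5's own code): the pre-fix and post-fix conditions side by side, run on a request shaped like the reporter's `addprinc -randkey -allow_tix` (no password, KRB5_KDB_DISALLOW_ALL_TIX set). The bit values, the principal_ent struct and the dummy-password string are constructed stand-ins, and the pre-fix version returns NULL_DEREF where the real code would dereference the null password.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the krb5 mask/attribute bits named in the hunk. */
#define KADM5_ATTRIBUTES          0x08L
#define KRB5_KDB_DISALLOW_ALL_TIX 0x40L
/* Stand-in for the 1.6 dummy password the real check looks for (assumed). */
#define DUMMY_1_6_PASSWORD "dummy-1.6-password"
struct principal_ent { long attributes; };

/* NULL_DEREF marks the point where the pre-fix code would read a NULL password. */
enum outcome { SKIPPED, NULL_DEREF, DUMMY_CLEARED, KEPT };

/* Tail shared by both versions: only safe with a non-NULL password. */
static enum outcome strip_dummy(char **passptr)
{
    if (strcmp(*passptr, DUMMY_1_6_PASSWORD) != 0)
        return KEPT;
    *passptr = NULL;  /* caller then falls back to a random key */
    return DUMMY_CLEARED;
}

/* Pre-fix ordering: attributes are tested first, so a NULL password reaches the scan. */
static enum outcome before_fix(const struct principal_ent *e, long mask, char **passptr)
{
    char *password = *passptr;
    if (!(mask & KADM5_ATTRIBUTES) || !(e->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
        return SKIPPED;
    if (password == NULL)
        return NULL_DEREF;  /* modelled: the real code has no guard and crashes here */
    return strip_dummy(passptr);
}

/* Post-fix ordering from the hunk: "!password ||" short-circuits before any read. */
static enum outcome after_fix(const struct principal_ent *e, long mask, char **passptr)
{
    char *password = *passptr;
    if (!password || !(mask & KADM5_ATTRIBUTES) || !(e->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
        return SKIPPED;
    return strip_dummy(passptr);
}

int main(void)
{   /* Request shaped like "addprinc -randkey -allow_tix test/foo": no password. */
    struct principal_ent ent = { KRB5_KDB_DISALLOW_ALL_TIX };
    char *pw = NULL;
    printf("before fix: %d  after fix: %d\n", before_fix(&ent, KADM5_ATTRIBUTES, &pw),
           after_fix(&ent, KADM5_ATTRIBUTES, &pw));
    return 0;
}
```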
Tue May 29 16:15:48 2012  tlyu - Subject changed from RE: krb5-1.10.1 - SIGSEGV (kadmin.local) to Null pointer deref in kadmind [CVE-2012-1013]
Tue May 29 19:19:01 2012  tlyu - Status changed from review to resolved
Tue May 29 19:19:01 2012  tlyu - Version_Fixed 1.10.2 added
Tue May 29 19:19:01 2012  tlyu - Correspondence added

From: tlyu@mit.edu
Subject: SVN Commit


Null pointer deref in kadmind [CVE-2012-1013]

The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name").  Only clients authorized to create principals can trigger the
bug.  Fix the bug by testing for a null password in check_1_6_dummy.

CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

[ghudson@mit.edu: Minor style change and commit message]

(cherry picked from commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b)

https://github.com/krb5/krb5/commit/ca2909440015d33be42e77d1955194963d8c0955
Author: Richard Basch <basch@alum.mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: ca2909440015d33be42e77d1955194963d8c0955
Branch: krb5-1.10
 src/lib/kadm5/srv/svr_principal.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)