RT/krbdev.mit.edu: Ticket #7980 LDAP key data segmentation buffer overflow [CVE-2014-4345]
 The Basics  
Id
7980
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Version_reported
Version_Fixed
  • 1.12.2
Target_Version
  • 1.12.2
Tags
  • pullup
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Thu Aug 7 18:20:44 2014
Starts: Not set
Started: Thu Aug 7 18:20:44 2014
Last Contact: Thu Aug 7 18:39:54 2014
Due: Not set
Updated: Thu Aug 7 18:39:54 2014 by tlyu
 

 People  
Owner
 ghudson
Requestors
 ghudson@mit.edu
Cc
 
AdminCc
 
 


History
      Thu Aug  7 18:20:44 2014  ghudson - Ticket created    
     
From: ghudson@mit.edu
Subject: git commit


Fix LDAP key data segmentation [CVE-2014-4345]

For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno.  As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values.  Fix the loop to use
the correct kvno value.

CVE-2014-4345:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations.  An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present.  After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array.  The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.

Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated.  Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.

    CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: clarified commit message]
[kaduk@mit.edu: CVE summary, CVSSv2 vector]

https://github.com/krb5/krb5/commit/81c332e29f10887c6b9deb065f81ba259f4c7e03
Author: Tomas Kuthan <tkuthan@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 81c332e29f10887c6b9deb065f81ba259f4c7e03
Branch: master
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


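The commit message and CVE summary above describe the fencepost error in words; the following is an added example, not krb5's own code from ldap_principal2.c, that models the per-kvno grouping loop so the effect can be seen on a concrete key list. The struct and function names (model_key, model_group, pack_groups, overruns) are made up for the illustration, the key list is constructed (three kvnos with two enctypes each, as two cpw -keepold runs would leave), and the model counts writes that would land past the versions + 1 slot array instead of performing them. Running with fixed = 0 reproduces the bug (currkvno set to the kvno just processed); fixed = 1 applies the described correction (use the next key's kvno).

```c
#include <stdio.h>

/* Added example, not krb5 code: a model of the per-kvno grouping loop the
 * ticket describes, reduced to the fields that loop looks at. Names here are
 * made up for the illustration. */
typedef struct {
    int kvno;     /* key version number */
    int enctype;  /* encryption type; several keys may share one kvno */
} model_key;

/* One would-be krbPrincipalKey attribute value: a run of keys with one kvno. */
typedef struct {
    int kvno;
    int first;    /* index of the group's first key */
    int count;    /* number of keys in the group */
} model_group;

/* Constructed input: three kvnos (two cpw -keepold runs), two enctypes each,
 * already sorted by kvno as the grouping loop expects. */
static const model_key sample_keys[] = {
    { 1, 18 }, { 1, 17 },   /* kvno 1: aes256-cts (18), aes128-cts (17) */
    { 2, 18 }, { 2, 17 },
    { 3, 18 }, { 3, 17 },
};
#define SAMPLE_N ((int)(sizeof(sample_keys) / sizeof(sample_keys[0])))

/* Number of distinct kvnos; this is what sizes the NULL-terminated output
 * array, so the array has versions + 1 slots. */
static int count_versions(const model_key *keys, int n)
{
    int versions = 0;
    for (int i = 0; i < n; i++)
        if (i == 0 || keys[i].kvno != keys[i - 1].kvno)
            versions++;
    return versions;
}

/* Close a group every time the next key's kvno differs from currkvno.
 * fixed == 0 reproduces the fencepost error: currkvno is reset to the kvno
 * just processed, so the following group is closed again after its first
 * key. Groups beyond max_groups are counted but not stored, so this model
 * never writes out of bounds itself. Returns how many groups the loop made. */
static int pack_groups(const model_key *keys, int n, int fixed,
                       model_group *out, int max_groups)
{
    int last = 0, j = 0;
    int currkvno = n > 0 ? keys[0].kvno : 0;

    for (int i = 0; i < n; i++) {
        if (i == n - 1 || keys[i + 1].kvno != currkvno) {
            if (j < max_groups) {
                out[j].kvno = keys[i].kvno;
                out[j].first = last;
                out[j].count = i - last + 1;
            }
            j++;
            last = i + 1;
            if (fixed) {
                if (i < n - 1)
                    currkvno = keys[i + 1].kvno;  /* next group's kvno */
            } else {
                currkvno = keys[i].kvno;          /* bug: kvno just finished */
            }
        }
    }
    return j;
}

/* 1 if the loop needs more than versions + 1 slots, i.e. a data write or the
 * terminator written after the loop would land past the allocated array. */
static int overruns(const model_key *keys, int n, int fixed)
{
    model_group scratch[64];
    int groups = pack_groups(keys, n, fixed, scratch, 64);
    return groups > count_versions(keys, n);
}

/* Group count the loop produces for the constructed sample. */
static int sample_groups(int fixed)
{
    model_group scratch[64];
    return pack_groups(sample_keys, SAMPLE_N, fixed, scratch, 64);
}

int main(void)
{
    model_group groups[64];
    for (int fixed = 0; fixed <= 1; fixed++) {
        int g = pack_groups(sample_keys, SAMPLE_N, fixed, groups, 64);
        printf("%s loop: %d attribute values for %d kvnos, overrun=%d\n",
               fixed ? "fixed" : "buggy", g,
               count_versions(sample_keys, SAMPLE_N),
               overruns(sample_keys, SAMPLE_N, fixed));
        for (int k = 0; k < g; k++)
            printf("  value %d: kvno %d, %d key(s) starting at index %d\n",
                   k, groups[k].kvno, groups[k].count, groups[k].first);
    }
    return 0;
}
```

With the sample list the buggy loop produces five attribute values for three kvnos (the first group intact, each later group split into a one-key value and a remainder), so the terminator lands two slots past the four-slot array; the fixed loop produces three. A list whose kvnos each hold a single key produces no extra values either way, which matches the ticket's statement that only groups of multiple keys per kvno trigger the extra writes.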
      Thu Aug  7 18:20:44 2014  ghudson - Requestor ghudson@mit.edu added    
      Thu Aug  7 18:20:44 2014  ghudson - Status changed from new to review    
      Thu Aug  7 18:20:44 2014  ghudson - Tags pullup added    
      Thu Aug  7 18:20:44 2014  ghudson - Target_Version 1.12.2 added    
      Thu Aug  7 18:20:45 2014  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: git commit


Add regression test for LDAP key fencepost bug

https://github.com/krb5/krb5/commit/0d78da225612e13d0b1cf515987305535d2f9dce
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0d78da225612e13d0b1cf515987305535d2f9dce
Branch: master
 src/tests/t_kdb.py |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)


      Thu Aug  7 18:21:20 2014  ghudson - Subject changed from Fix LDAP key data segmentation [CVE-2014-4345] to LDAP key data segmentation buffer overflow [CVE-2014-4345]    
      Thu Aug  7 18:39:53 2014  tlyu - Status changed from review to resolved    
      Thu Aug  7 18:39:53 2014  tlyu - Version_Fixed 1.12.2 added    
      Thu Aug  7 18:39:53 2014  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Fix LDAP key data segmentation [CVE-2014-4345]

For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno.  As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values.  Fix the loop to use
the correct kvno value.

CVE-2014-4345:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations.  An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present.  After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array.  The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.

Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated.  Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.

    CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

[ghudson@mit.edu: clarified commit message]
[kaduk@mit.edu: CVE summary, CVSSv2 vector]

(cherry picked from commit 81c332e29f10887c6b9deb065f81ba259f4c7e03)

https://github.com/krb5/krb5/commit/dc7ed55c689d57de7f7408b34631bf06fec9dab1
Author: Tomas Kuthan <tkuthan@gmail.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: dc7ed55c689d57de7f7408b34631bf06fec9dab1
Branch: krb5-1.12
 src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


      Thu Aug  7 18:39:54 2014  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Add regression test for LDAP key fencepost bug

(cherry picked from commit 0d78da225612e13d0b1cf515987305535d2f9dce)

https://github.com/krb5/krb5/commit/78a7f2a02b82bf297817cd717f092ead40b575b2
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 78a7f2a02b82bf297817cd717f092ead40b575b2
Branch: krb5-1.12
 src/tests/t_kdb.py |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

