I suspect this bug can also be exploited remotely to crash kadmind.

 

From: Richard Basch [mailto:basch@alum.mit.edu]
Sent: Monday, May 28, 2012 11:59 PM
To: 'krb5-bugs@mit.edu'; 'krbdev@mit.edu'
Subject: krb5-1.10.1 - SIGSEGV (kadmin.local)

 

The following will cause a SIGSEGV:

 

cat <<EOF | kadmin.local

addprinc -randkey -policy local -allow_tix -allow_tgs_req test/foo

EOF

 

The following is the offending code which is causing the issue (and the fix is simply not to dereference a null pointer):

 

diff -ru src.orig/lib/kadm5/srv/svr_principal.c src/lib/kadm5/srv/svr_principal.c

--- src.orig/lib/kadm5/srv/svr_principal.c      2011-09-21 12:29:00.000000000 -0400

+++ src/lib/kadm5/srv/svr_principal.c   2012-05-28 23:49:10.000000000 -0400

@@ -187,7 +187,7 @@

     char *password = *passptr;

 

     /* Old-style randkey operations disallowed tickets to start. */

-    if (!(mask & KADM5_ATTRIBUTES) ||

+    if (!password || !(mask & KADM5_ATTRIBUTES) ||

         !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))

         return;