From krb5-bugs-incoming-bounces@mit.edu Thu Apr 29 18:29:58 2004
Date: Thu, 29 Apr 2004 12:33:18 -0700 (PDT)
From: Booker Bense
To: krb5-bugs@mit.edu
Subject: Bug in AFS string_to_key

- My apologies if you've seen this already. I didn't see it in the
krb5-bugs archive and I sent it via krb5-send-pr two days ago.

>Submitter-Id: net
>Originator: Booker Bense
>Organization: Stanford Linear Accelerator
>Confidential: no
>Synopsis: AFS string_to_key broken for passwords > 8 chars
>Severity: serious
>Priority: medium
>Category: krb5 libraries
>Class: sw-bug
>Release: krb5-1.3.3
>Environment: Mac OSX,
System: Linux telemark 2.4.21-9.0.1.EL #1 Mon Feb 9 22:44:14 EST 2004 i686 i686 i386 GNU/Linux
Architecture: i686
>Description:
The function mit_des_string_to_key_int contains this workaround for use
with converted AFS keys in a Heimdal KDC.
    if (salt->length == SALT_TYPE_AFS_LENGTH || salt->length == (unsigned) -1) {
        krb5_data salt2;
        char *c;

        c = strchr(salt->data, '@');
        if (c != NULL)
            *c = '\0';  /* workaround from krb5-clients/1146 */
        salt2.data = salt->data;
        salt2.length = strlen (salt2.data);
        /* cheat and do AFS string2key instead */
        return mit_afs_string_to_key (keyblock, data, &salt2);
    }

However, this code incorrectly computes the length of salt2 if the '@' is
missing from the original salt data. In fact, since the salt buffer is not
guaranteed to be NUL-terminated, there is no guarantee that strlen is going
to return anything but garbage. There is the potential for a buffer overflow
in this code, or at least random memory corruption. Unfortunately, due to
the extremely brain-damaged solution of using a length field as a data type
flag, there is no quick and simple solution to this problem.

>How-To-Repeat:
Use a password of longer than 8 chars with an AFS string_to_key algorithm.

>Fix:
Obviously, if there are other key salt types available this problem goes
away. Changing your password after conversion is one workaround. As far as
fixing the actual code itself, this would require significant reworking of
the libraries. At a minimum you should add some sanity checks before calling
strlen, and it would also be a good idea to check the result of strchr.
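As an added illustration of the sanity checks the report asks for (this is not code from MIT krb5 and not part of the message above), the strchr()/strlen() pair is replaced by a scan bounded by a buffer size the caller actually knows, so an AFS-flagged salt with neither '@' nor a NUL in range is rejected instead of read past its end. The salt_data struct, the afs_cell_len and afs_salt_view names and the sample buffers are constructed for this example; only the (unsigned)-1 flag quoted in the report is recognised.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for krb5_data.  In the code under discussion the
 * length field doubles as a type flag, so it cannot serve as the buffer size. */
typedef struct {
    unsigned int length;
    char *data;
} salt_data;

/* Bounded replacement for strchr()/strlen(): scan at most `cap` bytes (the
 * real allocation size, supplied by the caller), stop at '@' or NUL, and
 * refuse the salt if neither appears in range.  Returns the cell-name length
 * or -1.  The buffer is never written, so the caller's salt stays intact
 * (the original overwrote the '@' with a NUL). */
long afs_cell_len(const char *data, size_t cap)
{
    if (data == NULL)
        return -1;
    for (size_t i = 0; i < cap; i++) {
        if (data[i] == '@' || data[i] == '\0')
            return (long)i;
    }
    return -1;  /* unterminated: strlen() would read past the buffer here */
}

/* Build the salt2 view from the report only after the bounded check passes. */
int afs_salt_view(const salt_data *salt, size_t cap, salt_data *out)
{
    long n;
    if (salt == NULL || out == NULL || salt->length != (unsigned)-1)
        return -1;                       /* not an AFS-flagged salt */
    n = afs_cell_len(salt->data, cap);
    if (n < 0)
        return -1;
    out->data = salt->data;
    out->length = (unsigned)n;
    return 0;
}

int main(void)
{
    char good[] = "example.org@EXAMPLE.ORG";            /* constructed: '@' present */
    char bad[8] = { 'a','b','c','d','e','f','g','h' };   /* constructed: no '@', no NUL */
    salt_data s1 = { (unsigned)-1, good }, s2 = { (unsigned)-1, bad }, v;
    int r1 = afs_salt_view(&s1, sizeof good, &v);
    printf("good: rc=%d cell length=%u\n", r1, r1 == 0 ? v.length : 0u);
    printf("bad:  rc=%d (rejected instead of over-read)\n", afs_salt_view(&s2, sizeof bad, &v));
    return 0;
}
```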