Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
X-RT-Original-Encoding: iso-8859-1
Content-Length: 3391

From krb5-bugs-incoming-bounces@mit.edu Thu Apr 29 18:29:20 2004
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP id SAA05074; Thu, 29 Apr 2004 18:29:19 -0400 (EDT)
Received: from pch.mit.edu (localhost [127.0.0.1]) by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i3TMTJos012983 for ; Thu, 29 Apr 2004 18:29:19 -0400 (EDT)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i3RMbjos014847 for ; Tue, 27 Apr 2004 18:37:45 -0400 (EDT)
Received: from mailgate02.slac.stanford.edu (mailgate02.slac.stanford.edu [134.79.18.92]) i3RMbiZW012897 for ; Tue, 27 Apr 2004 18:37:44 -0400 (EDT)
Received: from telemark.slac.stanford.edu (telemark.slac.stanford.edu [134.79.24.241]) i3RMbhgR023819 for ; Tue, 27 Apr 2004 15:37:43 -0700 (PDT) (envelope-from bbense@slac.stanford.edu)
Received: (from bbense@localhost) i3RMbhD8031760; Tue, 27 Apr 2004 15:37:43 -0700
Date: Tue, 27 Apr 2004 15:37:43 -0700
From: Booker Bense
Message-Id: <200404272237.i3RMbhD8031760@telemark.slac.stanford.edu>
To: krb5-bugs@mit.edu
X-send-pr-version: 3.99
X-Mailman-Approved-At: Thu, 29 Apr 2004 17:36:14 -0400
X-BeenThere: krb5-bugs-incoming@mit.edu
X-Mailman-Version: 2.1
Precedence: list
Reply-To: bbense@slac.stanford.edu
Sender: krb5-bugs-incoming-bounces@mit.edu
Errors-To: krb5-bugs-incoming-bounces@mit.edu

>Submitter-Id: net
>Originator: Booker Bense
>Organization: Stanford Linear Accelerator
>Confidential: no
>Synopsis: AFS string_to_key broken for passwords > 8 chars
>Severity: serious
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: krb5-1.3.3
>Environment: Mac OSX,
System: Linux telemark 2.4.21-9.0.1.EL #1 Mon Feb 9 22:44:14 EST 2004 i686 i686 i386 GNU/Linux
Architecture:
i686

>Description:
The function mit_des_string_to_key_int contains this workaround for use with converted AFS keys in a Heimdal KDC.

    if (salt->length == SALT_TYPE_AFS_LENGTH
        || salt->length == (unsigned) -1) {
        krb5_data salt2;
        char *c;

        c = strchr(salt->data, '@');
        if (c != NULL)
            *c = '\0';          /* workaround from krb5-clients/1146 */
        salt2.data = salt->data;
        salt2.length = strlen (salt2.data);
        /* cheat and do AFS string2key instead */
        return mit_afs_string_to_key (keyblock, data, &salt2);
    }

However, this code incorrectly computes the length of salt2 if the '@' is missing from the original salt data. In fact there is no guarantee that strlen is going to return anything but garbage. There is the potential for a buffer overflow in this code. Unfortunately, due to the extremely brain-damaged solution of using a length field as a data type flag, there is no quick and simple solution to this problem.

>How-To-Repeat:
Use a password of longer than 8 chars with an AFS string_to_key algorithm.

>Fix:
Obviously, if there are other key salt types available this problem goes away. Changing your password after conversion is one workaround. As far as fixing the actual code itself, this would require significant reworking of the libraries. At a minimum you should add some sanity checks before calling strlen; it also would be a good idea to check the result of strchr as well.
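The following is an added example, not code from the bug report or from the krb5 library, showing the shape of the sanity checks the report asks for: the '@' search and the fallback length computation are both bounded by the real size of the buffer, and nothing is written into the input. The struct salt_buf type and the function names are hypothetical stand-ins for the pointer-plus-length pair the report calls krb5_data. The buf_cap parameter is an assumption: it is the one piece of information the real code does not have when salt->length is being used as a type flag, which is exactly why the reporter says there is no quick fix inside the existing interface.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the pointer + length pair (krb5_data) in the report. */
struct salt_buf {
    const char *data;
    size_t length;          /* in the report this field doubles as a type flag */
};

enum salt_status {
    SALT_OK = 0,
    SALT_ERR_NULL,          /* no salt, no data pointer, or no output slot */
    SALT_ERR_UNTERMINATED   /* neither '@' nor NUL found within buf_cap bytes */
};

/*
 * Derive the salt the report's snippet intends (everything before the first
 * '@'), but bounded by buf_cap, the real allocated size of salt->data, instead
 * of trusting strchr()/strlen() to find a terminator. The input is never
 * modified. On success returns SALT_OK and fills *out.
 */
enum salt_status afs_salt_bounded(const struct salt_buf *salt, size_t buf_cap,
                                  struct salt_buf *out)
{
    const char *at, *nul;

    if (salt == NULL || salt->data == NULL || out == NULL)
        return SALT_ERR_NULL;

    /* Bounded search: reads at most buf_cap bytes, unlike strchr(). */
    at = memchr(salt->data, '@', buf_cap);
    if (at != NULL) {
        out->data = salt->data;
        out->length = (size_t)(at - salt->data);
        return SALT_OK;
    }

    /* No '@': the snippet would now call strlen(). Only accept that path
       when a NUL terminator is provably inside the buffer. */
    nul = memchr(salt->data, '\0', buf_cap);
    if (nul == NULL)
        return SALT_ERR_UNTERMINATED;

    out->data = salt->data;
    out->length = (size_t)(nul - salt->data);
    return SALT_OK;
}

/* Convenience wrapper: derived salt length on success, -status on error. */
long afs_salt_len(const char *buf, size_t buf_cap, size_t claimed_len)
{
    struct salt_buf in, out;
    enum salt_status st;

    in.data = buf;
    in.length = claimed_len;
    st = afs_salt_bounded(&in, buf_cap, &out);
    return st == SALT_OK ? (long)out.length : -(long)st;
}

int main(void)
{
    /* Constructed inputs. */
    const char with_at[] = "user@EXAMPLE.ORG";
    char no_nul[8] = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };   /* no '@', no NUL */
    long n;

    n = afs_salt_len(with_at, sizeof with_at, sizeof with_at - 1);
    printf("with '@': salt length %ld\n", n);

    /* Length used as a type flag, as in the report's (unsigned) -1 case. */
    n = afs_salt_len(no_nul, sizeof no_nul, (size_t)-1);
    printf("unterminated buffer: status %ld (rejected instead of calling strlen)\n", n);
    return 0;
}
```

Because the bound comes from the caller rather than from the length field, this only helps where the caller actually knows the allocation size; the unbounded strchr() and strlen() in the original snippet read until they find a byte that may never be there.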