From krb5-bugs-incoming-bounces@mit.edu Thu Apr 29 18:29:20 2004
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id SAA05074; Thu, 29 Apr 2004 18:29:19 -0400 (EDT)
Received: from pch.mit.edu (localhost [127.0.0.1])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i3TMTJos012983
for <krb5-send-pr@krbdev.mit.edu>; Thu, 29 Apr 2004 18:29:19 -0400 (EDT)
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id i3RMbjos014847
for <krb5-bugs-incoming@PCH.mit.edu>;
Tue, 27 Apr 2004 18:37:45 -0400 (EDT)
Received: from mailgate02.slac.stanford.edu (mailgate02.slac.stanford.edu
[134.79.18.92])i3RMbiZW012897
for <krb5-bugs@mit.edu>; Tue, 27 Apr 2004 18:37:44 -0400 (EDT)
Received: from telemark.slac.stanford.edu (telemark.slac.stanford.edu
[134.79.24.241])i3RMbhgR023819
for <krb5-bugs@mit.edu>; Tue, 27 Apr 2004 15:37:43 -0700 (PDT)
(envelope-from bbense@slac.stanford.edu)
Received: (from bbense@localhost)i3RMbhD8031760;
Tue, 27 Apr 2004 15:37:43 -0700
Date: Tue, 27 Apr 2004 15:37:43 -0700
From: Booker Bense <bbense@slac.stanford.edu>
Message-Id: <200404272237.i3RMbhD8031760@telemark.slac.stanford.edu>
To: krb5-bugs@mit.edu
X-send-pr-version: 3.99
X-Mailman-Approved-At: Thu, 29 Apr 2004 17:36:14 -0400
X-BeenThere: krb5-bugs-incoming@mit.edu
X-Mailman-Version: 2.1
Precedence: list
Reply-To: bbense@slac.stanford.edu
Sender: krb5-bugs-incoming-bounces@mit.edu
Errors-To: krb5-bugs-incoming-bounces@mit.edu
>Submitter-Id: net
>Originator: Booker Bense
>Organization: Stanford Linear Accelerator
>Confidential: no
>Synopsis: AFS string_to_key broken for passwords > 8 chars
>Severity: serious
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: krb5-1.3.3
>Environment: Mac OSX,
System: Linux telemark 2.4.21-9.0.1.EL #1 Mon Feb 9 22:44:14 EST 2004 i686 i686 i386 GNU/Linux
Architecture: i686
>Description:
The function mit_des_string_to_key_int contains this workaround
for use with converted AFS keys in a Heimdal KDC:
    if (salt->length == SALT_TYPE_AFS_LENGTH || salt->length == (unsigned) -1) {
        krb5_data salt2;
        char *c;
        c = strchr(salt->data, '@');
        if (c != NULL) *c = '\0'; /* workaround from krb5-clients/1146 */
        salt2.data = salt->data;
        salt2.length = strlen (salt2.data);
        /* cheat and do AFS string2key instead */
        return mit_afs_string_to_key (keyblock, data, &salt2);
    }
However, this code incorrectly computes the length of salt2 if
the '@' is missing from the original salt data. In fact there is no
guarantee that strlen is going to return anything but garbage. There
is the potential for a buffer overflow in this code.
Unfortunately, due to the extremely brain-damaged solution of using a
length field as a data type flag, there is no quick and simple solution
to this problem.
>How-To-Repeat:
Use a password longer than 8 chars with an AFS string_to_key
algorithm.
>Fix:
Obviously, if there are other key salt types available this
problem goes away. Changing your password after conversion is one
workaround. As far as fixing the actual code itself, this would require
significant reworking of the libraries. At a minimum you should
add some sanity checks before calling strlen; it would also be a
good idea to check the result of strchr as well.
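As an added example (not krb5 code and not from the reporter), one way to apply the sanity checks the Fix section asks for: a hypothetical afs_cell_salt() replaces the strchr/strlen sequence with bounded scans and a copy, on the assumption that the caller can supply the salt buffer's real capacity as cap, since the length field only carries the type sentinel.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical hardened form of the workaround quoted in the report (added
 * example, not krb5 code). The krb5_data length field holds the
 * SALT_TYPE_AFS_LENGTH sentinel, so the caller must pass the real capacity. */
enum { AFS_SALT_OK = 0, AFS_SALT_UNTERMINATED = 1, AFS_SALT_TOO_LONG = 2 };

/* Copy the cell-name part of an AFS salt ("cell@REALM" or plain "cell") to
 * out, reading at most cap bytes of src and never writing into src (the
 * original patches a NUL over the '@' in the caller's buffer). On success
 * *out_len is the length the original derived with strlen(). */
int afs_cell_salt(const char *src, size_t cap,
                  char *out, size_t out_cap, size_t *out_len)
{
    const char *nul, *at;
    size_t n;
    /* Sanity check before any strlen-style scan: a bounded search for the
     * terminator. strlen() on an unterminated buffer is undefined behaviour;
     * memchr() stops at cap. */
    nul = memchr(src, '\0', cap);
    if (nul == NULL)
        return AFS_SALT_UNTERMINATED;
    n = (size_t)(nul - src);

    /* Bounded search for '@' within the known length; a missing '@' simply
     * means the whole string is the cell name. */
    at = memchr(src, '@', n);
    if (at != NULL)
        n = (size_t)(at - src);

    if (n + 1 > out_cap)
        return AFS_SALT_TOO_LONG;
    memcpy(out, src, n);
    out[n] = '\0';
    *out_len = n;
    return AFS_SALT_OK;
}

/* Convenience wrapper: the cell-name length, or -1 when no NUL lies within
 * cap bytes (the unterminated case the report warns about). */
long afs_cell_salt_len(const char *src, size_t cap)
{
    char buf[64];
    size_t n;
    if (afs_cell_salt(src, cap, buf, sizeof buf, &n) != AFS_SALT_OK)
        return -1;
    return (long)n;
}
```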