From: Sam Hartman <hartmans@debian.org>
To: krb5-bugs@mit.edu
Subject: [Felipe Ortega] Bug#621726: krb5-admin-server: kadmind dies after nmap -sV
Date: Fri, 08 Apr 2011 08:36:22 -0400
Who needs a complicated DOS?
Confirmed against 1.9 with the current round of CVEs patched.
Subject: Bug#621726: krb5-admin-server: kadmind dies after nmap -sV
Reply-To: Felipe Ortega <ortegaga@gmail.com>, 621726@bugs.debian.org
Resent-From: Felipe Ortega <ortegaga@gmail.com>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: ortegaga@gmail.com, Sam Hartman <hartmans@debian.org>
X-Debian-PR-Message: report 621726
X-Debian-PR-Package: krb5-admin-server
X-Debian-PR-Keywords:
X-Debian-PR-Source: krb5
From: Felipe Ortega <ortegaga@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Message-ID: <20110408092715.11035.63934.reportbug@krb01.red.isotrol.com>
X-Mailer: reportbug 4.12.6
Date: Fri, 08 Apr 2011 11:27:15 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===-=-="

--===-=-=
Content-Disposition: inline

Package: krb5-admin-server
Version: 1.8.3+dfsg-4
Severity: important


After executing a command like this:

# nmap -n -sV krb01

where krb01 is the main Kerberos server (krb5kdc and kadmind running), kadmind dies silently.

I suppose nmap sends some string when trying to guess the version of the program running, and
kadmind can't parse it.

Someone could use such a tool, or inject the malformed string directly, causing a DoS.

Attached is an strace output of the kadmind process while running nmap against the server.

-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages krb5-admin-server depends on:
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii krb5-kdc 1.8.3+dfsg-4 MIT Kerberos key server (KDC)
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-2 common error description library
ii libgssapi-krb5-2 1.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii libgssrpc4 1.8.3+dfsg-4 MIT Kerberos runtime libraries - G
ii libk5crypto3 1.8.3+dfsg-4 MIT Kerberos runtime libraries - C
ii libkadm5srv-mit7 1.8.3+dfsg-4 MIT Kerberos runtime libraries - K
ii libkdb5-4 1.8.3+dfsg-4 MIT Kerberos runtime libraries - K
ii libkeyutils1 1.4-1 Linux Key Management Utilities (li
ii libkrb5-3 1.8.3+dfsg-4 MIT Kerberos runtime libraries
ii libkrb5support0 1.8.3+dfsg-4 MIT Kerberos runtime libraries - S
ii libss2 1.41.12-2 command-line interface parsing lib
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip

krb5-admin-server recommends no packages.

krb5-admin-server suggests no packages.

-- debconf information:
krb5-admin-server/kadmind: true
* krb5-admin-server/newrealm:

--===-=-=
Content-Disposition: attachment; filename=nmap_kadmind_strace.txt

Process 10839 attached - interrupt to quit
select(9, [6 7 8], [], [], NULL) = 2 (in [7 8])
accept(7, {sa_family=AF_INET, sin_port=htons(60400), sin_addr=inet_addr("172.31.1.1")}, [16]) = 11
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
ioctl(11, FIONBIO, [1]) = 0
setsockopt(11, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(11, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8f5b78c000
accept(8, {sa_family=AF_INET, sin_port=htons(53524), sin_addr=inet_addr("172.31.1.1")}, [16]) = 12
fcntl(12, F_SETFD, FD_CLOEXEC) = 0
getsockname(12, {sa_family=AF_INET, sin_port=htons(749), sin_addr=inet_addr("172.31.1.2")}, [16]) = 0
fcntl(12, F_SETFD, FD_CLOEXEC) = 0
getpeername(12, {sa_family=AF_INET, sin_port=htons(53524), sin_addr=inet_addr("172.31.1.1")}, [16]) = 0
select(13, [6 7 8 11 12], [], [], NULL) = 2 (in [11 12])
read(11, "\r\n\r\n", 4) = 4
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
sendto(3, "<35>Apr 8 10:59:55 kadmind[1083"..., 101, MSG_NOSIGNAL, NULL, 0) = 101
select(13, [12], NULL, NULL, {35, 0}) = 1 (in [12], left {34, 999998})
read(12, "\r\n\r\n", 4000) = 4
select(13, [12], NULL, NULL, {35, 0}) = 1 (in [12], left {29, 995774})
read(12, "", 4000) = 0
close(12) = 0
select(12, [6 7 8], [11], [], NULL) = 3 (in [7 8], out [11])
accept(7, {sa_family=AF_INET, sin_port=htons(35026), sin_addr=inet_addr("172.31.1.1")}, [16]) = 12
fcntl(12, F_SETFD, FD_CLOEXEC) = 0
ioctl(12, FIONBIO, [1]) = 0
setsockopt(12, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(12, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8f5964d000
accept(8, {sa_family=AF_INET, sin_port=htons(34206), sin_addr=inet_addr("172.31.1.1")}, [16]) = 13
fcntl(13, F_SETFD, FD_CLOEXEC) = 0
getsockname(13, {sa_family=AF_INET, sin_port=htons(749), sin_addr=inet_addr("172.31.1.2")}, [16]) = 0
fcntl(13, F_SETFD, FD_CLOEXEC) = 0
getpeername(13, {sa_family=AF_INET, sin_port=htons(34206), sin_addr=inet_addr("172.31.1.1")}, [16]) = 0
writev(11, [{"\0\0\0_", 4}, {"~]0[\240\3\2\1\5\241\3\2\1\36\244\21\30\01720110408085955"..., 95}], 2) = 99
munmap(0x7f8f5b78c000, 1052672) = 0
close(11) = 0
select(14, [6 7 8 12 13], [], [], NULL) = 2 (in [12 13])
select(14, [13], NULL, NULL, {35, 0}) = 1 (in [13], left {34, 999998})
read(13, "GET / HTTP/1.0\r\n\r\n", 4000) = 18
select(14, [13], NULL, NULL, {35, 0}) = 1 (in [13], left {29, 998283})
read(13, "", 3998) = 0
read(12, "GET ", 4) = 4
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
sendto(3, "<35>Apr 8 11:00:05 kadmind[1083"..., 102, MSG_NOSIGNAL, NULL, 0) = 102
select(14, [6 7 8 13], [12], [], NULL) = 4 (in [7 8 13], out [12])
accept(7, {sa_family=AF_INET, sin_port=htons(35029), sin_addr=inet_addr("172.31.1.1")}, [16]) = 11
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
ioctl(11, FIONBIO, [1]) = 0
setsockopt(11, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(11, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
brk(0x2419000) = 0x2419000
accept(8, {sa_family=AF_INET, sin_port=htons(34209), sin_addr=inet_addr("172.31.1.1")}, [16]) = 14
fcntl(14, F_SETFD, FD_CLOEXEC) = 0
getsockname(14, {sa_family=AF_INET, sin_port=htons(749), sin_addr=inet_addr("172.31.1.2")}, [16]) = 0
fcntl(14, F_SETFD, FD_CLOEXEC) = 0
getpeername(14, {sa_family=AF_INET, sin_port=htons(34209), sin_addr=inet_addr("172.31.1.1")}, [16]) = 0
select(14, [13], NULL, NULL, {35, 0}) = 1 (in [13], left {34, 999998})
read(13, "", 3998) = 0
select(14, [13], NULL, NULL, {35, 0}) = 1 (in [13], left {34, 999999})
read(13, "", 3998) = 0
close(13) = 0
writev(12, [{"\0\0\0_", 4}, {"~]0[\240\3\2\1\5\241\3\2\1\36\244\21\30\01720110408090005"..., 95}], 2) = 99
munmap(0x7f8f5964d000, 1052672) = 0
close(12) = 0
select(15, [6 7 8 11 14], [], [], NULL) = 2 (in [11 14])
select(15, [14], NULL, NULL, {35, 0}) = 1 (in [14], left {34, 999999})
read(14, "OPTIONS / HTTP/1.0\r\n\r\n", 4000) = 22
select(15, [14], NULL, NULL, {35, 0}) = 1 (in [14], left {29, 998888})
read(14, "", 3998) = 0
read(11, "OPTI", 4) = 4
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
sendto(3, "<35>Apr 8 11:00:10 kadmind[1083"..., 102, MSG_NOSIGNAL, NULL, 0) = 102
select(15, [6 7 8 14], [11], [], NULL) = 4 (in [7 8 14], out [11])
accept(7, {sa_family=AF_INET, sin_port=htons(35031), sin_addr=inet_addr("172.31.1.1")}, [16]) = 12
fcntl(12, F_SETFD, FD_CLOEXEC) = 0
ioctl(12, FIONBIO, [1]) = 0
setsockopt(12, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(12, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
brk(0x251b000) = 0x251b000
accept(8, {sa_family=AF_INET, sin_port=htons(34211), sin_addr=inet_addr("172.31.1.1")}, [16]) = 13
fcntl(13, F_SETFD, FD_CLOEXEC) = 0
getsockname(13, {sa_family=AF_INET, sin_port=htons(749), sin_addr=inet_addr("172.31.1.2")}, [16]) = 0
fcntl(13, F_SETFD, FD_CLOEXEC) = 0
getpeername(13, {sa_family=AF_INET, sin_port=htons(34211), sin_addr=inet_addr("172.31.1.1")}, [16]) = 0
select(15, [14], NULL, NULL, {35, 0}) = 1 (in [14], left {34, 999998})
read(14, "", 3998) = 0
select(15, [14], NULL, NULL, {35, 0}) = 1 (in [14], left {34, 999999})
read(14, "", 3998) = 0
close(14) = 0
writev(11, [{"\0\0\0_", 4}, {"~]0[\240\3\2\1\5\241\3\2\1\36\244\21\30\01720110408090010"..., 95}], 2) = 99
close(11) = 0
select(14, [6 7 8 12 13], [], [], NULL) = 2 (in [12 13])
select(14, [13], NULL, NULL, {35, 0}) = 1 (in [13], left {34, 999999})
read(13, "OPTIONS / RTSP/1.0\r\n\r\n", 4000) = 22
select(14, [13], NULL, NULL, {35, 0}) = 1 (in [13], left {30, 368})
read(13, "", 3998) = 0
read(12, "OPTI", 4) = 4
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
sendto(3, "<35>Apr 8 11:00:15 kadmind[1083"..., 102, MSG_NOSIGNAL, NULL, 0) = 102
select(14, [6 7 8 13], [12], [], NULL) = 4 (in [7 8 13], out [12])
accept(7, {sa_family=AF_INET, sin_port=htons(35033), sin_addr=inet_addr("172.31.1.1")}, [16]) = 11
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
ioctl(11, FIONBIO, [1]) = 0
setsockopt(11, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(11, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
accept(8, {sa_family=AF_INET, sin_port=htons(34213), sin_addr=inet_addr("172.31.1.1")}, [16]) = 14
fcntl(14, F_SETFD, FD_CLOEXEC) = 0
getsockname(14, {sa_family=AF_INET, sin_port=htons(749), sin_addr=inet_addr("172.31.1.2")}, [16]) = 0
fcntl(14, F_SETFD, FD_CLOEXEC) = 0
getpeername(14, {sa_family=AF_INET, sin_port=htons(34213), sin_addr=inet_addr("172.31.1.1")}, [16]) = 0
select(14, [13], NULL, NULL, {35, 0}) = 1 (in [13], left {34, 999998})
read(13, "", 3998) = 0
select(14, [13], NULL, NULL, {35, 0}) = 1 (in [13], left {34, 999999})
read(13, "", 3998) = 0
close(13) = 0
writev(12, [{"\0\0\0_", 4}, {"~]0[\240\3\2\1\5\241\3\2\1\36\244\21\30\01720110408090015"..., 95}], 2) = 99
close(12) = 0
select(15, [6 7 8 11 14], [], [], NULL) = 2 (in [11 14])
select(15, [14], NULL, NULL, {35, 0}) = 1 (in [14], left {34, 999681})
read(14, "\200\0\0(r\376\35\23\0\0\0\0\0\0\0\2\0\1\206\240\0\1\227|\0\0\0\0\0\0\0\0"..., 4000) = 44
write(14, "\200\0\0\30r\376\35\23\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1", 28) = 28
read(11, "\200\0\0(", 4) = 4
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
sendto(3, "<35>Apr 8 11:00:15 kadmind[1083"..., 102, MSG_NOSIGNAL, NULL, 0) = 102
select(15, [6 7 8 14], [11], [], NULL) = 2 (in [14], out [11])
select(15, [14], NULL, NULL, {35, 0}) = 1 (in [14], left {34, 999998})
read(14, "", 4000) = 0
close(14) = 0
select(12, [6 7 8], [11], [], NULL) = 1 (out [11])
writev(11, [{"\0\0\0_", 4}, {"~]0[\240\3\2\1\5\241\3\2\1\36\244\21\30\01720110408090015"..., 95}], 2) = 99
brk(0x2315000) = 0x2315000
close(11) = 0
select(9, [6 7 8], [], [], NULL) = 1 (in [7])
accept(7, {sa_family=AF_INET, sin_port=htons(35035), sin_addr=inet_addr("172.31.1.1")}, [16]) = 11
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
ioctl(11, FIONBIO, [1]) = 0
setsockopt(11, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(11, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
brk(0x2415000) = 0x2415000
select(12, [6 7 8 11], [], [], NULL) = 1 (in [11])
read(11, "\0\36\0\6", 4) = 4
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
sendto(3, "<35>Apr 8 11:00:15 kadmind[1083"..., 99, MSG_NOSIGNAL, NULL, 0) = 99
select(12, [6 7 8], [11], [], NULL) = 1 (out [11])
writev(11, [{"\0\0\0_", 4}, {"~]0[\240\3\2\1\5\241\3\2\1\36\244\21\30\01720110408090015"..., 95}], 2) = 99
close(11) = 0
select(9, [6 7 8], [], [], NULL) = 1 (in [7])
accept(7, {sa_family=AF_INET, sin_port=htons(35036), sin_addr=inet_addr("172.31.1.1")}, [16]) = 11
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
ioctl(11, FIONBIO, [1]) = 0
setsockopt(11, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(11, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
select(12, [6 7 8 11], [], [], NULL) = 1 (in [11])
read(11, "\0\f\0\0", 4) = 4
select(12, [6 7 8 11], [], [], NULL) = 1 (in [11])
read(11, "\20\0\0\0\0\0\0\0\0\0", 786432) = 10
select(12, [6 7 8 11], [], [], NULL) = 1 (in [11])
read(11, "", 786422) = 0
close(11) = 0
select(9, [6 7 8], [], [], NULL) = 1 (in [7])
accept(7, {sa_family=AF_INET, sin_port=htons(35037), sin_addr=inet_addr("172.31.1.1")}, [16]) = 11
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
ioctl(11, FIONBIO, [1]) = 0
setsockopt(11, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(11, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
select(12, [6 7 8 11], [], [], NULL) = 1 (in [11])
read(11, "HELP", 4) = 4
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
sendto(3, "<35>Apr 8 11:00:20 kadmind[1083"..., 102, MSG_NOSIGNAL, NULL, 0) = 102
select(12, [6 7 8], [11], [], NULL) = 1 (out [11])
writev(11, [{"\0\0\0_", 4}, {"~]0[\240\3\2\1\5\241\3\2\1\36\244\21\30\01720110408090020"..., 95}], 2) = 99
close(11) = 0
select(9, [6 7 8], [], [], NULL) = 1 (in [7])
accept(7, {sa_family=AF_INET, sin_port=htons(35038), sin_addr=inet_addr("172.31.1.1")}, [16]) = 11
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
ioctl(11, FIONBIO, [1]) = 0
setsockopt(11, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(11, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
select(12, [6 7 8 11], [], [], NULL) = 1 (in [11])
read(11, "\26\3\0\0", 4) = 4
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2593, ...}) = 0
sendto(3, "<35>Apr 8 11:00:20 kadmind[1083"..., 101, MSG_NOSIGNAL, NULL, 0) = 101
select(12, [6 7 8], [11], [], NULL) = 1 (out [11])
writev(11, [{"\0\0\0_", 4}, {"~]0[\240\3\2\1\5\241\3\2\1\36\244\21\30\01720110408090020"..., 95}], 2) = 99
close(11) = 0
select(9, [6 7 8], [], [], NULL) = 1 (in [7])
accept(7, {sa_family=AF_INET, sin_port=htons(35039), sin_addr=inet_addr("172.31.1.1")}, [16]) = 11
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
ioctl(11, FIONBIO, [1]) = 0
setsockopt(11, SOL_SOCKET, SO_LINGER, {onoff=0, linger=0}, 8) = 0
setsockopt(11, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
select(12, [6 7 8 11], [], [], NULL) = 1 (in [11])
read(11, "\0\0\0\244", 4) = 4
select(12, [6 7 8 11], [], [], NULL) = 1 (in [11])
read(11, "\377SMBr\0\0\0\0\10\1@\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\6\0\0\1\0"..., 164) = 164
getsockname(11, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("172.31.1.2")}, [16]) = 0
sendto(3, "<35>Apr 8 11:00:20 kadmind[1083"..., 85, MSG_NOSIGNAL, NULL, 0) = 85
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such device or address)
writev(2, [{"*** glibc detected *** ", 23}, {"/usr/sbin/kadmind", 17}, {": ", 2}, {"free(): invalid pointer", 23}, {": 0x", 4}, {"00007f8f59cc2008", 16}, {" ***\n", 5}], 7) = 90
mmap(NULL, 134217728, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f8f5174e000
munmap(0x7f8f5174e000, 42672128) = 0
munmap(0x7f8f58000000, 24436736) = 0
mprotect(0x7f8f54000000, 135168, PROT_READ|PROT_WRITE) = 0
open("/etc/ld.so.cache", O_RDONLY) = 12
fstat(12, {st_mode=S_IFREG|0644, st_size=10536, ...}) = 0
mmap(NULL, 10536, PROT_READ, MAP_PRIVATE, 12, 0) = 0x7f8f5b895000
close(12) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libgcc_s.so.1", O_RDONLY) = 12
read(12, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P-\0\0\0\0\0\0"..., 832) = 832
fstat(12, {st_mode=S_IFREG|0644, st_size=90504, ...}) = 0
mmap(NULL, 2186232, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 12, 0) = 0x7f8f59538000
mprotect(0x7f8f5954e000, 2093056, PROT_NONE) = 0
mmap(0x7f8f5974d000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 12, 0x15000) = 0x7f8f5974d000
close(12) = 0
munmap(0x7f8f5b895000, 10536) = 0
futex(0x7f8f59cc4560, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f8f5974d990, FUTEX_WAKE_PRIVATE, 2147483647) = 0
write(2, "======= Backtrace: =========\n", 29) = 29
writev(2, [{"/lib/libc.so.6", 14}, {"(", 1}, {"+0x", 3}, {"71ad6", 5}, {")", 1}, {"[0x", 3}, {"7f8f599d6ad6", 12}, {"]\n", 2}], 8) = 41
writev(2, [{"/lib/libc.so.6", 14}, {"(", 1}, {"cfree", 5}, {"+0x", 3}, {"6c", 2}, {")", 1}, {"[0x", 3}, {"7f8f599db84c", 12}, {"]\n", 2}], 9) = 43
writev(2, [{"/usr/lib/libkrb5.so.3", 21}, {"(", 1}, {"krb5_free_data", 14}, {"+0x", 3}, {"12", 2}, {")", 1}, {"[0x", 3}, {"7f8f5a982422", 12}, {"]\n", 2}], 9) = 59
writev(2, [{"/usr/sbin/kadmind", 17}, {"[0x", 3}, {"40de28", 6}, {"]\n", 2}], 4) = 28
writev(2, [{"/usr/sbin/kadmind", 17}, {"[0x", 3}, {"40e0ba", 6}, {"]\n", 2}], 4) = 28
writev(2, [{"/usr/sbin/kadmind", 17}, {"[0x", 3}, {"40fa33", 6}, {"]\n", 2}], 4) = 28
writev(2, [{"/usr/sbin/kadmind", 17}, {"[0x", 3}, {"40a88f", 6}, {"]\n", 2}], 4) = 28
writev(2, [{"/lib/libc.so.6", 14}, {"(", 1}, {"__libc_start_main", 17}, {"+0x", 3}, {"fd", 2}, {")", 1}, {"[0x", 3}, {"7f8f59983c4d", 12}, {"]\n", 2}], 9) = 55
writev(2, [{"/usr/sbin/kadmind", 17}, {"[0x", 3}, {"404fc9", 6}, {"]\n", 2}], 4) = 28
write(2, "======= Memory map: ========\n", 29) = 29
open("/proc/self/maps", O_RDONLY) = 12
read(12, "00400000-00414000 r-xp 00000000 "..., 1024) = 1024
write(2, "00400000-00414000 r-xp 00000000 "..., 1024) = 1024
read(12, "p 00000000 08:01 24011 "..., 1024) = 1024
write(2, "p 00000000 08:01 24011 "..., 1024) = 1024
read(12, ".11.2.so\n7f8f5a0f4000-7f8f5a0f50"..., 1024) = 1024
write(2, ".11.2.so\n7f8f5a0f4000-7f8f5a0f50"..., 1024) = 1024
read(12, " /lib/libcom_err.so.2.1\n7f8f5a7"..., 1024) = 1024
write(2, " /lib/libcom_err.so.2.1\n7f8f5a7"..., 1024) = 1024
read(12, "w-p 00003000 08:01 24010 "..., 1024) = 1024
write(2, "w-p 00003000 08:01 24010 "..., 1024) = 1024
read(12, " /usr/lib/libkadm"..., 1024) = 972
write(2, " /usr/lib/libkadm"..., 972) = 972
read(12, "", 1024) = 0
close(12) = 0
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(10839, 10839, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
Process 10839 detached

--===-=-=--
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #6899] [Felipe Ortega] Bug#621726: krb5-admin-server: kadmind dies after nmap -sV
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 08 Apr 2011 09:47:13 -0400
RT-Send-Cc:
Any way we can get a more detailed backtrace, preferably including
debugging information / line numbers?
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #6899] [Felipe Ortega] Bug#621726: krb5-admin-server: kadmind dies after nmap -sV
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 08 Apr 2011 16:26:06 -0400
RT-Send-Cc:
Also, I can't seem to reproduce this problem against trunk; will try
with 1.8 branch next.
From: Sam Hartman <hartmans@debian.org>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6899] [Felipe Ortega] Bug#621726: krb5-admin-server: kadmind dies after nmap -sV
Date: Sun, 10 Apr 2011 14:22:42 -0400
RT-Send-Cc:
>>>>> "Tom" == Tom Yu via RT <rt-comment@krbdev.mit.edu> writes:

Tom> Also, I can't seem to reproduce this problem against trunk;
Tom> will try with 1.8 branch next.

I can definitely reproduce against 1.9.
Dies in krb5_free_data with a segv.
I don't have any changes to libgssrpc, kadmind or the network server
code.
I don't have full symbols available.
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #6899] [Felipe Ortega] Bug#621726: krb5-admin-server: kadmind dies after nmap -sV
From: Tom Yu <tlyu@MIT.EDU>
Date: Sun, 10 Apr 2011 15:02:05 -0400
RT-Send-Cc:
"Sam Hartman via RT" <rt-comment@krbdev.mit.edu> writes:

>>>>>> "Tom" == Tom Yu via RT <rt-comment@krbdev.mit.edu> writes:
>
> Tom> Also, I can't seem to reproduce this problem against trunk;
> Tom> will try with 1.8 branch next.
>
> I can definitely reproduce against 1.9.
> Dies in krb5_free_data with a segv.
> I don't have any changes to libgssrpc, kadmind or the network server
> code.
> I don't have full symbols available.

I have a candidate bug location, and it involves the kpasswd
component, not the kadmin protocol itself. Patches coming soon.
From: tlyu@mit.edu
Subject: SVN Commit

Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().

Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.

https://github.com/krb5/krb5/commit/e88f857c3680ea395c0bed6a82862d8ea1177221
Commit By: tlyu
Revision: 24878
Changed Files:
U trunk/src/kadmin/server/schpw.c
From: tlyu@mit.edu
Subject: SVN Commit

pull up r24878 from trunk

------------------------------------------------------------------------
r24878 | tlyu | 2011-04-13 14:43:37 -0400 (Wed, 13 Apr 2011) | 11 lines

ticket: 6899
tags: pullup
target_version: 1.9.1

Fix the sole case in process_chpw_request() where a return could occur
without allocating the data pointer in the response. This prevents a
later free() of an invalid pointer in kill_tcp_or_rpc_connection().

Also initialize rep->data to NULL in process_chpw_request() and clean
up *response in dispatch() as an additional precaution.

https://github.com/krb5/krb5/commit/01c082c11ac24e813ada11d76b7916c95a53f21f
Commit By: tlyu
Revision: 24879
Changed Files:
U branches/krb5-1-9/src/kadmin/server/schpw.c
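The allocation bug that both commit messages above describe (an error return from process_chpw_request() that leaves the response data pointer unassigned, which kill_tcp_or_rpc_connection() then frees), shown as an added C model: this is not krb5's schpw.c, and the header checks, the result codes, the reply struct and the names chpw_buggy/chpw_fixed are assumptions built from the commit text and the SMB probe visible in the strace.

```c
#include <stdint.h>
#include <stdlib.h>

/* Model of the reply kadmind fills in (krb5_data in the real schpw.c). */
struct reply { char *data; size_t length; };

/* Constructed input modelled on the strace above: the start of the SMB
 * probe ("\377SMBr...") nmap -sV sent to the kpasswd port 464. Read as a
 * kpasswd header, 0xff53 is a bogus length and 0x4d42 ("MB") a bad version. */
static const unsigned char SMB_PROBE[] =
    { 0xff, 'S', 'M', 'B', 'r', 0, 0, 0, 0, 0x08, 0x01, '@', 0 };

static uint16_t be16(const unsigned char *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Store a two-byte kpasswd result code as the reply body. */
static int set_result(struct reply *rep, uint16_t code)
{
    rep->data = malloc(2);
    if (rep->data == NULL)
        return -1;
    rep->length = 2;
    rep->data[0] = (char)(code >> 8);
    rep->data[1] = (char)(code & 0xff);
    return 0;
}

/* Hypothetical header checks standing in for the real parser (RFC 3244 framing). */
static int header_is_valid(const unsigned char *req, size_t len)
{
    if (len < 6 || be16(req) != len)
        return 0;
    return be16(req + 2) == 0x0001 || be16(req + 2) == 0xff80;
}

/* Buggy shape from the commit message: the failed check returns before
 * rep->data has been assigned, so connection teardown later frees garbage. */
static int chpw_buggy(const unsigned char *req, size_t len, struct reply *rep)
{
    if (!header_is_valid(req, len))
        return -1;                 /* rep->data untouched */
    return set_result(rep, 0);
}

/* Hardened shape: rep->data is NULL before anything can fail, and the
 * error path still hands back an allocated reply (or NULL). */
static int chpw_fixed(const unsigned char *req, size_t len, struct reply *rep)
{
    rep->data = NULL; rep->length = 0;
    if (!header_is_valid(req, len)) {
        set_result(rep, 3);        /* constructed "malformed" result code */
        return -1;
    }
    return set_result(rep, 0);
}

/* Seed rep->data with a recognisable stale value, as reused stack or heap
 * memory would, and report whether the handler left it there. */
#define STALE_PTR ((char *)0x1)

int buggy_leaves_stale_pointer(void)
{
    struct reply rep = { STALE_PTR, 0 };
    chpw_buggy(SMB_PROBE, sizeof SMB_PROBE, &rep);
    return rep.data == STALE_PTR;  /* 1: a free(rep.data) here would abort */
}

int fixed_leaves_freeable_pointer(void)
{
    struct reply rep = { STALE_PTR, 0 };
    int rc = chpw_fixed(SMB_PROBE, sizeof SMB_PROBE, &rep);
    int ok = rc == -1 && rep.data != STALE_PTR;
    free(rep.data);                /* safe: NULL or a real allocation */
    return ok;
}
```

The stale-pointer seed stands in for whatever the uninitialised field held in the crashing process; the "free(): invalid pointer" abort in the attached strace is glibc catching exactly that kind of value.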