Date: Mon, 28 May 2012 23:59:02 -0400
From: Richard Basch <basch@alum.mit.edu>
Subject: krb5-1.10.1 - SIGSEGV (kadmin.local)
To: krb5-bugs@mit.edu, krbdev@mit.edu

The following will cause a SIGSEGV:

 

cat <<EOF | kadmin.local
addprinc -randkey -policy local -allow_tix -allow_tgs_req test/foo
EOF

 

The following is the offending code which is causing the issue (and the fix is simply not to dereference a null pointer):

 

diff -ru src.orig/lib/kadm5/srv/svr_principal.c src/lib/kadm5/srv/svr_principal.c

--- src.orig/lib/kadm5/srv/svr_principal.c      2011-09-21 12:29:00.000000000 -0400

+++ src/lib/kadm5/srv/svr_principal.c   2012-05-28 23:49:10.000000000 -0400

@@ -187,7 +187,7 @@

     char *password = *passptr;

 

     /* Old-style randkey operations disallowed tickets to start. */

-    if (!(mask & KADM5_ATTRIBUTES) ||

+    if (!password || !(mask & KADM5_ATTRIBUTES) ||

         !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))

         return;
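Review bot: the added `!password` guard closes the null dereference, but the comment above the condition still describes only the old-style randkey case; add a line stating that a create request with no password (a -randkey create) has nothing for this function to check, so the guard is not later mistaken for a redundant test and dropped. Also note that `char *password = *passptr;` one line up is still an unguarded dereference of `passptr`; either guard it the same way or document that callers never pass a NULL `passptr`.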

 

Date: Tue, 29 May 2012 00:03:53 -0400
From: Richard Basch <basch@alum.mit.edu>
Subject: RE: krb5-1.10.1 - SIGSEGV (kadmin.local)
To: krb5-bugs@mit.edu
CC: richard.basch@gs.com

I suspect this bug can also be exploited remotely to crash kadmind.

 


From: ghudson@mit.edu
Subject: SVN Commit

Null pointer deref in kadmind [CVE-2012-1013]

The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.

CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

[ghudson@mit.edu: Minor style change and commit message]

https://github.com/krb5/krb5/commit/c5be6209311d4a8f10fda37d0d3f876c1b33b77b
Author: Richard Basch <basch@alum.mit.edu>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: c5be6209311d4a8f10fda37d0d3f876c1b33b77b
Branch: master
src/lib/kadm5/srv/svr_principal.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
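The commit message above describes the bug precisely: a create-principal request with no password but with KRB5_KDB_DISALLOW_ALL_TIX set reaches a dereference of the password pointer. The following is an added C model of that condition and of the guard the fix introduces; it is not krb5 code. The struct `create_request`, the bit values `MASK_ATTRIBUTES` and `ATTR_DISALLOW_ALL_TIX`, the functions `old_style_randkey_unfixed`, `old_style_randkey_fixed`, `parse_addprinc` and `reproducer_reaches_deref`, and the reduced option handling for `-randkey` and `-allow_tix` are all constructed for this illustration. Only the shape of the early-out (null password tested first) mirrors the committed change; what the real `check_1_6_dummy` does with the password after the check is not shown on this page and is modelled here by a single read of `password[0]`.

```c
/*
 * Added example, not krb5 code: a reduced model of the null-password
 * guard that the CVE-2012-1013 fix adds to check_1_6_dummy.  The struct,
 * the bit values and the option parsing below are constructed for this
 * illustration; only the shape of the guard mirrors the committed change.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MASK_ATTRIBUTES       0x01u /* constructed: request mask says attributes were supplied */
#define ATTR_DISALLOW_ALL_TIX 0x04u /* constructed: stands in for KRB5_KDB_DISALLOW_ALL_TIX */

struct create_request {
    unsigned mask;        /* which fields the client supplied */
    unsigned attributes;  /* principal attribute flags */
    const char *password; /* NULL for a -randkey create */
};

/* Pre-fix shape: the early-out only looks at mask and attributes, so a
 * request that sets DISALLOW_ALL_TIX without a password reaches the
 * dereference.  (The read of password[0] stands in for whatever the real
 * function does with the password; that detail is an assumption.) */
int old_style_randkey_unfixed(const struct create_request *req)
{
    if (!(req->mask & MASK_ATTRIBUTES) ||
        !(req->attributes & ATTR_DISALLOW_ALL_TIX))
        return 0;
    return req->password[0] != '\0';  /* SIGSEGV when password == NULL */
}

/* Fixed shape: a missing password is tested first, so the function
 * returns before anything can touch it. */
int old_style_randkey_fixed(const struct create_request *req)
{
    if (!req->password || !(req->mask & MASK_ATTRIBUTES) ||
        !(req->attributes & ATTR_DISALLOW_ALL_TIX))
        return 0;
    return req->password[0] != '\0';
}

/* Constructed stand-in for kadmin's option handling: turns a single
 * "addprinc ..." line into a create_request.  -randkey means no password;
 * -allow_tix sets the disallow-all-tickets attribute.  Other options are
 * ignored here.  The line is modified in place by strtok. */
void parse_addprinc(char *line, struct create_request *req)
{
    static const char dummy_password[] = "dummy";  /* constructed default */
    req->mask = 0;
    req->attributes = 0;
    req->password = dummy_password;
    for (char *tok = strtok(line, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (strcmp(tok, "-randkey") == 0) {
            req->password = NULL;
        } else if (strcmp(tok, "-allow_tix") == 0) {
            req->mask |= MASK_ATTRIBUTES;
            req->attributes |= ATTR_DISALLOW_ALL_TIX;
        } else if (strcmp(tok, "+allow_tix") == 0) {
            req->mask |= MASK_ATTRIBUTES;
            req->attributes &= ~ATTR_DISALLOW_ALL_TIX;
        }
    }
}

/* Runs the reproducer from the report through the fixed check and reports
 * whether the request would have reached the unguarded dereference
 * (1 = yes, 0 = no, -1 = the fixed check misbehaved). */
int reproducer_reaches_deref(void)
{
    char line[] = "addprinc -randkey -policy local -allow_tix -allow_tgs_req test/foo";
    struct create_request req;
    parse_addprinc(line, &req);
    /* Fixed check must return 0 (no password to inspect) without crashing. */
    if (old_style_randkey_fixed(&req) != 0)
        return -1;
    /* Report whether the pre-fix early-out would have let it through. */
    return req.password == NULL && (req.mask & MASK_ATTRIBUTES) &&
           (req.attributes & ATTR_DISALLOW_ALL_TIX);
}

int main(void)
{
    printf("reproducer reaches the unguarded dereference before the fix: %s\n",
           reproducer_reaches_deref() ? "yes" : "no");
    return 0;
}
```

The ordering of the fixed condition matters: `!req->password` is evaluated first and short-circuits, so the remaining terms never run against a request that carries no password. The unfixed variant is included only to make the difference visible on the non-null path; it must not be called with a NULL password.
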
From: tlyu@mit.edu
Subject: SVN Commit

Null pointer deref in kadmind [CVE-2012-1013]

The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.

CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

[ghudson@mit.edu: Minor style change and commit message]

(cherry picked from commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b)

https://github.com/krb5/krb5/commit/ca2909440015d33be42e77d1955194963d8c0955
Author: Richard Basch <basch@alum.mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: ca2909440015d33be42e77d1955194963d8c0955
Branch: krb5-1.10
src/lib/kadm5/srv/svr_principal.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)