Skip Menu |
 

From: tlyu@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.8KiB

KDC null deref due to referrals [CVE-2013-1417]

An authenticated remote client can cause a KDC to crash by making a
valid TGS-REQ to a KDC serving a realm with a single-component name.
The process_tgs_req() function dereferences a null pointer because an
unusual failure condition causes a helper function to return success.

While attempting to provide cross-realm referrals for host-based
service principals, the find_referral_tgs() function could return a
TGS principal for a zero-length realm name (indicating that the
hostname in the service principal has no known realm associated with
it).

Subsequently, the find_alternate_tgs() function would attempt to
construct a path to this empty-string realm, and return success along
with a null pointer in its output parameter. This happens because
krb5_walk_realm_tree() returns a list of length one when it attempts
to construct a transit path between a single-component realm and the
empty-string realm. This list causes a loop in find_alternate_tgs()
to iterate over zero elements, resulting in the unexpected output of a
null pointer, which process_tgs_req() proceeds to dereference because
there is no error condition.

Add an error condition to find_referral_tgs() when
krb5_get_host_realm() returns an empty realm name. Also add an error
condition to find_alternate_tgs() to handle the length-one output from
krb5_walk_realm_tree().

The vulnerable configuration is not likely to arise in practice.
(Realm names that have a single component are likely to be test
realms.) Releases prior to krb5-1.11 are not vulnerable.

Thanks to Sol Jerome for reporting this problem.

CVSSv2: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

https://github.com/krb5/krb5/commit/3c7f1c21ffaaf6c90f1045f0f5440303c766acc0
Author: Tom Yu <tlyu@mit.edu>
Commit: 3c7f1c21ffaaf6c90f1045f0f5440303c766acc0
Branch: master
src/kdc/do_tgs_req.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
From: tlyu@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.9KiB

KDC null deref due to referrals [CVE-2013-1417]

An authenticated remote client can cause a KDC to crash by making a
valid TGS-REQ to a KDC serving a realm with a single-component name.
The process_tgs_req() function dereferences a null pointer because an
unusual failure condition causes a helper function to return success.

While attempting to provide cross-realm referrals for host-based
service principals, the find_referral_tgs() function could return a
TGS principal for a zero-length realm name (indicating that the
hostname in the service principal has no known realm associated with
it).

Subsequently, the find_alternate_tgs() function would attempt to
construct a path to this empty-string realm, and return success along
with a null pointer in its output parameter. This happens because
krb5_walk_realm_tree() returns a list of length one when it attempts
to construct a transit path between a single-component realm and the
empty-string realm. This list causes a loop in find_alternate_tgs()
to iterate over zero elements, resulting in the unexpected output of a
null pointer, which process_tgs_req() proceeds to dereference because
there is no error condition.

Add an error condition to find_referral_tgs() when
krb5_get_host_realm() returns an empty realm name. Also add an error
condition to find_alternate_tgs() to handle the length-one output from
krb5_walk_realm_tree().

The vulnerable configuration is not likely to arise in practice.
(Realm names that have a single component are likely to be test
realms.) Releases prior to krb5-1.11 are not vulnerable.

Thanks to Sol Jerome for reporting this problem.

CVSSv2: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

(cherry picked from commit 3c7f1c21ffaaf6c90f1045f0f5440303c766acc0)

https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc
Author: Tom Yu <tlyu@mit.edu>
Commit: 4c023ba43c16396f0d199e2df1cfa59b88b62acc
Branch: krb5-1.11
src/kdc/do_tgs_req.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
Nalin found a (non-security relevant) bug with this patch; see ticket #7881.