Ticket History #8273: Fix IAKERB context export/import [CVE-2015-2698]

Fix IAKERB context export/import [CVE-2015-2698]

The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory. Fix the regression by properly
dereferencing the context_handle pointer before casting it.

Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context. Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.

CVE-2015-2698:

In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd
Author: Greg Hudson <ghudson@mit.edu>
Commit: 3db8dfec1ef50ddd78d6ba9503185995876a39fd
Branch: master
src/lib/gssapi/krb5/gssapiP_krb5.h | 5 ++++
src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
src/lib/gssapi/krb5/iakerb.c | 42 ++++++++++++++++++++++++++++++------
3 files changed, 41 insertions(+), 8 deletions(-)

Add test coverage for GSS context export/import

Pass the -export flag to gss-server in t_gss_sample.py, in order to
test context export and import for each of the mechanisms.

https://github.com/krb5/krb5/commit/bee2d867248b24c627da4c2ef270c8de15fd96f9
Author: Greg Hudson <ghudson@mit.edu>
Commit: bee2d867248b24c627da4c2ef270c8de15fd96f9
Branch: master
src/appl/gss-sample/t_gss_sample.py | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

Fix IAKERB context export/import [CVE-2015-2698]

The patches for CVE-2015-2696 contained a regression in the newly
added IAKERB iakerb_gss_export_sec_context() function, which could
cause it to corrupt memory. Fix the regression by properly
dereferencing the context_handle pointer before casting it.

Also, the patches did not implement an IAKERB gss_import_sec_context()
function, under the erroneous belief that an exported IAKERB context
would be tagged as a krb5 context. Implement it now to allow IAKERB
contexts to be successfully exported and imported after establishment.

CVE-2015-2698:

In any MIT krb5 release with the patches for CVE-2015-2696 applied, an
application which calls gss_export_sec_context() may experience memory
corruption if the context was established using the IAKERB mechanism.
Historically, some vulnerabilities of this nature can be translated
into remote code execution, though the necessary exploits must be
tailored to the individual application and are usually quite
complicated.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

(cherry picked from commit 3db8dfec1ef50ddd78d6ba9503185995876a39fd)

https://github.com/krb5/krb5/commit/54222de30a89bfac0247dfbc1759556dc9fd2983
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 54222de30a89bfac0247dfbc1759556dc9fd2983
Branch: krb5-1.14
src/lib/gssapi/krb5/gssapiP_krb5.h | 5 ++++
src/lib/gssapi/krb5/gssapi_krb5.c | 2 +-
src/lib/gssapi/krb5/iakerb.c | 42 ++++++++++++++++++++++++++++++------
3 files changed, 41 insertions(+), 8 deletions(-)