From nocturne@arepa.com Mon Sep 18 15:20:16 2000
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id PAA06286
for <bugs@RT-11.MIT.EDU>; Mon, 18 Sep 2000 15:20:16 -0400 (EDT)
Received: from dr-teeth.arepa.com by MIT.EDU with SMTP
id AA13527; Mon, 18 Sep 00 15:20:51 EDT
Received: from dr-teeth.arepa.com by sunlotion.arepa.com
via smtpd (for PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) with SMTP; 18 Sep 2000 19:20:15 UT
Received: (from nocturne@localhost)
by dr-teeth.arepa.com (8.8.8/8.8.8) id LAA00748;
Sun, 17 Sep 2000 11:21:07 -0400 (EDT)
Message-Id: <200009171521.LAA00748@dr-teeth.arepa.com>
Date: Sun, 17 Sep 2000 11:21:07 -0400 (EDT)
From: Eric Mumpower <nocturne@arepa.com>
Reply-To: nocturne@arepa.com
To: krb5-bugs@MIT.EDU
Subject: vast clock skew allows negative-life tickets
X-Send-Pr-Version: 3.99
>Number: 889
>Category: krb5-kdc
>Synopsis: vast clock skew allows negative-life tickets
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Sep 18 15:21:01 EDT 2000
>Last-Modified:
>Originator: Eric Mumpower
>Organization:
Arepa
>Release: krb5-1.1.1
>Environment:
System: NetBSD dr-teeth 1.4.1 NetBSD 1.4.1 (TEETH) #1: Fri Sep 15 18:27:55 EDT 2000 nocturne@dr-teeth:/usr/src/sys/arch/i386/compile/TEETH i386
>Description:
If a client's clock is skewed a day into the past, it is possible to
obtain tickets with a negative lifetime.
>How-To-Repeat:
Arepa Kerberos version is MIT 1.1.1 with applied bugfixes for KDC and
buffer overrun vulnerabilities.
When one's clock is skewed about a day into the past, using a
1.1.1+bufpat client against either the Arepa 1.1.1+bufpat KDC _OR_ the
current MIT KDC allows one to fetch Kerberos tickets that look like this:
> dr-teeth% klist -c -f -e
> Ticket cache: /tmp/krb5cc_606
> Default principal: nocturne@AREPA.COM
>
> Valid starting Expires Service principal
> 09/18/00 15:04:26 09/17/00 21:05:18 krbtgt/AREPA.COM@AREPA.COM
> Flags: FI, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> dr-teeth> klist -c -f -e
> Ticket cache: /tmp/krb5cc_606.ath
> Default principal: nocturne@ATHENA.MIT.EDU
>
> Valid starting Expires Service principal
> 09/18/00 15:04:34 09/17/00 21:05:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
> Flags: FI, Etype (skey, tkt): DES cbc mode with CRC-32, etype 28679
>
Note that these tickets expire 18 hours before they become valid.
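As an added illustration (not part of this report and not MIT krb5 code), a small Python checker that parses klist output shaped like the lines above and flags a ticket whose expiry is not after its start, as well as a start time that lies outside a skew window relative to the checker's own clock. The 300-second window, the sample text and the checker clock used below are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the "klist -c -f -e" output quoted in the report.
KLIST_SAMPLE = """\
Ticket cache: /tmp/krb5cc_606
Default principal: nocturne@AREPA.COM

Valid starting       Expires              Service principal
09/18/00 15:04:26    09/17/00 21:05:18    krbtgt/AREPA.COM@AREPA.COM
        Flags: FI, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

# Two "MM/DD/YY HH:MM:SS" stamps followed by the service principal.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)"
)
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (starttime, endtime, service) for every ticket line in klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start = datetime.strptime(m.group(1), TIME_FMT)
            end = datetime.strptime(m.group(2), TIME_FMT)
            tickets.append((start, end, m.group(3)))
    return tickets


def lifetime_seconds(start, end):
    """Ticket lifetime in seconds; negative when the ticket expires before it starts."""
    return int((end - start).total_seconds())


def check_ticket(start, end, now, max_skew=timedelta(seconds=300)):
    """Return the sanity-check failures a validator should reject the ticket for.

    'now' is the checker's own clock (assumed); max_skew is an assumed tolerance.
    """
    problems = []
    if end <= start:
        problems.append("negative or zero lifetime")
    if abs(start - now) > max_skew:
        problems.append("starttime outside clock-skew window")
    return problems
```

Running parse_klist over the sample yields a single ticket whose lifetime is -64748 seconds, i.e. it expires 17h59m08s before it becomes valid, matching the "18 hours" observed above.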
>Fix:
Unknown.
>Audit-Trail:
>Unformatted: