rpms / krb5

Clone
Source Code
GIT

Blame SOURCES/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   c26930347500ab656d3f033274eb5a3b066eab7a
  2.   SOURCES
  3.   Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
Blob History Raw
6cfd83 
From 4e8579f0a41b66ed8029f21a52082e1c27ab3996 Mon Sep 17 00:00:00 2001
6cfd83 
From: Joseph Sutton <josephsutton@catalyst.net.nz>
6cfd83 
Date: Wed, 7 Jul 2021 11:47:44 +1200
6cfd83 
Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
6cfd83
6cfd83 
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
6cfd83 
to avoid further processing if the armor key is NULL.  However, this
6cfd83 
check is bypassed by a call to k5memdup0() which overwrites retval
6cfd83 
with 0 if the allocation succeeds.  If the armor key is NULL, a call
6cfd83 
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
6cfd83 
crash.  Add a check before the k5memdup0() call to avoid overwriting
6cfd83 
retval.
6cfd83
6cfd83 
CVE-2021-36222:
6cfd83
6cfd83 
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
6cfd83 
cause a null dereference in the KDC by sending a request containing a
6cfd83 
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
6cfd83
6cfd83 
[ghudson@mit.edu: trimmed patch; added test case; edited commit
6cfd83 
message]
6cfd83
6cfd83 
(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)
6cfd83
6cfd83 
ticket: 9007
6cfd83 
version_fixed: 1.18.4
6cfd83
6cfd83 
(cherry picked from commit c4a406095b3ea4a67ae5b8ea586cbe9abdbae76f)
6cfd83 
---
6cfd83 
 src/kdc/kdc_preauth_ec.c      |  3 ++-
6cfd83 
 src/tests/Makefile.in         |  1 +
6cfd83 
 src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++
6cfd83 
 3 files changed, 49 insertions(+), 1 deletion(-)
6cfd83 
 create mode 100644 src/tests/t_cve-2021-36222.py
6cfd83
6cfd83 
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
6cfd83 
index 7e636b3f9..43a9902cc 100644
6cfd83 
--- a/src/kdc/kdc_preauth_ec.c
6cfd83 
+++ b/src/kdc/kdc_preauth_ec.c
6cfd83 
@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
6cfd83 
     }
6cfd83
6cfd83 
     /* Check for a configured FAST ec auth indicator. */
6cfd83 
-    realmstr = k5memdup0(realm.data, realm.length, &retval);
6cfd83 
+    if (retval == 0)
6cfd83 
+        realmstr = k5memdup0(realm.data, realm.length, &retval);
6cfd83 
     if (realmstr != NULL)
6cfd83 
         retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
6cfd83 
                                     realmstr,
6cfd83 
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
6cfd83 
index 3f88f1713..0ffbebf56 100644
6cfd83 
--- a/src/tests/Makefile.in
6cfd83 
+++ b/src/tests/Makefile.in
6cfd83 
@@ -158,6 +158,7 @@ check-pytests: unlockiter s4u2self
6cfd83 
 	$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
6cfd83 
 	$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
6cfd83 
 	$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
6cfd83 
+	$(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
6cfd83 
 	$(RM) au.log
6cfd83 
 	$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
6cfd83 
 	$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
6cfd83 
diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
6cfd83 
new file mode 100644
6cfd83 
index 000000000..57e04993b
6cfd83 
--- /dev/null
6cfd83 
+++ b/src/tests/t_cve-2021-36222.py
6cfd83 
@@ -0,0 +1,46 @@
6cfd83 
+import socket
6cfd83 
+from k5test import *
6cfd83 
+
6cfd83 
+realm = K5Realm()
6cfd83 
+
6cfd83 
+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
6cfd83 
+# without FAST
6cfd83 
+
6cfd83 
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
6cfd83 
+a = (hostname, realm.portbase)
6cfd83 
+
6cfd83 
+m = ('6A81A0' '30819D'          # [APPLICATION 10] SEQUENCE
6cfd83 
+     'A103' '0201' '05'         #  [1] pvno = 5
6cfd83 
+     'A203' '0201' '0A'         #  [2] msg-type = 10
6cfd83 
+     'A30E' '300C'              #  [3] padata = SEQUENCE OF
6cfd83 
+     '300A'                     #   SEQUENCE
6cfd83 
+     'A104' '0202' '008A'       #    [1] padata-type = PA-ENCRYPTED-CHALLENGE
6cfd83 
+     'A202' '0400'              #    [2] padata-value = ""
6cfd83 
+     'A48180' '307E'            #  [4] req-body = SEQUENCE
6cfd83 
+     'A007' '0305' '0000000000' #   [0] kdc-options = 0
6cfd83 
+     'A120' '301E'              #   [1] cname = SEQUENCE
6cfd83 
+     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
6cfd83 
+     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
6cfd83 
+     '1B06' '6B7262746774'      #     krbtgt
6cfd83 
+     '1B0B' '4B5242544553542E434F4D'
6cfd83 
+                                #     KRBTEST.COM
6cfd83 
+     'A20D' '1B0B' '4B5242544553542E434F4D'
6cfd83 
+                                #   [2] realm = KRBTEST.COM
6cfd83 
+     'A320' '301E'              #   [3] sname = SEQUENCE
6cfd83 
+     'A003' '0201' '01'         #    [0] name-type = NT-PRINCIPAL
6cfd83 
+     'A117' '3015'              #    [1] name-string = SEQUENCE-OF
6cfd83 
+     '1B06' '6B7262746774'      #     krbtgt
6cfd83 
+     '1B0B' '4B5242544553542E434F4D'
6cfd83 
+                                #     KRBTEST.COM
6cfd83 
+     'A511' '180F' '31393934303631303036303331375A'
6cfd83 
+                                #   [5] till = 19940610060317Z
6cfd83 
+     'A703' '0201' '00'         #   [7] nonce = 0
6cfd83 
+     'A808' '3006'              #   [8] etype = SEQUENCE OF
6cfd83 
+     '020112' '020111')         #    aes256-cts aes128-cts
6cfd83 
+
6cfd83 
+s.sendto(bytes.fromhex(m), a)
6cfd83 
+
6cfd83 
+# Make sure kinit still works.
6cfd83 
+realm.kinit(realm.user_princ, password('user'))
6cfd83 
+
6cfd83 
+success('CVE-2021-36222 regression test')

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation