|
 |
cb4cef |
From 3fe94b5854c56da38ba14994b6c371c3e3b9094e Mon Sep 17 00:00:00 2001
|
|
|
cb4cef |
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
|
cb4cef |
Date: Wed, 7 Jul 2021 11:47:44 +1200
|
|
|
cb4cef |
Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
|
|
|
cb4cef |
|
|
|
cb4cef |
The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
|
|
|
cb4cef |
to avoid further processing if the armor key is NULL. However, this
|
|
|
cb4cef |
check is bypassed by a call to k5memdup0() which overwrites retval
|
|
|
cb4cef |
with 0 if the allocation succeeds. If the armor key is NULL, a call
|
|
|
cb4cef |
to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
|
|
|
cb4cef |
crash. Add a check before the k5memdup0() call to avoid overwriting
|
|
|
cb4cef |
retval.
|
|
|
cb4cef |
|
|
|
cb4cef |
CVE-2021-36222:
|
|
|
cb4cef |
|
|
|
cb4cef |
In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
|
|
|
cb4cef |
cause a null dereference in the KDC by sending a request containing a
|
|
|
cb4cef |
PA-ENCRYPTED-CHALLENGE padata element without using FAST.
|
|
|
cb4cef |
|
|
|
cb4cef |
[ghudson@mit.edu: trimmed patch; added test case; edited commit
|
|
|
cb4cef |
message]
|
|
|
cb4cef |
|
|
|
cb4cef |
ticket: 9007 (new)
|
|
|
cb4cef |
tags: pullup
|
|
|
cb4cef |
target_version: 1.19-next
|
|
|
cb4cef |
target_version: 1.18-next
|
|
|
cb4cef |
|
|
|
cb4cef |
(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)
|
|
|
cb4cef |
(cherry picked from commit 791211b00a53b394376d096c881b725ee739a936)
|
|
|
cb4cef |
---
|
|
|
cb4cef |
src/kdc/kdc_preauth_ec.c | 3 ++-
|
|
|
cb4cef |
src/tests/Makefile.in | 1 +
|
|
|
cb4cef |
src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++
|
|
|
cb4cef |
3 files changed, 49 insertions(+), 1 deletion(-)
|
|
|
cb4cef |
create mode 100644 src/tests/t_cve-2021-36222.py
|
|
|
cb4cef |
|
|
|
cb4cef |
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
|
|
|
cb4cef |
index 7e636b3f9..43a9902cc 100644
|
|
|
cb4cef |
--- a/src/kdc/kdc_preauth_ec.c
|
|
|
cb4cef |
+++ b/src/kdc/kdc_preauth_ec.c
|
|
|
cb4cef |
@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
|
|
cb4cef |
}
|
|
|
cb4cef |
|
|
|
cb4cef |
/* Check for a configured FAST ec auth indicator. */
|
|
|
cb4cef |
- realmstr = k5memdup0(realm.data, realm.length, &retval);
|
|
|
cb4cef |
+ if (retval == 0)
|
|
|
cb4cef |
+ realmstr = k5memdup0(realm.data, realm.length, &retval);
|
|
|
cb4cef |
if (realmstr != NULL)
|
|
|
cb4cef |
retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
|
|
|
cb4cef |
realmstr,
|
|
|
cb4cef |
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
|
|
|
cb4cef |
index ab416cc5f..20f27d748 100644
|
|
|
cb4cef |
--- a/src/tests/Makefile.in
|
|
|
cb4cef |
+++ b/src/tests/Makefile.in
|
|
|
cb4cef |
@@ -159,6 +159,7 @@ check-pytests: unlockiter s4u2self
|
|
|
cb4cef |
$(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
|
|
|
cb4cef |
$(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
|
|
|
cb4cef |
$(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
|
|
|
cb4cef |
+ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
|
|
|
cb4cef |
$(RM) au.log
|
|
|
cb4cef |
$(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
|
|
|
cb4cef |
$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
|
|
|
cb4cef |
diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
|
|
|
cb4cef |
new file mode 100644
|
|
|
cb4cef |
index 000000000..57e04993b
|
|
|
cb4cef |
--- /dev/null
|
|
|
cb4cef |
+++ b/src/tests/t_cve-2021-36222.py
|
|
|
cb4cef |
@@ -0,0 +1,46 @@
|
|
|
cb4cef |
+import socket
|
|
|
cb4cef |
+from k5test import *
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+realm = K5Realm()
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
|
|
|
cb4cef |
+# without FAST
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
|
|
cb4cef |
+a = (hostname, realm.portbase)
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
|
|
|
cb4cef |
+ 'A103' '0201' '05' # [1] pvno = 5
|
|
|
cb4cef |
+ 'A203' '0201' '0A' # [2] msg-type = 10
|
|
|
cb4cef |
+ 'A30E' '300C' # [3] padata = SEQUENCE OF
|
|
|
cb4cef |
+ '300A' # SEQUENCE
|
|
|
cb4cef |
+ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
|
|
|
cb4cef |
+ 'A202' '0400' # [2] padata-value = ""
|
|
|
cb4cef |
+ 'A48180' '307E' # [4] req-body = SEQUENCE
|
|
|
cb4cef |
+ 'A007' '0305' '0000000000' # [0] kdc-options = 0
|
|
|
cb4cef |
+ 'A120' '301E' # [1] cname = SEQUENCE
|
|
|
cb4cef |
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
|
|
|
cb4cef |
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
|
|
|
cb4cef |
+ '1B06' '6B7262746774' # krbtgt
|
|
|
cb4cef |
+ '1B0B' '4B5242544553542E434F4D'
|
|
|
cb4cef |
+ # KRBTEST.COM
|
|
|
cb4cef |
+ 'A20D' '1B0B' '4B5242544553542E434F4D'
|
|
|
cb4cef |
+ # [2] realm = KRBTEST.COM
|
|
|
cb4cef |
+ 'A320' '301E' # [3] sname = SEQUENCE
|
|
|
cb4cef |
+ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
|
|
|
cb4cef |
+ 'A117' '3015' # [1] name-string = SEQUENCE-OF
|
|
|
cb4cef |
+ '1B06' '6B7262746774' # krbtgt
|
|
|
cb4cef |
+ '1B0B' '4B5242544553542E434F4D'
|
|
|
cb4cef |
+ # KRBTEST.COM
|
|
|
cb4cef |
+ 'A511' '180F' '31393934303631303036303331375A'
|
|
|
cb4cef |
+ # [5] till = 19940610060317Z
|
|
|
cb4cef |
+ 'A703' '0201' '00' # [7] nonce = 0
|
|
|
cb4cef |
+ 'A808' '3006' # [8] etype = SEQUENCE OF
|
|
|
cb4cef |
+ '020112' '020111') # aes256-cts aes128-cts
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+s.sendto(bytes.fromhex(m), a)
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+# Make sure kinit still works.
|
|
|
cb4cef |
+realm.kinit(realm.user_princ, password('user'))
|
|
|
cb4cef |
+
|
|
|
cb4cef |
+success('CVE-2021-36222 regression test')
|