|
 |
7d335d |
commit 4c023ba43c16396f0d199e2df1cfa59b88b62acc
|
|
|
7d335d |
Author: Tom Yu <tlyu@mit.edu>
|
|
|
7d335d |
Date: Fri Jun 21 17:58:25 2013 -0400
|
|
|
7d335d |
|
|
|
7d335d |
KDC null deref due to referrals [CVE-2013-1417]
|
|
|
7d335d |
|
|
|
7d335d |
An authenticated remote client can cause a KDC to crash by making a
|
|
|
7d335d |
valid TGS-REQ to a KDC serving a realm with a single-component name.
|
|
|
7d335d |
The process_tgs_req() function dereferences a null pointer because an
|
|
|
7d335d |
unusual failure condition causes a helper function to return success.
|
|
|
7d335d |
|
|
|
7d335d |
While attempting to provide cross-realm referrals for host-based
|
|
|
7d335d |
service principals, the find_referral_tgs() function could return a
|
|
|
7d335d |
TGS principal for a zero-length realm name (indicating that the
|
|
|
7d335d |
hostname in the service principal has no known realm associated with
|
|
|
7d335d |
it).
|
|
|
7d335d |
|
|
|
7d335d |
Subsequently, the find_alternate_tgs() function would attempt to
|
|
|
7d335d |
construct a path to this empty-string realm, and return success along
|
|
|
7d335d |
with a null pointer in its output parameter. This happens because
|
|
|
7d335d |
krb5_walk_realm_tree() returns a list of length one when it attempts
|
|
|
7d335d |
to construct a transit path between a single-component realm and the
|
|
|
7d335d |
empty-string realm. This list causes a loop in find_alternate_tgs()
|
|
|
7d335d |
to iterate over zero elements, resulting in the unexpected output of a
|
|
|
7d335d |
null pointer, which process_tgs_req() proceeds to dereference because
|
|
|
7d335d |
there is no error condition.
|
|
|
7d335d |
|
|
|
7d335d |
Add an error condition to find_referral_tgs() when
|
|
|
7d335d |
krb5_get_host_realm() returns an empty realm name. Also add an error
|
|
|
7d335d |
condition to find_alternate_tgs() to handle the length-one output from
|
|
|
7d335d |
krb5_walk_realm_tree().
|
|
|
7d335d |
|
|
|
7d335d |
The vulnerable configuration is not likely to arise in practice.
|
|
|
7d335d |
(Realm names that have a single component are likely to be test
|
|
|
7d335d |
realms.) Releases prior to krb5-1.11 are not vulnerable.
|
|
|
7d335d |
|
|
|
7d335d |
Thanks to Sol Jerome for reporting this problem.
|
|
|
7d335d |
|
|
|
7d335d |
CVSSv2: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
|
|
|
7d335d |
|
|
|
7d335d |
(cherry picked from commit 3c7f1c21ffaaf6c90f1045f0f5440303c766acc0)
|
|
|
7d335d |
|
|
|
7d335d |
ticket: 7668
|
|
|
7d335d |
version_fixed: 1.11.4
|
|
|
7d335d |
status: resolved
|
|
|
7d335d |
|
|
|
7d335d |
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
|
|
7d335d |
index d41bc5d..745a48e 100644
|
|
|
7d335d |
--- a/src/kdc/do_tgs_req.c
|
|
|
7d335d |
+++ b/src/kdc/do_tgs_req.c
|
|
|
7d335d |
@@ -1057,6 +1057,8 @@ find_alternate_tgs(kdc_realm_t *kdc_active_realm, krb5_principal princ,
|
|
|
7d335d |
goto cleanup;
|
|
|
7d335d |
}
|
|
|
7d335d |
cleanup:
|
|
|
7d335d |
+ if (retval == 0 && server_ptr == NULL)
|
|
|
7d335d |
+ retval = KRB5_KDB_NOENTRY;
|
|
|
7d335d |
if (retval != 0)
|
|
|
7d335d |
*status = "UNKNOWN_SERVER";
|
|
|
7d335d |
|
|
|
7d335d |
@@ -1149,7 +1151,7 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
|
|
|
7d335d |
goto cleanup;
|
|
|
7d335d |
}
|
|
|
7d335d |
/* Don't return a referral to the empty realm or the service realm. */
|
|
|
7d335d |
- if (realms == NULL || realms[0] == '\0' ||
|
|
|
7d335d |
+ if (realms == NULL || realms[0] == NULL || *realms[0] == '\0' ||
|
|
|
7d335d |
data_eq_string(srealm, realms[0])) {
|
|
|
7d335d |
retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
|
|
7d335d |
goto cleanup;
|