|
 |
4be148 |
From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001
|
|
|
4be148 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
4be148 |
Date: Fri, 5 Dec 2014 14:01:39 -0500
|
|
|
4be148 |
Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353]
|
|
|
4be148 |
|
|
|
4be148 |
In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
|
|
|
4be148 |
successfully with no results, return KRB5_KDB_NOENTRY instead of
|
|
|
4be148 |
returning success with a zeroed-out policy object. This fixes a null
|
|
|
4be148 |
dereference when an admin attempts to use an LDAP ticket policy name
|
|
|
4be148 |
as a password policy name.
|
|
|
4be148 |
|
|
|
4be148 |
CVE-2014-5353:
|
|
|
4be148 |
|
|
|
4be148 |
In MIT krb5, when kadmind is configured to use LDAP for the KDC
|
|
|
4be148 |
database, an authenticated remote attacker can cause a NULL dereference
|
|
|
4be148 |
by attempting to use a named ticket policy object as a password policy
|
|
|
4be148 |
for a principal. The attacker needs to be authenticated as a user who
|
|
|
4be148 |
has the elevated privilege for setting password policy by adding or
|
|
|
4be148 |
modifying principals.
|
|
|
4be148 |
|
|
|
4be148 |
Queries to LDAP scoped to the krbPwdPolicy object class will correctly
|
|
|
4be148 |
not return entries of other classes, such as ticket policy objects, but
|
|
|
4be148 |
may return success with no returned elements if an object with the
|
|
|
4be148 |
requested DN exists in a different object class. In this case, the
|
|
|
4be148 |
routine to retrieve a password policy returned success with a password
|
|
|
4be148 |
policy object that consisted entirely of zeroed memory. In particular,
|
|
|
4be148 |
accesses to the policy name will dereference a NULL pointer. KDC
|
|
|
4be148 |
operation does not access the policy name field, but most kadmin
|
|
|
4be148 |
operations involving the principal with incorrect password policy
|
|
|
4be148 |
will trigger the crash.
|
|
|
4be148 |
|
|
|
4be148 |
Thanks to Patrik Kis for reporting this problem.
|
|
|
4be148 |
|
|
|
4be148 |
CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
|
|
|
4be148 |
|
|
|
4be148 |
[kaduk@mit.edu: CVE description and CVSS score]
|
|
|
4be148 |
|
|
|
4be148 |
ticket: 8051 (new)
|
|
|
4be148 |
target_version: 1.13.1
|
|
|
4be148 |
tags: pullup
|
|
|
4be148 |
---
|
|
|
4be148 |
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++---
|
|
|
4be148 |
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
4be148 |
|
|
|
4be148 |
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
|
|
|
4be148 |
index 522773e..6779f51 100644
|
|
|
4be148 |
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
|
|
|
4be148 |
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
|
|
|
4be148 |
@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
|
|
|
4be148 |
LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
|
|
|
4be148 |
|
|
|
4be148 |
ent=ldap_first_entry(ld, result);
|
|
|
4be148 |
- if (ent != NULL) {
|
|
|
4be148 |
- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
|
|
|
4be148 |
- goto cleanup;
|
|
|
4be148 |
+ if (ent == NULL) {
|
|
|
4be148 |
+ st = KRB5_KDB_NOENTRY;
|
|
|
4be148 |
+ goto cleanup;
|
|
|
4be148 |
}
|
|
|
4be148 |
+ st = populate_policy(context, ld, ent, pol_name, *policy);
|
|
|
4be148 |
|
|
|
4be148 |
cleanup:
|
|
|
4be148 |
ldap_msgfree(result);
|