diff options
author | Tom Yu <tlyu@mit.edu> | 2013-06-21 17:58:25 -0400 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2013-07-01 14:12:49 -0400 |
commit | 3c7f1c21ffaaf6c90f1045f0f5440303c766acc0 (patch) | |
tree | 70a66702374fec38cb9d6c2a6e0ce1f7ed05d3d8 /src/kdc/do_tgs_req.c | |
parent | 0f0943fb630b8487235c1124cd92cc697af0ac72 (diff) | |
download | krb5-3c7f1c21ffaaf6c90f1045f0f5440303c766acc0.tar.gz krb5-3c7f1c21ffaaf6c90f1045f0f5440303c766acc0.tar.xz krb5-3c7f1c21ffaaf6c90f1045f0f5440303c766acc0.zip |
KDC null deref due to referrals [CVE-2013-1417]
An authenticated remote client can cause a KDC to crash by making a
valid TGS-REQ to a KDC serving a realm with a single-component name.
The process_tgs_req() function dereferences a null pointer because an
unusual failure condition causes a helper function to return success.
While attempting to provide cross-realm referrals for host-based
service principals, the find_referral_tgs() function could return a
TGS principal for a zero-length realm name (indicating that the
hostname in the service principal has no known realm associated with
it).
Subsequently, the find_alternate_tgs() function would attempt to
construct a path to this empty-string realm, and return success along
with a null pointer in its output parameter. This happens because
krb5_walk_realm_tree() returns a list of length one when it attempts
to construct a transit path between a single-component realm and the
empty-string realm. This list causes a loop in find_alternate_tgs()
to iterate over zero elements, resulting in the unexpected output of a
null pointer, which process_tgs_req() proceeds to dereference because
there is no error condition.
Add an error condition to find_referral_tgs() when
krb5_get_host_realm() returns an empty realm name. Also add an error
condition to find_alternate_tgs() to handle the length-one output from
krb5_walk_realm_tree().
The vulnerable configuration is not likely to arise in practice.
(Realm names that have a single component are likely to be test
realms.) Releases prior to krb5-1.11 are not vulnerable.
Thanks to Sol Jerome for reporting this problem.
CVSSv2: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
ticket: 7668 (new)
tags: pullup
target_version: 1.11.4
Diffstat (limited to 'src/kdc/do_tgs_req.c')
-rw-r--r-- | src/kdc/do_tgs_req.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 7ddb84a420..2d5fceed94 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1035,6 +1035,8 @@ find_alternate_tgs(kdc_realm_t *kdc_active_realm, krb5_principal princ, goto cleanup; } cleanup: + if (retval == 0 && server_ptr == NULL) + retval = KRB5_KDB_NOENTRY; if (retval != 0) *status = "UNKNOWN_SERVER"; @@ -1137,7 +1139,7 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, goto cleanup; } /* Don't return a referral to the empty realm or the service realm. */ - if (realms == NULL || realms[0] == '\0' || + if (realms == NULL || realms[0] == NULL || *realms[0] == '\0' || data_eq_string(srealm, realms[0])) { retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; goto cleanup; |