diff options
Diffstat (limited to 'src/tests')
-rw-r--r-- | src/tests/Makefile.in | 2 | ||||
-rw-r--r-- | src/tests/t_cve-2012-1014.py | 31 | ||||
-rw-r--r-- | src/tests/t_cve-2012-1015.py | 38 |
3 files changed, 71 insertions, 0 deletions
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index 39a047ec1f..b78f92aa5d 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -81,6 +81,8 @@ check-pytests:: hist $(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS) # $(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) clean:: $(RM) krb5.conf kdc.conf diff --git a/src/tests/t_cve-2012-1014.py b/src/tests/t_cve-2012-1014.py new file mode 100644 index 0000000000..e02162d6c2 --- /dev/null +++ b/src/tests/t_cve-2012-1014.py @@ -0,0 +1,31 @@ +#!/usr/bin/python + +import base64 +import socket +from k5test import * + +realm = K5Realm() + +# CVE-2012-1014 KDC dereferences uninitialized pointer + +# Affects only krb5-1.10.x. + +s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +a = (hostname, realm.portbase) + +x1 = base64.b16decode('6A5E305BA103020105A2030201') +x2 = base64.b16decode('A44F304DA007030500FEDCBA90A10E30' + + '0CA003020101A10530031B0141A2031B' + + '0141A30E300CA003020101A10530031B' + + '0141A511180F31393934303631303036' + + '303331375AA70302012AA80530030201' + + '01') + +for x in range(11, 128): + s.sendto(''.join([x1, chr(x), x2]), a) + +# Make sure kinit still works. + +realm.kinit(realm.user_princ, password('user')) + +success('CVE-2012-1014 regression test') diff --git a/src/tests/t_cve-2012-1015.py b/src/tests/t_cve-2012-1015.py new file mode 100644 index 0000000000..e00c4dc900 --- /dev/null +++ b/src/tests/t_cve-2012-1015.py @@ -0,0 +1,38 @@ +#!/usr/bin/python + +import base64 +import socket +from k5test import * + +realm = K5Realm() + +# CVE-2012-1015 KDC frees uninitialized pointer + +# Force a failure in krb5_c_make_checksum(), which causes the cleanup +# code in kdc_handle_protected_negotiation() to free an uninitialized +# pointer in an unpatched KDC. + +s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +a = (hostname, realm.portbase) + +x1 = base64.b16decode('6A81A030819DA103020105A20302010A' + + 'A30E300C300AA10402020095A2020400' + + 'A48180307EA00703050000000000A120' + + '301EA003020101A11730151B066B7262' + + '7467741B0B4B5242544553542E434F4D' + + 'A20D1B0B4B5242544553542E434F4DA3' + + '20301EA003020101A11730151B066B72' + + '627467741B0B4B5242544553542E434F' + + '4DA511180F3139393430363130303630' + + '3331375AA7030201') + +x2 = base64.b16decode('A8083006020106020112') + +for x in range(0, 128): + s.sendto(''.join([x1, chr(x), x2]), a) + +# Make sure kinit still works. + +realm.kinit(realm.user_princ, password('user')) + +success('CVE-2012-1015 regression test') |