
krb5 commit [krb5-1.13]: Fix LDAP misused policy name crash

daemon@ATHENA.MIT.EDU (Tom Yu)
Tue Dec 16 14:30:42 2014

Date: Tue, 16 Dec 2014 14:25:57 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201412161925.sBGJPv0R020718@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/2865a748eff3b37d2090e9cf1c88d23bc7df7710
commit 2865a748eff3b37d2090e9cf1c88d23bc7df7710
Author: Greg Hudson <ghudson@mit.edu>
Date:   Fri Dec 5 14:01:39 2014 -0500

    Fix LDAP misused policy name crash [CVE-2014-5353]
    
    In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
    successfully with no results, return KRB5_KDB_NOENTRY instead of
    returning success with a zeroed-out policy object.  This fixes a null
    dereference when an admin attempts to use an LDAP ticket policy name
    as a password policy name.
    
    CVE-2014-5353:
    
    In MIT krb5, when kadmind is configured to use LDAP for the KDC
    database, an authenticated remote attacker can cause a NULL dereference
    by attempting to use a named ticket policy object as a password policy
    for a principal.  The attacker needs to be authenticated as a user who
    has the elevated privilege for setting password policy by adding or
    modifying principals.
    
    Queries to LDAP scoped to the krbPwdPolicy object class will correctly
    not return entries of other classes, such as ticket policy objects, but
    may return success with no returned elements if an object with the
    requested DN exists in a different object class.  In this case, the
    routine to retrieve a password policy returned success with a password
    policy object that consisted entirely of zeroed memory.  In particular,
    accesses to the policy name will dereference a NULL pointer.  KDC
    operation does not access the policy name field, but most kadmin
    operations involving the principal with incorrect password policy
    will trigger the crash.
    
    Thanks to Patrik Kis for reporting this problem.
    
    CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
    
    [kaduk@mit.edu: CVE description and CVSS score]
    
    (cherry picked from commit d1f707024f1d0af6e54a18885322d70fa15ec4d3)
    
    ticket: 8051
    version_fixed: 1.13.1
    status: resolved

 src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)
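The commit message describes a "success with zero results" outcome that the pre-fix code turned into a zeroed policy object. The following stand-alone C model, added here and not part of the krb5 source or this commit, shows the pre-fix and post-fix shapes of that lookup side by side and a caller that trusts the status code the way kadmin did. Everything in it is a constructed stand-in: `search_base`, `dir_entry`, the two DNs, and the numeric values of `KRB5_KDB_NOENTRY` and `ENOMEM_STATUS` are assumptions for illustration, not the plugin's real LDAP or kdb types.

```c
#include <stdlib.h>
#include <string.h>

/* Placeholder codes; the real plugin uses krb5's error tables. */
#define KRB5_KDB_NOENTRY (-1)
#define ENOMEM_STATUS    (-2)

/* Constructed directory: each entry is a DN plus its objectClass. */
typedef struct { const char *dn; const char *object_class; } dir_entry;
static const dir_entry directory[] = {
    { "cn=strong,cn=policies,dc=example,dc=com", "krbPwdPolicy" },
    { "cn=tix,cn=policies,dc=example,dc=com",    "krbTicketPolicy" },
};

/* Model of a base-scope search filtered on objectClass.  As with LDAP, the
 * search succeeds (0) even when no entry matches; the match goes in *ent. */
static int search_base(const char *dn, const char *object_class,
                       const dir_entry **ent)
{
    size_t i;

    *ent = NULL;
    for (i = 0; i < sizeof(directory) / sizeof(directory[0]); i++) {
        if (strcmp(directory[i].dn, dn) == 0 &&
            strcmp(directory[i].object_class, object_class) == 0)
            *ent = &directory[i];
    }
    return 0;
}

/* A zeroed policy object has name == NULL: the pointer that was dereferenced. */
typedef struct { char *name; } pwd_policy;

static int populate_policy(const char *pol_name, pwd_policy *policy)
{
    size_t len = strlen(pol_name) + 1;

    policy->name = malloc(len);
    if (policy->name == NULL)
        return ENOMEM_STATUS;
    memcpy(policy->name, pol_name, len);
    return 0;
}

/* Pre-fix shape: an empty result set falls through to "success", and the
 * caller gets back the zeroed policy. */
int get_policy_vulnerable(const char *dn, pwd_policy *policy)
{
    const dir_entry *ent;
    int st;

    memset(policy, 0, sizeof(*policy));
    st = search_base(dn, "krbPwdPolicy", &ent);
    if (st != 0)
        return st;
    if (ent != NULL)
        st = populate_policy(dn, policy);
    return st;  /* still 0 when ent == NULL */
}

/* Post-fix shape: "no entry" is reported as its own error code. */
int get_policy_fixed(const char *dn, pwd_policy *policy)
{
    const dir_entry *ent;
    int st;

    memset(policy, 0, sizeof(*policy));
    st = search_base(dn, "krbPwdPolicy", &ent);
    if (st != 0)
        return st;
    if (ent == NULL)
        return KRB5_KDB_NOENTRY;
    return populate_policy(dn, policy);
}

/* A caller that trusts the status code, as kadmin did.  Returns the name
 * length on success, -1 when the lookup fails, and -2 for the state that
 * crashed the real code: success reported but policy.name still NULL. */
int policy_name_length(int (*lookup)(const char *, pwd_policy *),
                       const char *dn)
{
    pwd_policy pol;
    int len;

    if (lookup(dn, &pol) != 0)
        return -1;
    len = (pol.name != NULL) ? (int)strlen(pol.name) : -2;
    free(pol.name);
    return len;
}
```

Passing the ticket-policy DN to `get_policy_vulnerable` returns 0 with `name == NULL`, which `policy_name_length` reports as -2 (the real caller would have dereferenced it); `get_policy_fixed` returns `KRB5_KDB_NOENTRY` for the same DN, so the caller never sees a zeroed object behind a success code.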

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
index 522773e..6779f51 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
     LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
 
     ent=ldap_first_entry(ld, result);
-    if (ent != NULL) {
-        if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
-            goto cleanup;
+    if (ent == NULL) {
+        st = KRB5_KDB_NOENTRY;
+        goto cleanup;
     }
+    st = populate_policy(context, ld, ent, pol_name, *policy);
 
 cleanup:
     ldap_msgfree(result);
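Review bot: the new `if (ent == NULL)` branch correctly turns an empty result set into KRB5_KDB_NOENTRY, but it leaves the caller-supplied `*policy` object untouched (zeroed, per the commit message), so every caller of krb5_ldap_get_password_policy_from_dn needs to treat KRB5_KDB_NOENTRY as "no usable policy" and release the object rather than read any field of it; a short comment on the branch saying that a base-scope search on a DN that exists under a different object class (such as a ticket policy) lands here would make that contract obvious to the next reader. Minor style point on the unchanged `ent=ldap_first_entry(ld, result);` context line: spacing around `=` would match the rest of the function.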
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
