[27664] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit [krb5-1.10]: KDC TGS-REQ null deref [CVE-2013-1416]

daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Apr 5 14:22:02 2013

Date: Fri, 5 Apr 2013 14:21:58 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201304051821.r35ILw9c032255@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/8ee70ec63931d1e38567905387ab9b1d45734d81
commit 8ee70ec63931d1e38567905387ab9b1d45734d81
Author: Tom Yu <tlyu@mit.edu>
Date:   Fri Mar 29 19:27:33 2013 -0400

    KDC TGS-REQ null deref [CVE-2013-1416]
    
    By sending an unusual but valid TGS-REQ, an authenticated remote
    attacker can cause the KDC process to crash by dereferencing a null
    pointer.
    
    prep_reprocess_req() can cause a null pointer dereference when
    processing a service principal name.  Code in this function can
    inappropriately pass a null pointer to strlcpy().  Unmodified client
    software can trivially trigger this vulnerability, but the attacker
    must have already authenticated and received a valid Kerberos ticket.
    
    The vulnerable code was introduced by the implementation of new
    service principal realm referral functionality in krb5-1.7, but was
    corrected as a side effect of the KDC refactoring in krb5-1.11.
    
    CVSSv2 vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C
    
    ticket: 7600 (new)
    version_fixed: 1.10.5
    status: resolved

 src/kdc/do_tgs_req.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 9ff80cf..86496e9 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1141,7 +1141,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
             retval = ENOMEM;
             goto cleanup;
         }
-        strlcpy(comp1_str,comp1->data,comp1->length+1);
+        if (comp1->data != NULL)
+            memcpy(comp1_str, comp1->data, comp1->length);
 
         if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
              krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
@@ -1164,7 +1165,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
                 retval = ENOMEM;
                 goto cleanup;
             }
-            strlcpy(temp_buf, comp2->data,comp2->length+1);
+            if (comp2->data != NULL)
+                memcpy(temp_buf, comp2->data, comp2->length);
             retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
             free(temp_buf);
             if (retval) {
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5

home help back first fref pref prev next nref lref last post