[1251] in Kerberos_V5_Development


security flaw in get_in_tkt: address verification

daemon@ATHENA.MIT.EDU (Barry Jaspan)
Thu May 30 13:11:49 1996

Date: Thu, 30 May 96 13:11:24 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: krbdev@MIT.EDU


verify_as_reply in get_in_tkt.c does not currently verify that the
address list in the reply is the same as was requested:

	/* XXX || (!krb5_addresses_compare(context, addrs,
		   as_reply->enc_part2->caddrs)) */ 

This means that an attacker can intercept an AS_REQ, insert his own
address into the list, steal the resulting krbtgt from the client, and
use the stolen ticket from his own IP address.

Of course, this is not really a significant issue because it still
requires the attacker to steal the tickets or know the client's
password and, of course, having accomplished that an attacker could
easily forge the correct IP address anyway even if this vulnerability
did not exist.  Frankly, I've been arguing since at latest 1990 that
Kerberos should not bother to include or check IP addresses in tickets
because it increases code complexity and does not increase security in
any significant way; the fact that this bug exists supports my point
further.

Barry
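The comparison that the commented-out condition above was meant to perform, written out as an added example (not krb5's own code): it checks that the address list in an AS reply is exactly the set the client requested, so a reply carrying an address the client never asked for is rejected. The struct and function names here are assumptions, not the krb5 API.

```c
/* Added example (not krb5's own code): the address-list comparison
 * verify_as_reply was missing. addr_t is a simplified stand-in for
 * krb5_address; all helper names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    int addrtype;                  /* e.g. 2 = ADDRTYPE_INET */
    size_t length;                 /* 4 for an IPv4 address */
    const unsigned char *contents;
} addr_t;

static bool addr_equal(const addr_t *a, const addr_t *b)
{
    return a->addrtype == b->addrtype && a->length == b->length &&
           memcmp(a->contents, b->contents, a->length) == 0;
}

/* True iff every address in a[] also appears in b[]. */
static bool subset(const addr_t *a, size_t na, const addr_t *b, size_t nb)
{
    for (size_t i = 0; i < na; i++) {
        bool found = false;
        for (size_t j = 0; j < nb && !found; j++)
            found = addr_equal(&a[i], &b[j]);
        if (!found)
            return false;
    }
    return true;
}

/* Order-insensitive equality of the requested and returned address lists.
 * A reply carrying an address the client never asked for fails here. */
bool addrs_match(const addr_t *requested, size_t nreq,
                 const addr_t *reply, size_t nrep)
{
    return subset(reply, nrep, requested, nreq) &&
           subset(requested, nreq, reply, nrep);
}

/* Constructed sample: the client asked for one address; the tampered
 * reply carries that address plus a second one it did not request. */
static const unsigned char client_ip[4] = {10, 0, 0, 5};
static const unsigned char other_ip[4]  = {10, 0, 0, 99};
const addr_t requested[1] = {{2, 4, client_ip}};
const addr_t tampered[2]  = {{2, 4, client_ip}, {2, 4, other_ip}};
```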

