-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MITKRB5-SA-2009-002

          MIT krb5 Security Advisory 2009-002

Original release: 2009-04-07
Last update: 2009-05-26

Topic: ASN.1 decoder frees uninitialized pointer [CVE-2009-0846]

ASN.1 GeneralizedTime decoder can free uninitialized pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

[CVE-2009-0846] An ASN.1 decoder can free an uninitialized pointer when
decoding an invalid (for example, truncated) GeneralizedTime encoding.
This can cause a Kerberos application to crash, or, under theoretically
possible but unlikely circumstances, execute arbitrary malicious code.
No exploit is known to exist that would cause arbitrary code execution.

This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.

IMPACT
======

[CVE-2009-0846] An unauthenticated, remote attacker could cause a
Kerberos application, including the Kerberos administration daemon
(kadmind) or the KDC, to crash, and possibly to execute arbitrary code.
Compromise of the KDC or kadmind can compromise the Kerberos key
database and host security on the KDC host. (The KDC and kadmind
typically run as root.) We believe this scenario is highly unlikely,
given the details of the vulnerability.

Third-party applications using MIT krb5 may also be vulnerable.

MITIGATING FACTORS
==================

While it is theoretically possible for an attacker to execute arbitrary
code by exploiting this vulnerability, it is believed to be more
difficult than exploiting other sorts of memory management flaws such
as double-free or heap buffer overflow events.
Also, in order to exploit this vulnerability to remotely execute code,
an attacker must ensure that the uninitialized pointer points to valid
address space; otherwise the dereference of the pointer will typically
crash the process before anything is freed. Some operating systems have
hardened malloc implementations that are not susceptible to this
problem. These operating systems are still vulnerable to a denial of
service if the uninitialized pointer points to invalid address space.

AFFECTED SOFTWARE
=================

* All MIT krb5 releases

* Third-party software using the krb5 library from MIT krb5 releases

FIXES
=====

* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for
  this vulnerability.

* Apply the patch:

diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
index aa4be32..5f7461d 100644
- --- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
   if(length != 15) return ASN1_BAD_LENGTH;
 
   retval = asn1buf_remove_charstring(buf,15,&s);
+  if (retval) return retval;
   /* Time encoding: YYYYMMDDhhmmssZ */
   if(s[14] != 'Z') {
     free(s);
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 0ff9343..04ea287 100644
- --- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
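Review bot: the added `if (retval) return retval;` closes the only path in this hunk on which `s` is read before being assigned, but it guards a single call site; any other asn1buf_remove_charstring() caller in asn1_decode.c that discards retval and then reads the output string has the same bug and needs the same line. Also consider initializing `s` to NULL at its declaration (above this hunk) so that a future missed check trips on a null pointer rather than on whatever happens to be on the stack, which is exactly the uncertain outcome the advisory describes.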
@@ -485,6 +485,22 @@ int main(argc, argv)
     ktest_destroy_keyblock(&(ref.subkey));
     ref.seq_number = 0;
     decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+    retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+    if (retval) {
+      com_err("krb5_decode_test", retval, "while parsing");
+      exit(1);
+    }
+    retval = decode_krb5_ap_rep_enc_part(&code, &var);
+    if (retval != ASN1_OVERRUN) {
+      printf("ERROR: ");
+    } else {
+      printf("OK: ");
+    }
+    printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+    krb5_free_data_contents(test_context, &code);
+    if (!retval) krb5_free_ap_rep_enc_part(test_context, var);
+
     ktest_empty_ap_rep_enc_part(&ref);
   }
 

This patch is also available at

http://web.mit.edu/kerberos/advisories/2009-002-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2009-002-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-002.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2009-0846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846

CERT: VU#662091
http://www.kb.cert.org/vuls/id/662091

CONTACT
=======

The MIT Kerberos Team security contact address is .
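Review bot: in the krb5_decode_test.c hunk, the failure branch `printf("ERROR: ");` neither exits nor records the failure, so a regression to the unchecked-retval behaviour that happened not to crash would print ERROR and the test binary would still exit 0; the krb5_data_hex_parse() failure a few lines above uses `exit(1)`, and this branch should fail the run the same way or increment whatever error counter the file's other checks use. Also, `var` is only released when `retval` is 0 (`if (!retval) krb5_free_ap_rep_enc_part(test_context, var);`); that is correct only if decode_krb5_ap_rep_enc_part() frees everything it allocated on every error path, which is worth confirming since the malformed vector is designed to fail part-way through decoding.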
When sending sensitive information, please PGP-encrypt it using the
following key:

pub   2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid                  MIT Kerberos Team Security Contact

DETAILS
=======

The asn1_decode_generaltime() function, which decodes DER encodings of
the ASN.1 type "GeneralizedTime", can free an uninitialized pointer.
The function does not check the return value of
asn1buf_remove_charstring() before using the string it was expected to
produce; when that call fails, for example because the encoding is
shorter than the 15 bytes a GeneralizedTime requires, the string
pointer is never assigned, and the subsequent format check can free it.
This can cause a Kerberos application to crash, or, under theoretically
possible but unlikely circumstances, execute arbitrary malicious code.
No exploit is known to exist that would cause arbitrary code execution.

REVISION HISTORY
================

2009-05-26  update test case patch
2009-04-07  original release

Copyright (C) 2009 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iQCVAgUBSh4/nqbDgE/zdoE9AQIDHwP6A+jzI9a5dPPMv+c1QYhWwc9cwpG+5QpB
dfxfWAcjrujpWNQl1wjCAUMYxft7xSbXs08kiHbnS2FreLG5NWmMXBKbgNbORu48
dfX7fr95iQxFGvqMmLzsm33Ha8l+dhffpNZjLtdao2u/05arQ7wEQJV1UxW8GPMr
kd5AJYwU538=
=wS1r
-----END PGP SIGNATURE-----
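The decoder path described in DETAILS, as an added example that is not part of the advisory or of MIT krb5: a self-contained C model of asn1_decode_generaltime() with the same control flow as the patched function, run over a well-formed timestamp and over the kinds of malformed input the test-case vector produces. The asn1buf type, asn1buf_remove_charstring(), the tag/length handling, the numeric values of the ASN1_* error codes and all input bytes are constructed for this example and are not the krb5 implementation; the well-formed timestamp is the one that appears in the advisory's test vector.

```c
/* Added example (not MIT krb5 code): a minimal DER GeneralizedTime decoder with
 * the control flow of the patched asn1_decode_generaltime(). asn1buf,
 * asn1buf_remove_charstring() and the error-code values are stand-ins, not krb5's. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define ASN1_OVERRUN    1
#define ASN1_BAD_ID     2
#define ASN1_BAD_LENGTH 3
#define ASN1_BAD_FORMAT 4
#define GENERALTIME_TAG 0x18

typedef int asn1_error_code;
typedef struct { const uint8_t *next, *bound; } asn1buf;  /* [next, bound) is unread */

/* Copy len bytes into a malloc'd NUL-terminated string. On overrun it returns
 * without touching *s, which is exactly why an unchecked retval is dangerous. */
static asn1_error_code asn1buf_remove_charstring(asn1buf *buf, size_t len, char **s)
{
    if ((size_t)(buf->bound - buf->next) < len) return ASN1_OVERRUN;
    *s = malloc(len + 1);
    if (*s == NULL) return ENOMEM;
    memcpy(*s, buf->next, len);
    (*s)[len] = '\0';
    buf->next += len;
    return 0;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm),
 * avoiding the non-standard timegm(). */
static long days_from_civil(long y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + (yoe * 365 + yoe / 4 - yoe / 100 + doy) - 719468;
}

/* Parse the seven two-digit fields of "YYYYMMDDhhmmssZ" into a UTC time_t. */
static asn1_error_code parse_fields(const char *s, time_t *val)
{
    int f[7];  /* century, year, month, day, hour, minute, second */
    for (int i = 0; i < 7; i++) {
        const char *p = s + 2 * i;
        if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9') return ASN1_BAD_FORMAT;
        f[i] = (p[0] - '0') * 10 + (p[1] - '0');
    }
    if (f[2] < 1 || f[2] > 12 || f[3] < 1 || f[3] > 31 || f[4] > 23 || f[5] > 59 || f[6] > 60)
        return ASN1_BAD_FORMAT;
    *val = (time_t)(days_from_civil(f[0] * 100L + f[1], f[2], f[3]) * 86400L
                    + f[4] * 3600L + f[5] * 60L + f[6]);
    return 0;
}

/* Same shape as the function in the advisory's hunk. Without the marked line a
 * truncated buffer leaves s unassigned: s[14] reads through stack garbage and,
 * if that byte is not 'Z', free(s) releases an uninitialized pointer. */
static asn1_error_code decode_generaltime(asn1buf *buf, time_t *val)
{
    asn1_error_code retval;
    size_t length;
    char *s = NULL;  /* defence in depth: a missed check now fails on NULL, not garbage */
    if (buf->bound - buf->next < 2 || buf->next[0] != GENERALTIME_TAG) return ASN1_BAD_ID;
    length = buf->next[1]; buf->next += 2;  /* short-form length; 15 never needs long form */
    if (length != 15) return ASN1_BAD_LENGTH;
    retval = asn1buf_remove_charstring(buf, 15, &s);
    if (retval) return retval;  /* <-- the CVE-2009-0846 fix */
    if (s[14] != 'Z') { free(s); return ASN1_BAD_FORMAT; }
    retval = parse_fields(s, val);
    free(s);
    return retval;
}

/* Decode one complete encoding; *val receives the timestamp on success. */
static asn1_error_code decode_generaltime_bytes(const uint8_t *p, size_t n, time_t *val)
{
    asn1buf buf = { p, p + n };
    return decode_generaltime(&buf, val);
}

/* Constructed inputs: the advisory's test-vector timestamp (19940610060317Z), the
 * same TLV cut off after four body bytes (what the test case's inconsistent outer
 * lengths produce), a body with no trailing 'Z', and a 14-byte length. */
static const uint8_t kGood[]      = {0x18,0x0F,'1','9','9','4','0','6','1','0','0','6','0','3','1','7','Z'};
static const uint8_t kTruncated[] = {0x18,0x0F,'1','9','9','4'};
static const uint8_t kNoZ[]       = {0x18,0x0F,'1','9','9','4','0','6','1','0','0','6','0','3','1','7','+'};
static const uint8_t kBadLength[] = {0x18,0x0E,'1','9','9','4','0','6','1','0','0','6','0','3','1','7'};

int main(void)
{
    time_t t = 0;
    int rc = decode_generaltime_bytes(kGood, sizeof kGood, &t);
    printf("good: rc=%d epoch=%ld\n", rc, (long)t);
    printf("truncated: rc=%d (ASN1_OVERRUN=%d)\n", decode_generaltime_bytes(kTruncated, sizeof kTruncated, &t), ASN1_OVERRUN);
    printf("bad length: rc=%d, no Z: rc=%d\n", decode_generaltime_bytes(kBadLength, sizeof kBadLength, &t), decode_generaltime_bytes(kNoZ, sizeof kNoZ, &t));
    return 0;
}
```

The truncated input is the interesting one: the tag and length bytes promise 15 body bytes, only four are present, and asn1buf_remove_charstring() returns ASN1_OVERRUN without ever assigning s. With the `if (retval) return retval;` line removed, the very next statement would index s[14] through whatever the stack held, which is the behaviour the advisory classifies as a crash in the common case and code execution only under unusual conditions.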