-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2012-001 MIT krb5 Security Advisory 2012-001 Original release: 2012-07-31 Topic: KDC heap corruption and crash vulnerabilities CVE-2012-1015: KDC frees uninitialized pointer CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 9.3 Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete CVSSv2 Temporal Score: 7.3 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed CVE-2012-1014: KDC dereferences uninitialized pointer CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 9 CVSSv2 Temporal Score: 7 SUMMARY ======= CVE-2012-1015: The MIT krb5 KDC (Key Distribution Center) daemon can free an uninitialized pointer while processing an unusual AS-REQ, corrupting the process heap and possibly causing the daemon to abnormally terminate. An attacker could use this vulnerability to execute malicious code, but exploiting frees of uninitialized pointers to execute code is believed to be difficult. It is possible that a legitimate client that is misconfigured in an unusual way could trigger this vulnerability. CVE-2012-1014: The MIT krb5 KDC daemon can dereference an uninitialized pointer while processing a malformed AS-REQ, causing the daemon to abnormally terminate. This vulnerability could theoretically lead to the execution of malicious code, but that is believed to be very difficult. No known exploit exists that is capable of executing malicious code for either vulnerability, but it is also not difficult to trigger a denial of service with either vulnerability. IMPACT ====== CVE-2012-1015: By sending a specially crafted AS-REQ, an unauthenticated remote attacker can cause the KDC to abnormally terminate or to execute malicious code. CVE-2012-1014: By sending a malformed AS-REQ, an unauthenticated remote attacker can cause the KDC to abnormally terminate. It is theoretically possible, but unlikely, for this vulnerability to lead to the execution of malicious code. AFFECTED SOFTWARE ================= * The KDC in releases krb5-1.8 and later is vulnerable to CVE-2012-1015. * The KDC in releases krb5-1.10 and later is vulnerable to CVE-2012-1014. * Some platforms detect attempts to free invalid pointers and protectively terminate the process, preventing arbitrary code execution on those platforms. FIXES ===== * The upcoming krb5-1.10.3 release will contain a fix for CVE-2012-1014 and CVE-2012-1015. * The upcoming krb5-1.9.5 release will contain a fix for CVE-2012-1015. * Apply the following patch: diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 23623fe..8ada9d0 100644 - --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, krb5_enctype useenctype; struct as_req_state *state; - - state = malloc(sizeof(*state)); + state = calloc(sizeof(*state), 1); if (!state) { (*respond)(arg, ENOMEM, NULL); return; @@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->authtime = 0; state->c_flags = 0; state->req_pkt = req_pkt; + state->inner_body = NULL; state->rstate = NULL; state->sname = 0; state->cname = 0; diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 9d8cb34..d4ece3f 100644 - --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request, continue; } - - if (request_contains_enctype(context, request, db_etype)) { + if (krb5_is_permitted_enctype(context, db_etype) && + request_contains_enctype(context, request, db_etype)) { retval = _make_etype_info_entry(context, client->princ, client_key, db_etype, &entry[i], etype_info2); diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index a43b291..94dad3a 100644 - --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request, return 0; pa.magic = KV5M_PA_DATA; pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; + memset(&checksum, 0, sizeof(checksum)); retval = krb5_c_make_checksum(kdc_context,0, reply_key, KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); if (retval != 0) diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index c4bf92e..367c894 100644 - --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) krb5_boolean saw_non_permitted = FALSE; ret = 0; + if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)) + return KRB5_KDB_NO_PERMITTED_KEY; + if (kvno == -1 && stype == -1 && ktype == -1) kvno = 0; This patch is also available at http://web.mit.edu/kerberos/advisories/2012-001-patch.txt A PGP-signed patch is available at http://web.mit.edu/kerberos/advisories/2012-001-patch.txt.asc REFERENCES ========== This announcement is posted at: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVSSv2: http://www.first.org/cvss/cvss-guide.html http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 CVE: CVE-2012-1014 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1014 CVE: CVE-2012-1015 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015 ACKNOWLEDGMENTS =============== We thank Emmanuel Bouillon (NCI Agency) for discovering and reporting these vulnerabilities. CONTACT ======= The MIT Kerberos Team security contact address is . When sending sensitive information, please PGP-encrypt it using the following key: pub 2048R/07566CE5 2012-01-27 [expires: 2013-02-01] uid MIT Kerberos Team Security Contact DETAILS ======= CVE-2012-1015: KDC frees uninitialized pointer The KDC function kdc_handle_protected_negotiation(), which handles the protected negotiation feature of the FAST Kerberos protocol extension, can attempt to create a checksum using a key type that is invalid for producing checksums. This causes its call to krb5_c_make_checksum() to fail, which leads to the cleanup code in kdc_handle_protected_negotiation() freeing an uninitialized pointer. It is possible, but unlikely, for a legitimate client to be misconfigured in a way that causes the KDC to attempt to use such an invalid key type in this code. CVE-2012-1014: KDC dereferences uninitialized pointer CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 9 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Complete CVSSv2 Temporal Score: 7 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed The KDC function process_as_req(), which handles incoming AS-REQ messages, allocates a state object using malloc() and initializes many fields within it. It fails to initialize state->inner_body, which is a pointer to a krb5_data object. If the uninitialized value state->inner_body is not null, a failure in process_as_req() that precedes the call to kdc_find_fast() could cause error handling code in finish_process_as_req() to pass the uninitialized state->inner_body pointer to krb5_free_data(), which would proceed to dereference the uninitialized pointer. The typical outcome is KDC process termination due to a segmentation fault or similar memory fault. It is theoretically possible for an attacker to manipulate the contents of the heap so that the uninitialized pointer state->inner_body would point to valid memory where state->inner_body->data contains an attacker-chosen invalid pointer value. The krb5_free_data() function would then pass this invalid pointer to free(). This could allow the attacker to overwrite memory or execute malicious code on some platforms, depending on the details of the malloc() implementation. This indirect attack method seems much less likely to succeed than one where the attacker could directly control the invalid pointer value that the program passes to free(). REVISION HISTORY ================ 2012-07-31 original release Copyright (C) 2012 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (SunOS) iEYEARECAAYFAlAYHFcACgkQSO8fWy4vZo6GswCgi1sNmgLekPTxnHgOaiEmKeVF 1TMAn2EoBKvxZBWhNTISWjM1jcV7sHrU =8oTe -----END PGP SIGNATURE-----