-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MITKRB5-SA-2010-006

MIT krb5 Security Advisory 2010-006
Original release: 2010-10-05

Topic: KDC uninitialized pointer crash in authorization data handling

CVE-2010-1322

CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      8

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: Partial
Integrity Impact:       Partial
Availability Impact:    Complete

CVSSv2 Temporal Score:  7

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

When the MIT krb5 KDC receives certain Kerberos TGS request messages,
it may dereference an uninitialized pointer while processing
authorization data, causing a crash, or in rare cases, unauthorized
information disclosure, ticket modification, or execution of arbitrary
code.  The crash may be triggered by legitimate requests.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.

IMPACT
======

An authenticated remote attacker can cause the MIT krb5 KDC process to
crash, resulting in a denial of service.  In rare cases, the attacker
can theoretically induce unauthorized information disclosure, ticket
modification, or the execution of arbitrary code.  The denial of
service may be triggered by legitimate requests produced by Windows
Active Directory clients.

No exploit code is known to exist that would cause information
disclosure, ticket modification, or arbitrary code execution.

AFFECTED SOFTWARE
=================

* KDC in MIT krb5-1.8 through krb5-1.8.3

* Earlier releases of MIT krb5 did not contain the vulnerable code.

FIXES
=====

* The upcoming krb5-1.8.4 release will contain a fix for this
  vulnerability.

* Apply the following patch.  The patch was generated against
  krb5-1.8.3.

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index b5de64d..cc44e29 100644 - --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c
@@ -495,7 +495,7 @@ merge_authdata (krb5_context context, krb5_boolean copy, krb5_boolean ignore_kdc_issued) { - - size_t i, nadata = 0; + size_t i, j, nadata = 0; krb5_authdata **authdata = *out_authdata; if (in_authdata == NULL || in_authdata[0] == NULL) 
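Review bot: the new index `j` on `size_t i, j, nadata = 0;` is introduced without a comment saying what it counts; since this declaration is the one place a reader sees the two indices side by side, a short comment such as `/* i walks in_authdata, j counts entries actually kept */` would make the separate source and destination indexing in the loop that follows self-explanatory.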
@@ -529,16 +529,16 @@ merge_authdata (krb5_context context, in_authdata = tmp; } - - for (i = 0; in_authdata[i] != NULL; i++) { + for (i = 0, j = 0; in_authdata[i] != NULL; i++) { if (ignore_kdc_issued && is_kdc_issued_authdatum(context, in_authdata[i], 0)) { free(in_authdata[i]->contents); free(in_authdata[i]); } else - - authdata[nadata + i] = in_authdata[i]; + authdata[nadata + j++] = in_authdata[i]; } - - authdata[nadata + i] = NULL; + authdata[nadata + j] = NULL; free(in_authdata);

This patch is also available at

        http://web.mit.edu/kerberos/advisories/2010-006-patch.txt

A PGP-signed patch is available at

        http://web.mit.edu/kerberos/advisories/2010-006-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

        http://www.first.org/cvss/cvss-guide.html
        http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-1322

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1322

ACKNOWLEDGMENTS
===============

Thanks to Mike Roszkowski for reporting this vulnerability, providing
a patch, and helping with analysis.  Thanks to Pavel Jindra and
Radoslav Bodo for additional testing.

CONTACT
=======

The MIT Kerberos Team security contact address is .  When sending
sensitive information, please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid                  MIT Kerberos Team Security Contact

DETAILS
=======

In the function merge_authdata() in kdc_authdata.c, a loop that
attempts to exclude KDC-issued authorization data items when merging
two authorization data lists will advance the destination index
inappropriately when filtering out such an item.
As a result, that entry in the destination list will be an
uninitialized pointer.  Subsequent operations on the resulting
authorization data list can dereference that uninitialized pointer,
typically causing a crash.

It is theoretically possible that an attacker could manipulate the
contents of the heap so that the uninitialized pointer points to a
valid address, allowing unauthorized information disclosure,
manipulation of the authorization data in the resulting ticket, or a
subsequent free of that pointer.  It is theoretically possible that an
attacker inducing the freeing of a chosen pointer could corrupt the
heap and execute arbitrary code.

Windows Active Directory clients can produce TGS requests that trigger
this vulnerability fairly consistently.

REVISION HISTORY
================

2010-10-05  original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAkyrdcEACgkQSO8fWy4vZo5QVQCfbvzBA0Mx+CLktnrWgyphhQaZ
9TkAoJHEC0Nm1kt3MDP4MeFf7kjgM/OS
=aEOG
-----END PGP SIGNATURE-----
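To make the gap described in DETAILS concrete, the following is an added, self-contained C model of the merge_authdata() loop (not code from MIT krb5): it runs the krb5-1.8.3 form of the loop and the patched form over a constructed three-item list containing one KDC-issued entry, with every destination slot pre-filled with a sentinel so the slot the old loop never writes can be counted. The authdatum struct, the AD_KDC_ISSUED marker and the mk() helper are stand-ins for the real krb5_authdata type and is_kdc_issued_authdatum().

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_authdata: only the fields the merge loop touches. */
typedef struct { int ad_type; char *contents; } authdatum;
#define AD_KDC_ISSUED 4   /* constructed marker; stands in for is_kdc_issued_authdatum() */

static authdatum *mk(int type, const char *s) {
    authdatum *ad = malloc(sizeof *ad);
    ad->ad_type = type;
    ad->contents = malloc(strlen(s) + 1);
    strcpy(ad->contents, s);
    return ad;
}

/* Mirrors the loop in merge_authdata(): appends `in` (NULL-terminated and
 * consumed) to `out` after its first `nadata` entries, dropping KDC-issued
 * items.  fixed=0 is the krb5-1.8.3 loop, fixed=1 the patched loop. */
static void merge(authdatum **out, size_t nadata, authdatum **in, int fixed) {
    size_t i, j;
    for (i = 0, j = 0; in[i] != NULL; i++) {
        if (in[i]->ad_type == AD_KDC_ISSUED) {
            free(in[i]->contents);
            free(in[i]);
        } else if (fixed)
            out[nadata + j++] = in[i];     /* j counts entries actually kept */
        else
            out[nadata + i] = in[i];       /* bug: i has moved past the dropped item */
    }
    out[nadata + (fixed ? j : i)] = NULL;
    free(in);
}

/* Runs one merge over a constructed list (existing | A, K(kdc-issued), B) and
 * returns how many slots before the terminator were never written, i.e. still
 * hold the sentinel the real KDC would see as an uninitialized pointer. */
size_t uninitialized_slots(int fixed) {
    authdatum sentinel = {0, NULL};
    authdatum *out[8], **in = calloc(4, sizeof *in);
    size_t k, gaps = 0;
    for (k = 0; k < 8; k++) out[k] = &sentinel;
    out[0] = mk(1, "existing");
    in[0] = mk(1, "A"); in[1] = mk(AD_KDC_ISSUED, "K"); in[2] = mk(1, "B");
    merge(out, 1, in, fixed);
    for (k = 0; out[k] != NULL; k++) {
        if (out[k] == &sentinel) gaps++;
        else { free(out[k]->contents); free(out[k]); }
    }
    return gaps;
}
```

With the old loop the walk from index 0 to the terminator crosses one slot that was never written, which is exactly the pointer a later consumer of the merged list would dereference; with the patched loop the list is contiguous.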