krb5 commit [krb5-1.10]: Regression tests for CVE-2012-1014, CVE-2012-1015
Tom Yu
tlyu at MIT.EDU
Wed Aug 8 14:00:52 EDT 2012
https://github.com/krb5/krb5/commit/a38c0d2c55db48c0f209fdc4fe8a725e582a6989
commit a38c0d2c55db48c0f209fdc4fe8a725e582a6989
Author: Tom Yu <tlyu at mit.edu>
Date: Tue Aug 7 23:14:03 2012 -0400
Regression tests for CVE-2012-1014, CVE-2012-1015
(cherry picked from commit 98d2c88615ebbaf2012d54a2e17aa3863ba4b7f6)
ticket: 7231
version_fixed: 1.10.3
status: resolved
src/tests/Makefile.in | 2 ++
src/tests/t_cve-2012-1014.py | 31 +++++++++++++++++++++++++++++++
src/tests/t_cve-2012-1015.py | 38 ++++++++++++++++++++++++++++++++++++++
3 files changed, 71 insertions(+), 0 deletions(-)
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 008e7d1..a8ca464 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -75,6 +75,8 @@ check-pytests:: hist
$(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
# $(RUNPYTEST) $(srcdir)/kdc_realm/kdcref.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
clean::
$(RM) kdc.conf
diff --git a/src/tests/t_cve-2012-1014.py b/src/tests/t_cve-2012-1014.py
new file mode 100644
index 0000000..e02162d
--- /dev/null
+++ b/src/tests/t_cve-2012-1014.py
@@ -0,0 +1,31 @@
+#!/usr/bin/python
+
+import base64
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# CVE-2012-1014 KDC dereferences uninitialized pointer
+
+# Affects only krb5-1.10.x.
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+x1 = base64.b16decode('6A5E305BA103020105A2030201')
+x2 = base64.b16decode('A44F304DA007030500FEDCBA90A10E30' +
+ '0CA003020101A10530031B0141A2031B' +
+ '0141A30E300CA003020101A10530031B' +
+ '0141A511180F31393934303631303036' +
+ '303331375AA70302012AA80530030201' +
+ '01')
+
+for x in range(11, 128):
+ s.sendto(''.join([x1, chr(x), x2]), a)
+
+# Make sure kinit still works.
+
+realm.kinit(realm.user_princ, password('user'))
+
+success('CVE-2012-1014 regression test')
diff --git a/src/tests/t_cve-2012-1015.py b/src/tests/t_cve-2012-1015.py
new file mode 100644
index 0000000..e00c4dc
--- /dev/null
+++ b/src/tests/t_cve-2012-1015.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python
+
+import base64
+import socket
+from k5test import *
+
+realm = K5Realm()
+
+# CVE-2012-1015 KDC frees uninitialized pointer
+
+# Force a failure in krb5_c_make_checksum(), which causes the cleanup
+# code in kdc_handle_protected_negotiation() to free an uninitialized
+# pointer in an unpatched KDC.
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+a = (hostname, realm.portbase)
+
+x1 = base64.b16decode('6A81A030819DA103020105A20302010A' +
+ 'A30E300C300AA10402020095A2020400' +
+ 'A48180307EA00703050000000000A120' +
+ '301EA003020101A11730151B066B7262' +
+ '7467741B0B4B5242544553542E434F4D' +
+ 'A20D1B0B4B5242544553542E434F4DA3' +
+ '20301EA003020101A11730151B066B72' +
+ '627467741B0B4B5242544553542E434F' +
+ '4DA511180F3139393430363130303630' +
+ '3331375AA7030201')
+
+x2 = base64.b16decode('A8083006020106020112')
+
+for x in range(0, 128):
+ s.sendto(''.join([x1, chr(x), x2]), a)
+
+# Make sure kinit still works.
+
+realm.kinit(realm.user_princ, password('user'))
+
+success('CVE-2012-1015 regression test')
More information about the cvs-krb5
mailing list