krb5 commit [krb5-1.11]: KDC null deref due to referrals [CVE-2013-1417]

Tom Yu tlyu at MIT.EDU
Mon Jul 1 22:38:29 EDT 2013


https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc
commit 4c023ba43c16396f0d199e2df1cfa59b88b62acc
Author: Tom Yu <tlyu at mit.edu>
Date:   Fri Jun 21 17:58:25 2013 -0400

    KDC null deref due to referrals [CVE-2013-1417]
    
    An authenticated remote client can cause a KDC to crash by making a
    valid TGS-REQ to a KDC serving a realm with a single-component name.
    The process_tgs_req() function dereferences a null pointer because an
    unusual failure condition causes a helper function to return success.
    
    While attempting to provide cross-realm referrals for host-based
    service principals, the find_referral_tgs() function could return a
    TGS principal for a zero-length realm name (indicating that the
    hostname in the service principal has no known realm associated with
    it).
    
    Subsequently, the find_alternate_tgs() function would attempt to
    construct a path to this empty-string realm, and return success along
    with a null pointer in its output parameter.  This happens because
    krb5_walk_realm_tree() returns a list of length one when it attempts
    to construct a transit path between a single-component realm and the
    empty-string realm.  This list causes a loop in find_alternate_tgs()
    to iterate over zero elements, resulting in the unexpected output of a
    null pointer, which process_tgs_req() proceeds to dereference because
    there is no error condition.
    
    Add an error condition to find_referral_tgs() when
    krb5_get_host_realm() returns an empty realm name.  Also add an error
    condition to find_alternate_tgs() to handle the length-one output from
    krb5_walk_realm_tree().
    
    The vulnerable configuration is not likely to arise in practice.
    (Realm names that have a single component are likely to be test
    realms.)  Releases prior to krb5-1.11 are not vulnerable.
    
    Thanks to Sol Jerome for reporting this problem.
    
    CVSSv2: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
    
    (cherry picked from commit 3c7f1c21ffaaf6c90f1045f0f5440303c766acc0)
    
    ticket: 7668
    version_fixed: 1.11.4
    status: resolved

 src/kdc/do_tgs_req.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index d41bc5d..745a48e 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1057,6 +1057,8 @@ find_alternate_tgs(kdc_realm_t *kdc_active_realm, krb5_principal princ,
         goto cleanup;
     }
 cleanup:
+    if (retval == 0 && server_ptr == NULL)
+        retval = KRB5_KDB_NOENTRY;
     if (retval != 0)
         *status = "UNKNOWN_SERVER";
 
@@ -1149,7 +1151,7 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
         goto cleanup;
     }
     /* Don't return a referral to the empty realm or the service realm. */
-    if (realms == NULL || realms[0] == '\0' ||
+    if (realms == NULL || realms[0] == NULL || *realms[0] == '\0' ||
         data_eq_string(srealm, realms[0])) {
         retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
         goto cleanup;


More information about the cvs-krb5 mailing list