MITKRB5-SA-2003-05: Buffer overrun and underrun in principal name handling
Ken Raeburn
raeburn at MIT.EDU
Wed Mar 19 20:04:32 EST 2003
MIT krb5 Security Advisory 2003-005
2003-03-19
Topic: Buffer overrun and underrun in principal name handling
Severity: SERIOUS
SUMMARY
=======
Buffer overrun and underrun problems exist in Kerberos principal name
handling in unusual cases, such as names with zero components, names
with one empty component, or host-based service principal names with
no host name component.
IMPACT
======
* Corruption of malloc pool, probably leading to program crash.
+ The KDC may be vulnerable.
+ Depending on the malloc implementation and platform, it may be
possible to build more serious exploits on this.
* Reference to data just past the end of an array in the KDC, for
comparison against certain fixed data. May result in crashing the
KDC.
AFFECTED SOFTWARE
=================
MIT Kerberos 5, all released versions through 1.2.7 and 1.3-alpha1.
FIX
===
The following patches should fix the most urgent aspects of the
problems in the 1.2.7 release. If these patches do not apply cleanly
to 1.2.6 and earlier versions, the corresponding changes should be
fairly straightforward. The patch to krb5.hin should change any
missed overrun cases in this area into null pointer dereferences,
which will be more likely to crash the program instead of referencing
arbitrary data.
Index: include/krb5.hin
===================================================================
RCS file: /cvs/krbdev/krb5/src/include/krb5.hin,v
retrieving revision 1.94.2.5.2.17
diff -p -u -r1.94.2.5.2.17 krb5.hin
--- include/krb5.hin 2002/04/16 23:47:53 1.94.2.5.2.17
+++ include/krb5.hin 2003/03/19 00:38:54
@@ -326,7 +326,7 @@ typedef krb5_const krb5_principal_data F
#define krb5_princ_size(context, princ) (princ)->length
#define krb5_princ_type(context, princ) (princ)->type
#define krb5_princ_name(context, princ) (princ)->data
-#define krb5_princ_component(context, princ,i) ((princ)->data + i)
+#define krb5_princ_component(context, princ,i) (i < krb5_princ_size(context, princ) ? ((princ)->data + i) : NULL)
/*
* end "base-defs.h"
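Review bot: the macro argument `i` is used unparenthesized in both places on the `+` line (`i < krb5_princ_size(context, princ)` and `(princ)->data + i`), so an argument such as `n, m` or `a ? b : c` would parse differently from what the caller wrote; write `(i)` as the macro already does for `(princ)`. Two further points on the same line: `i` is now evaluated twice, so a caller passing `idx++` would skip a component, and a negative `i` still passes the `<` test and indexes before the array, so the underrun half of the advisory's title is not covered by this check. The effect on existing callers is that an out-of-range index now yields a NULL dereference instead of a read past the end, which the accompanying text presents as intended; callers that can legitimately see short names still need their own length check, as the kdc_util.c hunk adds.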
Index: kdc/kdc_util.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kdc/kdc_util.c,v
retrieving revision 5.96.2.2.2.3
diff -p -u -r5.96.2.2.2.3 kdc_util.c
--- kdc/kdc_util.c 2002/10/31 00:38:34 5.96.2.2.2.3
+++ kdc/kdc_util.c 2003/03/19 00:39:00
@@ -157,7 +157,8 @@ realm_compare(princ1, princ2)
krb5_boolean krb5_is_tgs_principal(principal)
krb5_principal principal;
{
- if ((krb5_princ_component(kdc_context, principal, 0)->length ==
+ if (krb5_princ_size(kdc_context, principal) > 0 &&
+ (krb5_princ_component(kdc_context, principal, 0)->length ==
KRB5_TGS_NAME_SIZE) &&
(!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE)))
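Review bot: the new `krb5_princ_size(kdc_context, principal) > 0 &&` guard covers only the two component-0 accesses visible in this hunk; if the rest of krb5_is_tgs_principal (outside the hunk) also inspects component 1, the realm part of a krbtgt/REALM name, the same condition needs a `> 1` check or that access will hit the NULL now returned by the krb5.hin macro. A one-line comment that the guard must stay first in the `&&` chain would also help, since the short-circuit is the only thing making the following `->length` dereference safe, and a later reordering of the condition would silently reintroduce the bug.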
Index: lib/krb5/krb/unparse.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/unparse.c,v
retrieving revision 5.27.4.1
diff -p -u -r5.27.4.1 unparse.c
--- lib/krb5/krb/unparse.c 2002/08/12 22:55:01 5.27.4.1
+++ lib/krb5/krb/unparse.c 2003/03/19 00:39:02
@@ -153,7 +153,8 @@ krb5_unparse_name_ext(context, principal
*q++ = COMPONENT_SEP;
}
- q--; /* Back up last component separator */
+ if (i > 0)
+ q--; /* Back up last component separator */
*q++ = REALM_SEP;
cp = krb5_princ_realm(context, principal)->data;
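Review bot: with `if (i > 0)` the zero-component case now emits `@REALM` instead of stepping `q` to the byte before the buffer, but a principal with one empty component also unparses to `@REALM` (the loop writes a single COMPONENT_SEP, which the `q--` then removes), so the two inputs are indistinguishable after a parse/unparse round trip; if callers rely on that round trip, the empty-component case should be quoted or rejected rather than silently merged with the no-component case. Also worth checking that the length computation earlier in krb5_unparse_name_ext, which is outside this hunk, does not subtract one for the removed separator when `length == 0`, otherwise the allocated buffer is one byte short for the `@` that is now written.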
The problem exists in other parts of the code as well, but should only
result in crashing application servers when the realm has been
misconfigured to use broken service names, or crashing application
clients when they are supplied broken principal names.
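The zero-component and empty-component cases from the summary, modelled in a self-contained C program. This is an added illustration, not code from the krb5 tree: the `data_t`/`principal_t` types, the simplified backslash quoting, the sample names and the `run_unparse` harness are all stand-ins written for this example. `run_unparse` places a guard byte in front of the output buffer so that the unfixed back-up over a separator that was never written shows up as an overwritten guard byte rather than as undefined behaviour, and `princ_component` goes one step beyond the krb5.hin macro by also rejecting negative indices.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define COMPONENT_SEP '/'
#define REALM_SEP     '@'
#define TGS_NAME      "krbtgt"

/* Stand-ins for krb5_data / krb5_principal_data (example types, not krb5's). */
typedef struct { int length; const char *data; } data_t;
typedef struct { data_t realm; const data_t *data; int length; } principal_t;

/* Constructed sample names covering the cases named in the advisory. */
static const data_t empty_comp[1] = { { 0, "" } };
static const data_t host_comps[2] = { { 4, "host" }, { 15, "www.example.com" } };
static const data_t tgs_comps[2]  = { { 6, "krbtgt" }, { 11, "EXAMPLE.COM" } };
static const data_t odd_comps[1]  = { { 8, "user@odd" } };
static const principal_t samples[] = {
    { { 11, "EXAMPLE.COM" }, NULL,       0 }, /* 0: zero components */
    { { 11, "EXAMPLE.COM" }, empty_comp, 1 }, /* 1: one empty component */
    { { 11, "EXAMPLE.COM" }, host_comps, 2 }, /* 2: host/www.example.com */
    { { 11, "EXAMPLE.COM" }, tgs_comps,  2 }, /* 3: krbtgt/EXAMPLE.COM */
    { { 11, "EXAMPLE.COM" }, host_comps, 1 }, /* 4: host-based service, no host */
    { { 11, "EXAMPLE.COM" }, odd_comps,  1 }, /* 5: component containing '@' */
};
#define NSAMPLES ((int)(sizeof samples / sizeof samples[0]))

const principal_t *sample_principal(int which)
{
    return (which >= 0 && which < NSAMPLES) ? &samples[which] : NULL;
}

/* Bounds-checked replacement for krb5_princ_component: NULL instead of a
 * pointer past (or, for a negative i, before) the component array. */
const data_t *princ_component(const principal_t *p, int i)
{
    return (i >= 0 && i < p->length) ? &p->data[i] : NULL;
}

/* krb5_is_tgs_principal with the length guard folded into the accessor. */
int is_tgs_principal(const principal_t *p)
{
    const data_t *c0 = princ_component(p, 0);
    return c0 != NULL && c0->length == (int)strlen(TGS_NAME) &&
           memcmp(c0->data, TGS_NAME, c0->length) == 0;
}

/* Copy one field, backslash-quoting the separators (simplified quoting). */
static char *put_quoted(char *q, const data_t *d)
{
    for (int i = 0; i < d->length; i++) {
        char c = d->data[i];
        if (c == COMPONENT_SEP || c == REALM_SEP || c == '\\')
            *q++ = '\\';
        *q++ = c;
    }
    return q;
}

/* Worst case: every byte quoted, one separator per component, '@' and NUL. */
static size_t unparse_size(const principal_t *p)
{
    size_t n = 2 * (size_t)p->realm.length + 2;
    for (int i = 0; i < p->length; i++)
        n += 2 * (size_t)p->data[i].length + 1;
    return n;
}

/* The separator back-up from krb5_unparse_name_ext. With fixed == 0 the q--
 * runs unconditionally, so a name with no components steps q to out[-1] and
 * writes the '@' there; the caller must therefore own the byte at out[-1]. */
static void unparse(const principal_t *p, char *out, int fixed)
{
    char *q = out;
    for (int i = 0; i < p->length; i++) {
        q = put_quoted(q, &p->data[i]);
        *q++ = COMPONENT_SEP;
    }
    if (!fixed || p->length > 0)
        q--;                          /* back up over the last separator */
    *q++ = REALM_SEP;
    q = put_quoted(q, &p->realm);
    *q = '\0';
}

typedef struct { char text[128]; int underrun; } unparse_result_t;

/* Run unparse behind a guard byte; underrun is set if the guard was hit. */
unparse_result_t run_unparse(const principal_t *p, int fixed)
{
    unparse_result_t r;
    char storage[128];
    assert(unparse_size(p) + 1 <= sizeof storage);
    storage[0] = 'G';
    unparse(p, storage + 1, fixed);
    snprintf(r.text, sizeof r.text, "%s", storage + 1);
    r.underrun = (storage[0] != 'G');
    return r;
}

int main(void)
{
    for (int s = 0; s < NSAMPLES; s++) {
        for (int fixed = 0; fixed <= 1; fixed++) {
            unparse_result_t r = run_unparse(sample_principal(s), fixed);
            printf("sample %d %s: \"%s\"%s\n", s, fixed ? "fixed   " : "original",
                   r.text, r.underrun ? "  <-- wrote before the buffer" : "");
        }
        printf("sample %d is_tgs=%d component[1]=%s\n", s,
               is_tgs_principal(sample_principal(s)),
               princ_component(sample_principal(s), 1) ? "present" : "NULL");
    }
    return 0;
}
```

Two things the output makes visible that the summary only states: the unfixed code turns a zero-component name into "EXAMPLE.COM" (the `@` lands in the guard byte, so the realm reads as if it were a single-component name in the default realm), while the fixed code produces "@EXAMPLE.COM", the same string it produces for a one-empty-component name.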
ACKNOWLEDGMENTS
===============
Thanks to Nalin Dahyabhai of Red Hat for bringing the problems to our
attention.
CONTACT
=======
For more information, contact Ken Raeburn <raeburn at mit.edu>, Sam
Hartman <hartmans at mit.edu>, or Marshall Vale <mjv at mit.edu>.
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/www/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/www/index.html