MITKRB5-SA-2003-05: Buffer overrun and underrun in principal name handling

Ken Raeburn raeburn at MIT.EDU
Wed Mar 19 20:04:32 EST 2003


                 MIT krb5 Security Advisory 2003-005

2003-03-19

Topic: Buffer overrun and underrun in principal name handling

Severity: SERIOUS

SUMMARY
=======

Buffer overrun and underrun problems exist in Kerberos principal name
handling in unusual cases, such as names with zero components, names
with one empty component, or host-based service principal names with
no host name component.

IMPACT
======

 * Corruption of malloc pool, probably leading to program crash.

   + The KDC may be vulnerable.

   + Depending on the malloc implementation and platform, it may be
     possible to build more serious exploits on this.

 * Reference to data just past the end of an array in the KDC, for
   comparison against certain fixed data.  May result in crashing the
   KDC.

AFFECTED SOFTWARE
=================

MIT Kerberos 5, all released versions through 1.2.7 and 1.3-alpha1.

FIX
===

The following patches should fix the most urgent aspects of the
problems in the 1.2.7 release.  If these patches do not apply cleanly
to 1.2.6 and earlier versions, the corresponding changes should be
fairly straightforward.  The patch to krb5.hin should change any
missed overrun cases in this area into null pointer dereferences,
which will be more likely to crash the program instead of referencing
arbitrary data.

Index: include/krb5.hin
===================================================================
RCS file: /cvs/krbdev/krb5/src/include/krb5.hin,v
retrieving revision 1.94.2.5.2.17
diff -p -u -r1.94.2.5.2.17 krb5.hin
--- include/krb5.hin	2002/04/16 23:47:53	1.94.2.5.2.17
+++ include/krb5.hin	2003/03/19 00:38:54
@@ -326,7 +326,7 @@ typedef krb5_const krb5_principal_data F
 #define	krb5_princ_size(context, princ) (princ)->length
 #define	krb5_princ_type(context, princ) (princ)->type
 #define	krb5_princ_name(context, princ) (princ)->data
-#define	krb5_princ_component(context, princ,i) ((princ)->data + i)
+#define	krb5_princ_component(context, princ,i) (i < krb5_princ_size(context, princ) ? ((princ)->data + i) : NULL)
 
 /*
  * end "base-defs.h"
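Review bot: the new macro body uses `i` unparenthesized in `i < krb5_princ_size(context, princ)` and now evaluates `i` twice, so an argument containing an operator of lower precedence than `<` (a comma or `?:` expression) would parse wrongly and a side-effecting argument would run twice; writing `(i)` in the body and noting that callers must pass a plain index would make it safe. It is also worth saying in the header comment that the macro can now return NULL, since existing callers dereference the result immediately and, per the cover text, a NULL dereference is the intended outcome for an out-of-range index.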
Index: kdc/kdc_util.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kdc/kdc_util.c,v
retrieving revision 5.96.2.2.2.3
diff -p -u -r5.96.2.2.2.3 kdc_util.c
--- kdc/kdc_util.c	2002/10/31 00:38:34	5.96.2.2.2.3
+++ kdc/kdc_util.c	2003/03/19 00:39:00
@@ -157,7 +157,8 @@ realm_compare(princ1, princ2)
 krb5_boolean krb5_is_tgs_principal(principal)
 	krb5_principal	principal;
 {
-	if ((krb5_princ_component(kdc_context, principal, 0)->length ==
+	if (krb5_princ_size(kdc_context, principal) > 0 &&
+	    (krb5_princ_component(kdc_context, principal, 0)->length ==
 	     KRB5_TGS_NAME_SIZE) &&
 	    (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
 		     KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE)))
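Review bot: the `krb5_princ_size(kdc_context, principal) > 0` guard is what actually prevents the read past the component array here; the NULL that the patched krb5_princ_component macro would return for index 0 on an empty name would still be dereferenced by `->length`, so this explicit check must not later be dropped on the assumption that the macro covers it. A short comment on the guard (a name with no components is never a TGS principal) would record that dependency; the continuation line `+	    (krb5_princ_component(...` also mixes a tab with spaces where the surrounding lines indent with tabs.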
Index: lib/krb5/krb/unparse.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/unparse.c,v
retrieving revision 5.27.4.1
diff -p -u -r5.27.4.1 unparse.c
--- lib/krb5/krb/unparse.c	2002/08/12 22:55:01	5.27.4.1
+++ lib/krb5/krb/unparse.c	2003/03/19 00:39:02
@@ -153,7 +153,8 @@ krb5_unparse_name_ext(context, principal
 		*q++ = COMPONENT_SEP;
 	}
 
-	q--;			/* Back up last component separator */
+	if (i > 0)
+	    q--;		/* Back up last component separator */
 	*q++ = REALM_SEP;
 	
 	cp = krb5_princ_realm(context, principal)->data;
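Review bot: the `if (i > 0)` guard depends on `i` still holding the component count when the loop whose tail is shown above exits; testing `krb5_princ_size(context, principal) > 0` instead, or extending the comment to say that a zero-component name has no trailing separator to back over, would keep the fix intact if that loop is later rewritten. For such a name the unchanged `*q++ = REALM_SEP;` now writes the first byte of the buffer, so the result starts with the realm separator and the length computed earlier in the function (not in the hunk) must allocate at least that byte.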


The problem exists in other parts of the code as well, but should only
result in crashing application servers when the realm has been
misconfigured to use broken service names, or crashing application
clients when they are supplied broken principal names.
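As an added illustration, not code from the advisory or from MIT krb5, the C model below follows the shape of the patched krb5_is_tgs_principal and krb5_unparse_name_ext logic on a simplified principal struct so the zero-component case can be exercised safely; the struct, function names and sample principals are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
#define COMPONENT_SEP '/'
#define REALM_SEP     '@'
#define TGS_NAME      "krbtgt"

/* Constructed stand-in for krb5_principal_data: plain C strings, without the
 * real struct's per-component length and type fields. */
typedef struct { int length; const char **data; const char *realm; } principal;

/* Like the patched krb5_is_tgs_principal: component 0 is read only after the
 * size check, so a zero-component name is simply not a TGS principal. */
int is_tgs_principal(const principal *p)
{ return p->length > 0 && strcmp(p->data[0], TGS_NAME) == 0; }

/* Like the patched krb5_unparse_name_ext loop. The unpatched code did q--
 * unconditionally; with zero components that put REALM_SEP one byte before
 * the malloc'd block (the malloc-pool corruption the advisory describes). */
char *unparse_principal(const principal *p)
{
    size_t need = 1 + strlen(p->realm) + 1;          /* '@', realm, NUL */
    char *out, *q;
    int i;
    for (i = 0; i < p->length; i++)
        need += strlen(p->data[i]) + 1;              /* component, '/' */
    if ((out = q = malloc(need)) == NULL) return NULL;
    for (i = 0; i < p->length; i++) {
        size_t n = strlen(p->data[i]);
        memcpy(q, p->data[i], n);
        q += n;
        *q++ = COMPONENT_SEP;
    }
    if (i > 0)
        q--;                      /* drop the trailing COMPONENT_SEP */
    *q++ = REALM_SEP;
    strcpy(q, p->realm);
    return out;
}

int unparse_matches(const principal *p, const char *expected)
{
    char *s = unparse_principal(p);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}
/* Constructed samples: a TGS name and the zero-component case. */
static const char *comp_tgs[] = { TGS_NAME, "EXAMPLE.COM" };
const principal P_TGS   = { 2, comp_tgs, "EXAMPLE.COM" };
const principal P_EMPTY = { 0, NULL, "EXAMPLE.COM" };
```

With the guard in place the empty name unparses to "@EXAMPLE.COM" inside the allocated block instead of writing before it.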

ACKNOWLEDGMENTS
===============

Thanks to Nalin Dahyabhai of Red Hat for bringing the problems to our
attention.

CONTACT
=======

For more information, contact Ken Raeburn <raeburn at mit.edu>, Sam
Hartman <hartmans at mit.edu>, or Marshall Vale <mjv at mit.edu>.

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

	http://web.mit.edu/kerberos/www/advisories/index.html

The main MIT Kerberos web page is at:

	http://web.mit.edu/kerberos/www/index.html
kerberos-announce mailing list
kerberos-announce at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos-announce