MITKRB5-SA-2012-001: KDC heap corruption and crash [CVE-2012-1014 CVE-2012-1015]
Chris Hecker
checker at d6.com
Wed Aug 1 13:10:06 EDT 2012
The patch doesn't separate out the two issues, but it looks like it
applies to 1.9.x if I remove the do_as_req.c part, is that correct?
Chris
On 2012/07/31 11:04, Tom Yu wrote:
> MITKRB5-SA-2012-001
>
> MIT krb5 Security Advisory 2012-001 Original release: 2012-07-31
>
> Topic: KDC heap corruption and crash vulnerabilities
>
> CVE-2012-1015: KDC frees uninitialized pointer
>
> CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
>
> CVSSv2 Base Score: 9.3
>
> Access Vector: Network Access Complexity: Medium
> Authentication: None Confidentiality Impact: Complete
> Integrity Impact: Complete Availability Impact: Complete
>
> CVSSv2 Temporal Score: 7.3
>
> Exploitability: Proof-of-Concept Remediation Level:
> Official Fix Report Confidence: Confirmed
>
> CVE-2012-1014: KDC dereferences uninitialized pointer
>
> CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C/E:POC/RL:OF/RC:C CVSSv2
> Base Score: 9 CVSSv2 Temporal Score: 7
>
> SUMMARY =======
>
> CVE-2012-1015: The MIT krb5 KDC (Key Distribution Center) daemon
> can free an uninitialized pointer while processing an unusual
> AS-REQ, corrupting the process heap and possibly causing the daemon
> to abnormally terminate. An attacker could use this vulnerability
> to execute malicious code, but exploiting frees of uninitialized
> pointers to execute code is believed to be difficult. It is
> possible that a legitimate client that is misconfigured in an
> unusual way could trigger this vulnerability.
>
> CVE-2012-1014: The MIT krb5 KDC daemon can dereference an
> uninitialized pointer while processing a malformed AS-REQ, causing
> the daemon to abnormally terminate. This vulnerability could
> theoretically lead to the execution of malicious code, but that is
> believed to be very difficult.
>
> No known exploit exists that is capable of executing malicious
> code for either vulnerability, but it is also not difficult to
> trigger a denial of service with either vulnerability.
>
> IMPACT ======
>
> CVE-2012-1015: By sending a specially crafted AS-REQ, an
> unauthenticated remote attacker can cause the KDC to abnormally
> terminate or to execute malicious code.
>
> CVE-2012-1014: By sending a malformed AS-REQ, an unauthenticated
> remote attacker can cause the KDC to abnormally terminate. It is
> theoretically possible, but unlikely, for this vulnerability to
> lead to the execution of malicious code.
>
> AFFECTED SOFTWARE =================
>
> * The KDC in releases krb5-1.8 and later is vulnerable to
> CVE-2012-1015.
>
> * The KDC in releases krb5-1.10 and later is vulnerable to
> CVE-2012-1014.
>
> * Some platforms detect attempts to free invalid pointers and
> protectively terminate the process, preventing arbitrary code
> execution on those platforms.
>
> FIXES =====
>
> * The upcoming krb5-1.10.3 release will contain a fix for
> CVE-2012-1014 and CVE-2012-1015.
>
> * The upcoming krb5-1.9.5 release will contain a fix for
> CVE-2012-1015.
>
> * Apply the following patch:
>
> diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index
> 23623fe..8ada9d0 100644 --- a/src/kdc/do_as_req.c +++
> b/src/kdc/do_as_req.c @@ -463,7 +463,7 @@
> process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
> krb5_enctype useenctype; struct as_req_state *state;
>
> - state = malloc(sizeof(*state)); + state =
> calloc(sizeof(*state), 1); if (!state) { (*respond)(arg, ENOMEM,
> NULL); return; @@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req
> *request, krb5_data *req_pkt, state->authtime = 0; state->c_flags =
> 0; state->req_pkt = req_pkt; + state->inner_body = NULL;
> state->rstate = NULL; state->sname = 0; state->cname = 0; diff
> --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index
> 9d8cb34..d4ece3f 100644 --- a/src/kdc/kdc_preauth.c +++
> b/src/kdc/kdc_preauth.c @@ -1438,7 +1438,8 @@
> etype_info_helper(krb5_context context, krb5_kdc_req *request,
> continue;
>
> } - if (request_contains_enctype(context, request,
> db_etype)) { + if (krb5_is_permitted_enctype(context,
> db_etype) && + request_contains_enctype(context,
> request, db_etype)) { retval = _make_etype_info_entry(context,
> client->princ, client_key, db_etype, &entry[i], etype_info2); diff
> --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index
> a43b291..94dad3a 100644 --- a/src/kdc/kdc_util.c +++
> b/src/kdc/kdc_util.c @@ -2461,6 +2461,7 @@
> kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req
> *request, return 0; pa.magic = KV5M_PA_DATA; pa.pa_type =
> KRB5_ENCPADATA_REQ_ENC_PA_REP; + memset(&checksum, 0,
> sizeof(checksum)); retval = krb5_c_make_checksum(kdc_context,0,
> reply_key, KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); if (retval !=
> 0) diff --git a/src/lib/kdb/kdb_default.c
> b/src/lib/kdb/kdb_default.c index c4bf92e..367c894 100644 ---
> a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@
> -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start,
> ktype, stype, kvno, kdatap) krb5_boolean saw_non_permitted =
> FALSE;
>
> ret = 0; + if (ktype != -1 &&
> !krb5_is_permitted_enctype(kcontext, ktype)) + return
> KRB5_KDB_NO_PERMITTED_KEY; + if (kvno == -1 && stype == -1 && ktype
> == -1) kvno = 0;
>
>
>
> This patch is also available at
>
> http://web.mit.edu/kerberos/advisories/2012-001-patch.txt
>
> A PGP-signed patch is available at
>
> http://web.mit.edu/kerberos/advisories/2012-001-patch.txt.asc
>
> REFERENCES ==========
>
> This announcement is posted at:
>
> http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
>
> This announcement and related security advisories may be found on
> the MIT Kerberos security advisory page at:
>
> http://web.mit.edu/kerberos/advisories/index.html
>
> The main MIT Kerberos web page is at:
>
> http://web.mit.edu/kerberos/index.html
>
> CVSSv2:
>
> http://www.first.org/cvss/cvss-guide.html
> http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
>
> CVE: CVE-2012-1014
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1014
>
> CVE: CVE-2012-1015
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015
>
> ACKNOWLEDGMENTS ===============
>
> We thank Emmanuel Bouillon (NCI Agency) for discovering and
> reporting these vulnerabilities.
>
> CONTACT =======
>
> The MIT Kerberos Team security contact address is
> <krbcore-security at mit.edu>. When sending sensitive information,
> please PGP-encrypt it using the following key:
>
> pub 2048R/07566CE5 2012-01-27 [expires: 2013-02-01] uid MIT
> Kerberos Team Security Contact <krbcore-security at mit.edu>
>
> DETAILS =======
>
> CVE-2012-1015: KDC frees uninitialized pointer
>
> The KDC function kdc_handle_protected_negotiation(), which handles
> the protected negotiation feature of the FAST Kerberos protocol
> extension, can attempt to create a checksum using a key type that
> is invalid for producing checksums. This causes its call to
> krb5_c_make_checksum() to fail, which leads to the cleanup code in
> kdc_handle_protected_negotiation() freeing an uninitialized
> pointer.
>
> It is possible, but unlikely, for a legitimate client to be
> misconfigured in a way that causes the KDC to attempt to use such
> an invalid key type in this code.
>
> CVE-2012-1014: KDC dereferences uninitialized pointer
>
> CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C/E:POC/RL:OF/RC:C
>
> CVSSv2 Base Score: 9
>
> Access Vector: Network Access Complexity: Low
> Authentication: None Confidentiality Impact: Partial
> Integrity Impact: Partial Availability Impact: Complete
>
> CVSSv2 Temporal Score: 7
>
> Exploitability: Proof-of-Concept Remediation Level:
> Official Fix Report Confidence: Confirmed
>
> The KDC function process_as_req(), which handles incoming AS-REQ
> messages, allocates a state object using malloc() and initializes
> many fields within it. It fails to initialize state->inner_body,
> which is a pointer to a krb5_data object. If the uninitialized
> value state->inner_body is not null, a failure in process_as_req()
> that precedes the call to kdc_find_fast() could cause error
> handling code in finish_process_as_req() to pass the uninitialized
> state->inner_body pointer to krb5_free_data(), which would proceed
> to dereference the uninitialized pointer. The typical outcome is
> KDC process termination due to a segmentation fault or similar
> memory fault.
>
> It is theoretically possible for an attacker to manipulate the
> contents of the heap so that the uninitialized pointer
> state->inner_body would point to valid memory where
> state->inner_body->data contains an attacker-chosen invalid
> pointer value. The krb5_free_data() function would then pass this
> invalid pointer to free(). This could allow the attacker to
> overwrite memory or execute malicious code on some platforms,
> depending on the details of the malloc() implementation. This
> indirect attack method seems much less likely to succeed than one
> where the attacker could directly control the invalid pointer value
> that the program passes to free().
>
> REVISION HISTORY ================
>
> 2012-07-31 original release
>
> Copyright (C) 2012 Massachusetts Institute of Technology
> _______________________________________________ kerberos-announce
> mailing list kerberos-announce at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos-announce
> ________________________________________________ Kerberos mailing
> list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list