MITKRB5-SA-2012-001: KDC heap corruption and crash [CVE-2012-1014 CVE-2012-1015]

Chris Hecker checker at d6.com
Wed Aug 1 13:10:06 EDT 2012


The patch doesn't separate out the two issues, but it looks like it
applies to 1.9.x if I remove the do_as_req.c part. Is that correct?

Chris


On 2012/07/31 11:04, Tom Yu wrote:
> MITKRB5-SA-2012-001
> 
> MIT krb5 Security Advisory 2012-001
> Original release: 2012-07-31
> 
> Topic: KDC heap corruption and crash vulnerabilities
> 
> CVE-2012-1015: KDC frees uninitialized pointer
> 
> CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
> 
> CVSSv2 Base Score:      9.3
> 
> Access Vector:          Network
> Access Complexity:      Medium
> Authentication:         None
> Confidentiality Impact: Complete
> Integrity Impact:       Complete
> Availability Impact:    Complete
> 
> CVSSv2 Temporal Score:  7.3
> 
> Exploitability:         Proof-of-Concept
> Remediation Level:      Official Fix
> Report Confidence:      Confirmed
> 
> CVE-2012-1014: KDC dereferences uninitialized pointer
> 
> CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C/E:POC/RL:OF/RC:C
> 
> CVSSv2 Base Score:      9
> 
> CVSSv2 Temporal Score:  7
> 
> SUMMARY
> =======
> 
> CVE-2012-1015: The MIT krb5 KDC (Key Distribution Center) daemon
> can free an uninitialized pointer while processing an unusual
> AS-REQ, corrupting the process heap and possibly causing the daemon
> to abnormally terminate.  An attacker could use this vulnerability
> to execute malicious code, but exploiting frees of uninitialized
> pointers to execute code is believed to be difficult.  It is
> possible that a legitimate client that is misconfigured in an
> unusual way could trigger this vulnerability.
> 
> CVE-2012-1014: The MIT krb5 KDC daemon can dereference an 
> uninitialized pointer while processing a malformed AS-REQ, causing
> the daemon to abnormally terminate.  This vulnerability could 
> theoretically lead to the execution of malicious code, but that is 
> believed to be very difficult.
> 
> No known exploit exists that is capable of executing malicious
> code for either vulnerability, but it is also not difficult to
> trigger a denial of service with either vulnerability.
> 
> IMPACT
> ======
> 
> CVE-2012-1015: By sending a specially crafted AS-REQ, an 
> unauthenticated remote attacker can cause the KDC to abnormally 
> terminate or to execute malicious code.
> 
> CVE-2012-1014: By sending a malformed AS-REQ, an unauthenticated 
> remote attacker can cause the KDC to abnormally terminate.  It is 
> theoretically possible, but unlikely, for this vulnerability to
> lead to the execution of malicious code.
> 
> AFFECTED SOFTWARE
> =================
> 
> * The KDC in releases krb5-1.8 and later is vulnerable to 
> CVE-2012-1015.
> 
> * The KDC in releases krb5-1.10 and later is vulnerable to 
> CVE-2012-1014.
> 
> * Some platforms detect attempts to free invalid pointers and 
> protectively terminate the process, preventing arbitrary code 
> execution on those platforms.
> 
> FIXES
> =====
> 
> * The upcoming krb5-1.10.3 release will contain a fix for 
> CVE-2012-1014 and CVE-2012-1015.
> 
> * The upcoming krb5-1.9.5 release will contain a fix for 
> CVE-2012-1015.
> 
> * Apply the following patch:
> 
> diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index
> 23623fe..8ada9d0 100644 --- a/src/kdc/do_as_req.c +++
> b/src/kdc/do_as_req.c @@ -463,7 +463,7 @@
> process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, 
> krb5_enctype useenctype; struct as_req_state *state;
> 
> -    state = malloc(sizeof(*state)); +    state =
> calloc(sizeof(*state), 1); if (!state) { (*respond)(arg, ENOMEM,
> NULL); return; @@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req
> *request, krb5_data *req_pkt, state->authtime = 0; state->c_flags =
> 0; state->req_pkt = req_pkt; +    state->inner_body = NULL; 
> state->rstate = NULL; state->sname = 0; state->cname = 0; diff
> --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index
> 9d8cb34..d4ece3f 100644 --- a/src/kdc/kdc_preauth.c +++
> b/src/kdc/kdc_preauth.c @@ -1438,7 +1438,8 @@
> etype_info_helper(krb5_context context, krb5_kdc_req *request, 
> continue;
> 
> } -            if (request_contains_enctype(context, request,
> db_etype)) { +            if (krb5_is_permitted_enctype(context,
> db_etype) && +                request_contains_enctype(context,
> request, db_etype)) { retval = _make_etype_info_entry(context,
> client->princ, client_key, db_etype, &entry[i], etype_info2); diff
> --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index
> a43b291..94dad3a 100644 --- a/src/kdc/kdc_util.c +++
> b/src/kdc/kdc_util.c @@ -2461,6 +2461,7 @@
> kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req
> *request, return 0; pa.magic = KV5M_PA_DATA; pa.pa_type =
> KRB5_ENCPADATA_REQ_ENC_PA_REP; +    memset(&checksum, 0,
> sizeof(checksum)); retval = krb5_c_make_checksum(kdc_context,0,
> reply_key, KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); if (retval !=
> 0) diff --git a/src/lib/kdb/kdb_default.c
> b/src/lib/kdb/kdb_default.c index c4bf92e..367c894 100644 ---
> a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@
> -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start,
> ktype, stype, kvno, kdatap) krb5_boolean        saw_non_permitted =
> FALSE;
> 
> ret = 0; +    if (ktype != -1 &&
> !krb5_is_permitted_enctype(kcontext, ktype)) +        return
> KRB5_KDB_NO_PERMITTED_KEY; + if (kvno == -1 && stype == -1 && ktype
> == -1) kvno = 0;
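Review bot: in the do_as_req.c hunk, `calloc(sizeof(*state), 1)` passes the arguments in the reverse of the conventional (nmemb, size) order; it allocates the same zeroed block either way, but `calloc(1, sizeof(*state))` reads as intended. With calloc in place the added `state->inner_body = NULL;` is redundant, though keeping it documents that this is the field the cleanup in finish_process_as_req() relies on being NULL.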
> 
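Review bot: in the kdc_util.c hunk, the `memset(&checksum, 0, sizeof(checksum));` before `krb5_c_make_checksum()` is what makes the failure-path cleanup free a NULL contents pointer instead of an uninitialized one, but nothing at the call site says so; a one-line comment there would keep a later tidy-up from dropping the memset as apparently redundant.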
> 
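Review bot: in the kdb_default.c hunk, the new `ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)` check is placed before the `kvno == -1 && stype == -1 && ktype == -1` defaulting, which is correct since a ktype of -1 is exempted explicitly; the function already carries a `saw_non_permitted` flag, so the early `KRB5_KDB_NO_PERMITTED_KEY` return should be checked for consistency with whatever that flag reports later in the same function.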
> 
> This patch is also available at
> 
> http://web.mit.edu/kerberos/advisories/2012-001-patch.txt
> 
> A PGP-signed patch is available at
> 
> http://web.mit.edu/kerberos/advisories/2012-001-patch.txt.asc
> 
> REFERENCES
> ==========
> 
> This announcement is posted at:
> 
> http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
> 
> This announcement and related security advisories may be found on
> the MIT Kerberos security advisory page at:
> 
> http://web.mit.edu/kerberos/advisories/index.html
> 
> The main MIT Kerberos web page is at:
> 
> http://web.mit.edu/kerberos/index.html
> 
> CVSSv2:
> 
> http://www.first.org/cvss/cvss-guide.html 
> http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
> 
> CVE: CVE-2012-1014 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1014
> 
> CVE: CVE-2012-1015 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015
> 
> ACKNOWLEDGMENTS
> ===============
> 
> We thank Emmanuel Bouillon (NCI Agency) for discovering and
> reporting these vulnerabilities.
> 
> CONTACT
> =======
> 
> The MIT Kerberos Team security contact address is 
> <krbcore-security at mit.edu>.  When sending sensitive information, 
> please PGP-encrypt it using the following key:
> 
> pub   2048R/07566CE5 2012-01-27 [expires: 2013-02-01]
> uid                  MIT Kerberos Team Security Contact <krbcore-security at mit.edu>
> 
> DETAILS
> =======
> 
> CVE-2012-1015: KDC frees uninitialized pointer
> 
> The KDC function kdc_handle_protected_negotiation(), which handles
> the protected negotiation feature of the FAST Kerberos protocol
> extension, can attempt to create a checksum using a key type that
> is invalid for producing checksums.  This causes its call to
> krb5_c_make_checksum() to fail, which leads to the cleanup code in 
> kdc_handle_protected_negotiation() freeing an uninitialized
> pointer.
> 
> It is possible, but unlikely, for a legitimate client to be 
> misconfigured in a way that causes the KDC to attempt to use such
> an invalid key type in this code.
> 
> CVE-2012-1014: KDC dereferences uninitialized pointer
> 
> CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C/E:POC/RL:OF/RC:C
> 
> CVSSv2 Base Score:      9
> 
> Access Vector:          Network
> Access Complexity:      Low
> Authentication:         None
> Confidentiality Impact: Partial
> Integrity Impact:       Partial
> Availability Impact:    Complete
> 
> CVSSv2 Temporal Score:  7
> 
> Exploitability:         Proof-of-Concept
> Remediation Level:      Official Fix
> Report Confidence:      Confirmed
> 
> The KDC function process_as_req(), which handles incoming AS-REQ 
> messages, allocates a state object using malloc() and initializes
> many fields within it.  It fails to initialize state->inner_body,
> which is a pointer to a krb5_data object.  If the uninitialized
> value state->inner_body is not null, a failure in process_as_req()
> that precedes the call to kdc_find_fast() could cause error
> handling code in finish_process_as_req() to pass the uninitialized
> state->inner_body pointer to krb5_free_data(), which would proceed
> to dereference the uninitialized pointer.  The typical outcome is
> KDC process termination due to a segmentation fault or similar
> memory fault.
> 
> It is theoretically possible for an attacker to manipulate the 
> contents of the heap so that the uninitialized pointer 
> state->inner_body would point to valid memory where 
> state->inner_body->data contains an attacker-chosen invalid
> pointer value.  The krb5_free_data() function would then pass this
> invalid pointer to free().  This could allow the attacker to
> overwrite memory or execute malicious code on some platforms,
> depending on the details of the malloc() implementation.  This
> indirect attack method seems much less likely to succeed than one
> where the attacker could directly control the invalid pointer value
> that the program passes to free().
> 
> REVISION HISTORY
> ================
> 
> 2012-07-31      original release
> 
> Copyright (C) 2012 Massachusetts Institute of Technology
> _______________________________________________
> kerberos-announce mailing list
> kerberos-announce at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos-announce
> ________________________________________________
> Kerberos mailing list
> Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


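The DETAILS section above describes a state object whose cleanup path frees every pointer field, so a field that malloc() left unset becomes a free() of heap garbage. The following constructed C model (added here; not krb5's code, and `kdata`, `init_state_buggy`, `init_state_fixed` and `recycled_chunk_is_safe` are stand-in names) simulates a recycled heap chunk and shows why zeroing the object before any failure path can run, as the calloc() change in the patch does, is what makes the cleanup safe.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the KDC's per-request state, not krb5's struct. */
typedef struct { size_t length; char *data; } kdata;
struct as_req_state {
    long authtime;
    kdata *inner_body;   /* the field pre-patch process_as_req() never set */
    kdata *cname;
};

/* Same shape as krb5_free_data(): free the contents, then the container. */
static void free_kdata(kdata *d) { if (d) { free(d->data); free(d); } }

/* Every error path ends here, like finish_process_as_req(): it frees whatever
 * the pointer fields hold, so no field may ever hold heap garbage. */
static void finish_request(struct as_req_state *st) {
    free_kdata(st->inner_body);
    free_kdata(st->cname);
    free(st);
}

/* Pre-patch style: set some fields, leave inner_body as the chunk had it. */
static void init_state_buggy(struct as_req_state *st) {
    st->authtime = 0; st->cname = NULL;
}

/* Patched style: zero everything first (calloc() does this in the real fix). */
static void init_state_fixed(struct as_req_state *st) {
    memset(st, 0, sizeof *st);
    st->authtime = 0; st->cname = NULL; st->inner_body = NULL;
}

/* A recycled chunk still holds a previous request's bytes (0xAA here), so an
 * unset pointer field is non-NULL garbage. Returns 1 if init leaves the state
 * safe for finish_request(), 0 if cleanup would free garbage (the crash the
 * advisory describes); cleanup is only run when it is safe. */
static int recycled_chunk_is_safe(void (*init)(struct as_req_state *)) {
    struct as_req_state *st = malloc(sizeof *st);
    if (!st) return -1;
    memset(st, 0xAA, sizeof *st);          /* what a reused heap chunk looks like */
    init(st);
    int safe = (st->inner_body == NULL && st->cname == NULL);
    if (safe) finish_request(st); else free(st);
    return safe;
}
```

Compiling with `-fsanitize=address` and letting the buggy variant run its cleanup would report the invalid free the advisory describes; the model deliberately skips cleanup in that case so it runs cleanly.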