MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing

[Greg Hudson]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

MITKRB5-SA-2022-001

MIT krb5 Security Advisory 2022-001
Original release: 2022-11-15
Last update: 2022-11-15

Topic: Vulnerabilities in PAC parsing

CVE-2022-42898: integer overflow vulnerabilities in PAC parsing

SUMMARY
=======

Three integer overflow vulnerabilities have been discovered in the MIT
krb5 library function krb5_parse_pac().

IMPACT
======

An authenticated attacker may be able to cause a KDC or kadmind
process to crash by reading beyond the bounds of allocated memory,
creating a denial of service.  A privileged attacker may similarly be
able to cause a Kerberos or GSS application service to crash.

On a 32-bit platform, an authenticated attacker may be able to cause
heap corruption in a KDC or kadmind process, possibly leading to
remote code execution.  A privileged attacker may similarly be able to
cause heap corruption in a Kerberos or GSS application service running
on a 32-bit platform.

An attacker with the privileges of a cross-realm KDC may be able to
extract secrets from a KDC process's memory by having them copied into
the PAC of a new ticket.

AFFECTED SOFTWARE
=================

Kerberos and GSS application services using krb5-1.8 or later are
affected.  kadmind in krb5-1.8 or later is affected.  The krb5-1.20
KDC is affected.  The krb5-1.8 through krb5-1.19 KDC is affected when
using the Samba or FreeIPA KDB modules.

FIXES
=====

* Upcoming releases in the krb5-1.19 and krb5-1.20 series will contain
  fixes for these vulnerabilities.

* The patch for krb5-1.20.x is available at

  https://web.mit.edu/kerberos/advisories/2022-001-patch-r120.txt

  A PGP-signed patch is available at

  https://web.mit.edu/kerberos/advisories/2022-001-patch-r120.txt.asc

* The patch for krb5-1.19.x is available at

  https://web.mit.edu/kerberos/advisories/2022-001-patch-r119.txt

  A PGP-signed patch is available at

  https://web.mit.edu/kerberos/advisories/2022-001-patch-r119.txt.asc

REFERENCES
==========

This announcement is posted at:

  https://web.mit.edu/kerberos/advisories/MITKRB5-SA-2022-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        https://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        https://web.mit.edu/kerberos/index.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898

ACKNOWLEDGMENTS
===============

One of the integer overflow vulnerabilities was discovered by
oss-fuzz.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security at mit.edu>.

DETAILS
=======

A PAC (Privilege Attribute Certificate) is a Kerberos authorization
data type specified by Microsoft.  PACs are parsed by application
services and KDCs after the PAC is extracted from a decrypted ticket.
Attacking an application service requires a high level of privilege,
as the attacker must possess the long-term key of the service to
insert a crafted invalid PAC into a ticket that the service can
decrypt.  To attack a KDC or kadmind, the attacker must possess the
long-term key of a principal in the KDC realm, but does not require a
high level of privilege.

There are three potential overflow vulnerabilities in
krb5_pac_parse():

1. krb5_pac_parse() reads a buffer count from the serialized PAC,
which can be any unsigned 32-bit value.  It then computes a header
length from the buffer count, and returns an error if the header
length is larger than the serialized PAC length.  If the buffer count
is 2^28 or higher, the header length computation will overfow, and the
result may be less than or equal to the PAC length.

If the header length check is defeated in this manner,
krb5_pac_parse() will attempt to parse metadata for at least 2^28
buffers, exceeding the bounds of the serialized PAC.  In most cases,
parsing beyond the end of the PAC will encounter invalid metadata and
the parse operation will fail, with no harmful consequences.  In some
cases the process may be terminated with a segmentation violation.

2. krb5_pac_parse() computes a reallocation size based on the buffer
count.  If the buffer count is 2^28 or higher, the size computation
will overflow on 32-bit platforms, and the function will allocate
insufficient space to store buffer metadata.  On 64-bit platforms the
size computation cannot overflow.

An insufficient storage allocation will result in heap corruption when
buffer metadata is read.  The attacker has a significant degree of
control over what data is written beyond the end of the allocated heap
region.

3. For each buffer, krb5_pac_parse() reads a 64-bit offset and a
32-bit length.  The function returns an error if the sum of the offset
and length exceeds the length of the serialized PAC.  If the sum
exceeds 2^64, the offset and length may be erroneously allowed.  A
later read of the buffer may cause the process to crash.  If it does
not, the buffer contents may contain secrets located in process
memory.  A KDC may copy the invalid buffer into the PAC for a new
ticket, possibly revealing secret information to the attacker.
However, a high level of privilege would be required to conduct such
an attack, as the PAC must be signed by a KDC within the local realm
or a KDC from a realm that the local realm is directly connected to.

GSS and Kerberos application services using krb5-1.8 or later will
parse a PAC when an AP-REQ or Kerberos GSS initiator token is received
from a client, if a PAC is contained within the decrypted Kerberos
ticket.  To exploit the aforementioned vulnerabilities, an attacker
must be able to construct a ticket that the application service can
decrypt, containing a crafted invalid PAC encoding.  Constructing such
a ticket requires possession of a key contained within the service's
keytab file, implying that the attacker already has the privileges of
the application service or the KDC of the service realm.

kadmind is a GSS application service with the special property that it
can decrypt a ticket encrypted to in any service key in the database.
After authentication, it checks that the target service has an
appropriate name, but by that time any PAC in the received ticket has
already been parsed.  Therefore, it could be attacked by any attacker
who possesses the long-term key of any principal that does not have
the DISALLOW_SVR or DISALLOW_ALL_TIX flags set.

The krb5-1.20 KDC.20 will parse a PAC if one is contained within a TGS
request header ticket or second ticket.  As with kadmind, such a
ticket could be crafted using the long-term key of any principal that
does not have the DISALLOW_SVR or DISALLOW_ALL_TIX flags set.

The KDC prior to krb5-1.20 does not parse PACs unless it is used with
a KDB module that implements PACs, such as the Samba or FreeIPA KDB
modules.

REVISION HISTORY
================

2022-11-15      original release

Copyright (C) 2022 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNzuQQACgkQDLoIV1+D
ct8Ung/8DWy/aMtta10Z1pclpCZDP/piQs/r9pY+uugaZIZo9TWKBmbj8agASdS8
C/BKp9fj80P5uPPveSuAMbuj0ocRjWVeRa04GR+Le8UeCIjOJrh1uXHLTWza/xpU
rpV+/xi/KsueaxGS3I4hUTUd1K4nUmGX/Kzvjo27YCvOKRXiiUn2J1mX9d+G+hyS
lVjAlLI7+HvDbC9Cq96BYKRcLvCugMDY1g4wjmFw7L7tvftsf2t1dl8i8dlHfSNJ
fcYgpNne3fRgwSEkPZNukfZQD3i4usUfRoimqnG57fV1mOilfWT1bGVlNC7HOpgs
anHYrhc+j4CYtwR8YhHU/aZSUs82ksfjLX+/o+LmUfyQhKqKreT5WYyJUW8pzG/+
DAery0OBG+wLOpNMzLhCRExPOzh1gcJs1RXF/meb68D4KBCfmM9F6tASLlVNTmd2
cI+Mh3Zm70S+l4ZKEgppKmFTcG+0HucOnpGl8QdTifMpM7Ox66asnPznPy6uaNoa
xMXW718Ldr1p3n8gzIA2FrOi3t/I+CL59APfkt43QwH/7+x0uxLyswA/3LX6pLtY
dTgbVHXa+PkfowmrD7Gn8bkFAwZiAsfKy/r+Xf+3flZzj8I6BqAzvqcAke7Fyr+o
uWw8IMxy85cirlwstllbfqwEz6KrkHVuu61vrANvWBEOpKHmMeU=
=8tHI
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce