[krbdev.mit.edu #2545] AFS string_to_key broken for passwords > 8 chars

The RT System itself via RT rt-comment at krbdev.mit.edu
Thu Apr 29 18:29:37 EDT 2004


Date: Tue, 27 Apr 2004 15:37:43 -0700
From: Booker Bense <bbense at slac.stanford.edu>
Message-Id: <200404272237.i3RMbhD8031760 at telemark.slac.stanford.edu>
To: krb5-bugs at mit.edu


>Submitter-Id:	net
>Originator:	Booker Bense
>Organization: Stanford Linear Accelerator
>Confidential:	no
>Synopsis:	AFS string_to_key broken for passwords > 8 chars
>Severity:	serious
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	krb5-1.3.3
>Environment: Mac OSX
System: Linux telemark 2.4.21-9.0.1.EL #1 Mon Feb 9 22:44:14 EST 2004 i686 i686 i386 GNU/Linux
Architecture: i686

>Description:
	
	The function mit_des_string_to_key_int contains this work around
	for use with converted AFS keys in a Heimdal KDC. 

	if (salt->length == SALT_TYPE_AFS_LENGTH || salt->length == (unsigned) -1) {
	    krb5_data salt2;
	    char *c;
	    /* salt->data is a length-delimited krb5_data buffer that is not
	       guaranteed to be NUL-terminated, so strchr and strlen below may
	       scan past salt->length */
	    c = strchr(salt->data, '@');
	    if (c != NULL) *c = '\0'; /* workaround from krb5-clients/1146 */
	    salt2.data = salt->data;
	    salt2.length = strlen (salt2.data);
	    /* cheat and do AFS string2key instead */
	    return mit_afs_string_to_key (keyblock, data, &salt2);
	}

However, this code incorrectly computes the length of salt2 if
the '@' is missing from the original salt data. In fact, there is no
guarantee that strlen is going to return anything but garbage. There
is the potential for a buffer overflow in this code.

Unfortunately, due to the extremely brain-damaged solution of using a
length field as a data type flag, there is no quick and simple solution
to this problem. 

>How-To-Repeat:
	Use a password of longer than 8 chars with an AFS string_to_key
	algorithm.


>Fix:
	Obviously, if there are other key salt types available, this
	problem goes away. Changing your password after conversion is one
	workaround. As far as fixing the actual code itself, this would require
	significant reworking of the libraries. At a minimum you should
	add some sanity checks before calling strlen; it would also be a
	good idea to check the result of strchr.
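Added example, not part of the bug report or of the krb5 sources: a bounded way to do what the quoted strchr()/strlen() pair attempts, using a stand-in struct for krb5_data (assumed here; the real type lives in krb5.h). It finds the '@' within the declared salt length, never writes a '\0' into the caller's buffer, and returns the full length when no '@' is present, the case the report identifies as the fallthrough to strlen().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for krb5_data, constructed here (not the real krb5 header):
 * the buffer is length-delimited and not NUL-terminated. */
typedef struct { unsigned int length; char *data; } salt_data;

/* Bounded replacement for the strchr()/strlen() pair quoted in the report:
 * find '@' without reading past salt->length. Returns the byte count before
 * '@', or the whole length when there is no '@' (the strlen() fallthrough). */
size_t afs_salt_prefix_len(const salt_data *salt)
{
    const char *at;
    if (salt == NULL || salt->data == NULL)
        return 0;
    at = memchr(salt->data, '@', salt->length);
    return at ? (size_t)(at - salt->data) : (size_t)salt->length;
}

/* Copy the prefix to a caller-owned NUL-terminated buffer instead of writing
 * '\0' into the caller's salt; returns -1 if it would not fit. */
int afs_salt_copy_prefix(const salt_data *salt, char *out, size_t outsz)
{
    size_t n = afs_salt_prefix_len(salt);
    if (outsz == 0 || n >= outsz)
        return -1;
    memcpy(out, salt->data, n);
    out[n] = '\0';
    return 0;
}

/* Constructed: 12-byte salt, no '@', no NUL inside the declared length;
 * the trailing X bytes stand in for whatever follows in memory. */
size_t demo_no_at(void)
{
    char raw[] = "cellname.orgXXXXXXXX";
    salt_data s = { 12, raw };
    return afs_salt_prefix_len(&s);   /* 12, not strlen(raw) == 20 */
}

/* Constructed: salt carrying a realm suffix after the '@'. */
size_t demo_with_at(void)
{
    char raw[] = "user@cellname.org";
    salt_data s = { (unsigned int)strlen(raw), raw };
    return afs_salt_prefix_len(&s);   /* 4 */
}

int main(void) { printf("%zu %zu\n", demo_no_at(), demo_with_at()); return 0; }
```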