[krbdev.mit.edu #2546] AFS string_to_key broken for passwords > 8 chars

The RT System itself via RT rt-comment at krbdev.mit.edu
Thu Apr 29 18:30:12 EDT 2004


Date: Thu, 29 Apr 2004 12:33:18 -0700 (PDT)
From: Booker Bense <bbense at slac.stanford.edu>
To: krb5-bugs at mit.edu
Message-ID: <Pine.LNX.4.58.0404291228320.12489 at telemark.slac.stanford.edu>
Subject: Bug in AFS string_to_key


- My apologies if you've seen this already. I didn't see it in
the krb5-bugs archive and I sent it via krb5-send-pr two days
ago.

>Submitter-Id:	net
>Originator:	Booker Bense
>Organization: Stanford Linear Accelerator
>Confidential:	no
>Synopsis:	AFS string_to_key broken for passwords > 8 chars
>Severity:	serious
>Priority:	medium
>Category:	krb5 libraries
>Class:		sw-bug
>Release:	krb5-1.3.3
>Environment: Mac OSX,

System: Linux telemark 2.4.21-9.0.1.EL #1 Mon Feb 9 22:44:14 EST 2004 i686 i686 i386 GNU/Linux
Architecture: i686

>Description:

	The function mit_des_string_to_key_int contains this work around
	for use with converted AFS keys in a Heimdal KDC.

	if (salt->length == SALT_TYPE_AFS_LENGTH || salt->length == (unsigned) -1) {
	    krb5_data salt2;
	    char *c;
	    /* salt->data is a counted buffer, not necessarily NUL-terminated:
	     * strchr may scan past salt->length when there is no '@' */
	    c = strchr(salt->data, '@');
	    if (c != NULL) *c = '\0'; /* workaround from krb5-clients/1146 */
	    salt2.data = salt->data;
	    /* if no '@' was found, nothing guarantees a NUL here either */
	    salt2.length = strlen (salt2.data);
	    /* cheat and do AFS string2key instead */
	    return mit_afs_string_to_key (keyblock, data, &salt2);
	}

However, this code incorrectly computes the length of salt2 if
the '@' is missing from the original salt data. In fact there is no
guarantee that strlen is going to return anything but garbage. There
is the potential for a buffer overflow in this code, or at least
random memory corruption.

Unfortunately, due to the extremely brain-damaged solution of using a
length field as a data type flag, there is no quick and simple solution
to this problem.

>How-To-Repeat:

	Use a password of longer than 8 chars with an AFS string_to_key
	algorithm.


>Fix:

	Obviously, if there are other key salt types available this
problem goes away. Changing your password after conversion is one
workaround. As far as fixing the actual code itself, this would require
significant reworking of the libraries. At a minimum you should
add some sanity checks before calling strlen; it also would be a
good idea to check the result of strchr as well.
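A bounded version of the salt handling the report describes, added here as an illustration and not taken from the ticket or from the MIT krb5 sources. It assumes salt->length is a real byte count (the length-as-type-flag case has already been resolved by the caller); salt_data, afs_salt_length and the sample salts are constructed names for this example.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for krb5_data: a length-counted buffer with no guarantee of a
 * trailing NUL (constructed for this example, not the krb5 definition). */
typedef struct {
    size_t length;
    char *data;
} salt_data;

/* Hardened replacement for the strchr()/strlen() pair in the report:
 * derive the AFS cell salt as the bytes before the first '@', searching
 * only within salt->length.  Returns 0 on a NULL salt; never writes into
 * the caller's buffer and never reads past it.  When '@' is absent the
 * whole salt is used, which strlen() only gets right if a NUL happens
 * to follow the buffer. */
size_t afs_salt_length(const salt_data *salt)
{
    const char *at;
    if (salt == NULL || salt->data == NULL)
        return 0;
    at = memchr(salt->data, '@', salt->length);  /* bounded search */
    return at ? (size_t)(at - salt->data) : salt->length;
}

/* Case from the report: no '@', and the salt is not NUL-terminated.
 * `backing` models a salt followed by unrelated bytes; strlen() counts
 * all of them, the bounded version stops at salt->length. */
size_t unterminated_salt_case(size_t *strlen_sees)
{
    static char backing[] = "EXAMPLE.ORGadjacentbytes";  /* constructed */
    salt_data salt = { 11, backing };     /* 11 bytes: "EXAMPLE.ORG" */
    if (strlen_sees)
        *strlen_sees = strlen(backing);   /* 24: reads beyond the salt */
    return afs_salt_length(&salt);        /* 11 */
}

/* Ordinary case: "user@EXAMPLE.ORG" -> salt is the 4 bytes before '@'. */
size_t at_sign_salt_case(void)
{
    static char backing[] = "user@EXAMPLE.ORG";          /* constructed */
    salt_data salt = { sizeof backing - 1, backing };
    return afs_salt_length(&salt);        /* 4 */
}
```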


