[krbdev.mit.edu #7622] git commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Tue Apr 23 23:08:37 EDT 2013
KDC TGS-REQ null deref [CVE-2013-1416]
By sending an unusual but valid TGS-REQ, an authenticated remote
attacker can cause the KDC process to crash by dereferencing a null
pointer.
prep_reprocess_req() can cause a null pointer dereference when
processing a service principal name. Code in this function can
inappropriately pass a null pointer to strlcpy(). Unmodified client
software can trivially trigger this vulnerability, but the attacker
must have already authenticated and received a valid Kerberos ticket.
The vulnerable code was introduced by the implementation of new
service principal realm referral functionality in krb5-1.7, but was
corrected as a side effect of the KDC refactoring in krb5-1.11.
CVSSv2 vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C
(cherry picked from commit 8ee70ec63931d1e38567905387ab9b1d45734d81)
https://github.com/krb5/krb5/commit/9fd9edbf12c4203cb2690c51c7ddea006e3215a5
Author: Tom Yu <tlyu at mit.edu>
Commit: 9fd9edbf12c4203cb2690c51c7ddea006e3215a5
Branch: krb5-1.9
src/kdc/do_tgs_req.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
More information about the krb5-bugs
mailing list