[krbdev.mit.edu #7570] PKINIT null pointer deref [CVE-2013-1415]

Benjamin Kaduk via RT rt-comment at krbdev.mit.edu
Mon Feb 25 17:40:45 EST 2013


The detailed analysis:

The process_as_req() function in the KDC has support for pluggable
modules that implement various types of preauthentication.  The PKINIT
preauthentication module (using public key cryptography for initial
authentication) is part of the MIT krb5 source distribution, and is
compiled by default when a usable cryptography backend is present.
Before the PKINIT module will be used in AS_REQ processing, it must
be configured in the KDC configuration profile (e.g., kdc.conf).
When processing an AS_REQ of type KRB5_PADATA_PK_AS_REQ, the KDC
performs initial validation of the request, checking the Diffie-Hellman
parameters and verifying the authenticator checksum before proceeding
to check that a KDC public key ID is present and matches the KDC
configuration.  During the process of checking for a KDC public key ID,
the KDC must extract an issuer and serial number from the client-supplied
X.509 certificate.  If this extraction fails, a null pointer is returned
which the server detects as an error, and the server proceeds to its
cleanup code, which deallocates memory that was allocated to process the
request.  This cleanup code unconditionally dereferences the pointer
holding the issuer and serial number information, which is a null pointer
in this error case.  This potential for null pointer dereference has
been present since the introduction of the PKINIT code, in krb5-1.6.3.

The vulnerable code executes after substantial validation and processing
of the request, so an attacker must be able to successfully perform
PKINIT preauthentication or observe or modify a valid preauthentication
attempt.
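The pattern the analysis describes, written out as an added C example that is not MIT krb5 code: an extraction routine that returns NULL on failure, an error path that jumps to shared cleanup, and a cleanup routine that dereferences the pointer without checking it, beside a hardened version that tolerates NULL. All type and function names here (`issuer_and_serial`, `client_cert`, `extract_issuer_and_serial`, `handle_pk_as_req`) are hypothetical stand-ins chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-ins for the real PKINIT types; not krb5's own. */
typedef struct {
    char *issuer;
    unsigned long serial;
} issuer_and_serial;

typedef struct {
    const char *issuer;     /* NULL models a certificate the parser rejects */
    unsigned long serial;
} client_cert;

enum { OK = 0, ERR_CERT = 1 };

/* Returns NULL when no issuer/serial pair can be taken from the cert. */
static issuer_and_serial *extract_issuer_and_serial(const client_cert *cert) {
    if (cert == NULL || cert->issuer == NULL)
        return NULL;
    issuer_and_serial *ias = calloc(1, sizeof(*ias));
    if (ias == NULL)
        return NULL;
    size_t len = strlen(cert->issuer) + 1;
    ias->issuer = malloc(len);
    if (ias->issuer == NULL) {
        free(ias);
        return NULL;
    }
    memcpy(ias->issuer, cert->issuer, len);
    ias->serial = cert->serial;
    return ias;
}

/* The shape of the bug: cleanup dereferences ias unconditionally, so
 * reaching it with ias == NULL on the error path crashes the process. */
void free_issuer_and_serial_unsafe(issuer_and_serial *ias) {
    free(ias->issuer);      /* NULL dereference when extraction failed */
    free(ias);
}

/* Hardened cleanup: a NULL pointer means nothing was allocated. */
static void free_issuer_and_serial(issuer_and_serial *ias) {
    if (ias == NULL)
        return;
    free(ias->issuer);
    free(ias);
}

/* Models the request flow: extract, fail early, fall through to cleanup.
 * Uses the hardened cleanup, so the error path is safe to exercise. */
int handle_pk_as_req(const client_cert *cert) {
    int retval = OK;
    issuer_and_serial *ias = NULL;

    ias = extract_issuer_and_serial(cert);
    if (ias == NULL) {
        retval = ERR_CERT;
        goto cleanup;       /* error detected, cleanup runs with ias == NULL */
    }
    /* ... matching the KDC public key ID against configuration would go here ... */

cleanup:
    free_issuer_and_serial(ias);
    return retval;
}

int main(void) {
    client_cert good = { "CN=Constructed Test CA", 42 };   /* constructed input */
    client_cert bad = { NULL, 0 };                          /* constructed input */
    printf("good cert -> %d\n", handle_pk_as_req(&good));
    printf("bad cert  -> %d\n", handle_pk_as_req(&bad));
    return 0;
}
```

The fix is purely in the cleanup routine: initialising the pointer to NULL at declaration and having cleanup treat NULL as "nothing to release" lets a single `goto cleanup` error path serve every failure point without knowing which allocations succeeded.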
