MITKRB5-SA-2003-05: Buffer overrun and underrun in principal name handling
Iljun Kim
ij at internet2.edu
Fri Mar 21 05:04:48 EST 2003
This patch was applied to both servers also.
Thanks.
--IJ.
On Wed, Mar 19, 2003 at 08:04:32PM -0500, Ken Raeburn wrote:
>
> MIT krb5 Security Advisory 2003-005
>
> 2003-03-19
>
> Topic: Buffer overrun and underrun in principal name handling
>
> Severity: SERIOUS
>
> SUMMARY
> =======
>
> Buffer overrun and underrun problems exist in Kerberos principal name
> handling in unusual cases, such as names with zero components, names
> with one empty component, or host-based service principal names with
> no host name component.
>
> IMPACT
> ======
>
> * Corruption of malloc pool, probably leading to program crash.
>
> + The KDC may be vulnerable.
>
> + Depending on the malloc implementation and platform, it may be
> possible to build more serious exploits on this.
>
> * Reference to data just past the end of an array in the KDC, for
> comparison against certain fixed data. May result in crashing the
> KDC.
>
> AFFECTED SOFTWARE
> =================
>
> MIT Kerberos 5, all released versions through 1.2.7 and 1.3-alpha1.
>
> FIX
> ===
>
> The following patches should fix the most urgent aspects of the
> problems in the 1.2.7 release. If these patches do not apply cleanly
> to 1.2.6 and earlier versions, the corresponding changes should be
> fairly straightforward. The patch to krb5.hin should change any
> missed overrun cases in this area into null pointer dereferences,
> which will be more likely to crash the program instead of referencing
> arbitrary data.
>
> Index: include/krb5.hin
> ===================================================================
> RCS file: /cvs/krbdev/krb5/src/include/krb5.hin,v
> retrieving revision 1.94.2.5.2.17
> diff -p -u -r1.94.2.5.2.17 krb5.hin
> +++ include/krb5.hin 2003/03/19 00:38:54
> @@ -326,7 +326,7 @@ typedef krb5_const krb5_principal_data F
> #define krb5_princ_size(context, princ) (princ)->length
> #define krb5_princ_type(context, princ) (princ)->type
> #define krb5_princ_name(context, princ) (princ)->data
> -#define krb5_princ_component(context, princ,i) ((princ)->data + i)
> +#define krb5_princ_component(context, princ,i) (i < krb5_princ_size(context, princ) ? ((princ)->data + i) : NULL)
>
> /*
> * end "base-defs.h"
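Review bot: the new krb5_princ_component macro guards only the upper bound; if i is a signed index, a negative value still satisfies `i < krb5_princ_size(context, princ)` and yields a pointer before `(princ)->data`, so a lower-bound check (`i >= 0`) belongs in the same conditional. The macro also evaluates i twice and leaves it unparenthesized, so an argument with side effects or a lower-precedence operator would misbehave; wrap it as `(i)`. Returning NULL turns any remaining out-of-range use into a null dereference, as the FIX text says, but callers that write `krb5_princ_component(...)->length` still crash rather than fail cleanly, so they should test the result or check krb5_princ_size first.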
> Index: kdc/kdc_util.c
> ===================================================================
> RCS file: /cvs/krbdev/krb5/src/kdc/kdc_util.c,v
> retrieving revision 5.96.2.2.2.3
> diff -p -u -r5.96.2.2.2.3 kdc_util.c
> +++ kdc/kdc_util.c 2003/03/19 00:39:00
> @@ -157,7 +157,8 @@ realm_compare(princ1, princ2)
> krb5_boolean krb5_is_tgs_principal(principal)
> krb5_principal principal;
> {
> - if ((krb5_princ_component(kdc_context, principal, 0)->length ==
> + if (krb5_princ_size(kdc_context, principal) > 0 &&
> + (krb5_princ_component(kdc_context, principal, 0)->length ==
> KRB5_TGS_NAME_SIZE) &&
> (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
> KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE)))
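Review bot: the added `krb5_princ_size(kdc_context, principal) > 0 &&` is what makes both `krb5_princ_component(kdc_context, principal, 0)` dereferences safe, and only because `&&` short-circuits; it must stay the first term if the condition is ever reordered. With the krb5.hin change applied as well, component 0 of an empty principal would be NULL, so this size check is the only thing between the KDC and a null dereference here. A regression test with a zero-component principal should now have krb5_is_tgs_principal return FALSE instead of comparing data past the end of the array; other KDC sites that index components directly are not covered by this hunk, which matches the advisory's note that the problem exists elsewhere.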
> Index: lib/krb5/krb/unparse.c
> ===================================================================
> RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/unparse.c,v
> retrieving revision 5.27.4.1
> diff -p -u -r5.27.4.1 unparse.c
> +++ lib/krb5/krb/unparse.c 2003/03/19 00:39:02
> @@ -153,7 +153,8 @@ krb5_unparse_name_ext(context, principal
> *q++ = COMPONENT_SEP;
> }
>
> - q--; /* Back up last component separator */
> + if (i > 0)
> + q--; /* Back up last component separator */
> *q++ = REALM_SEP;
>
> cp = krb5_princ_realm(context, principal)->data;
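Review bot: `if (i > 0) q--;` depends on i still holding the component count after the loop that wrote each COMPONENT_SEP; that is true as written but fragile, and `krb5_princ_size(context, principal) > 0` would state the intent directly and survive a later change to the loop variable. With zero components the output becomes just REALM_SEP followed by the realm, so the allocation that sizes the output buffer earlier in krb5_unparse_name_ext (not shown in this hunk) must also allow for that case rather than assuming at least one component. Minor style point: a brace pair around the guarded `q--` would keep the "Back up last component separator" comment attached to the statement it describes.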
>
>
> The problem exists in other parts of the code as well, but should only
> result in crashing application servers when the realm has been
> misconfigured to use broken service names, or crashing application
> clients when they are supplied broken principal names.
>
> ACKNOWLEDGMENTS
> ===============
>
> Thanks to Nalin Dahyabhai of Red Hat for bringing the problems to our
> attention.
>
> CONTACT
> =======
>
> For more information, contact Ken Raeburn <raeburn at mit.edu>, Sam
> Hartman <hartmans at mit.edu>, or Marshall Vale <mjv at mit.edu>.
>
> This announcement and related security advisories may be found on the
> MIT Kerberos security advisory page at:
>
> http://web.mit.edu/kerberos/www/advisories/index.html
>
> The main MIT Kerberos web page is at:
>
> http://web.mit.edu/kerberos/www/index.html
> _______________________________________________
> kerberos-announce mailing list
> kerberos-announce at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos-announce
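As an added illustration (not code from the advisory or from MIT krb5), the unparse.c change modelled on a reduced principal structure: realm_sep_offset shows where the realm separator lands with and without the `if (i > 0)` guard, and unparse_princ is the patched logic with an explicit output-size check. The names princ_t, realm_sep_offset and unparse_princ are assumed.

```c
/* Added illustration, not MIT code: a reduced model of the unparse.c fix.
 * The names princ_t, realm_sep_offset and unparse_princ are assumed. */
#include <string.h>

#define COMPONENT_SEP '/'
#define REALM_SEP '@'

typedef struct {               /* stand-in for krb5_principal_data */
    const char *realm;
    const char **comp;         /* name components */
    int ncomp;                 /* krb5_princ_size() in the advisory */
} princ_t;

/* Offset at which REALM_SEP lands.  Pre-patch (fixed == 0) the unconditional
 * q-- backs up over a separator that was never written when ncomp == 0,
 * giving -1: one byte before the buffer, the underrun in the advisory. */
static int realm_sep_offset(const princ_t *p, int fixed)
{
    int q = 0, i;
    for (i = 0; i < p->ncomp; i++)
        q += (int)strlen(p->comp[i]) + 1;   /* component + COMPONENT_SEP */
    if (!fixed || i > 0)                     /* patched: back up only if i > 0 */
        q--;
    return q;
}

/* Patched unparse: "c1/c2@REALM", or "@REALM" for zero components.
 * Returns 0 on success, -1 if the result would not fit in outlen bytes. */
static int unparse_princ(const princ_t *p, char *out, size_t outlen)
{
    size_t need = strlen(p->realm) + 2;      /* REALM_SEP + NUL */
    char *q = out;
    int i;
    for (i = 0; i < p->ncomp; i++)
        need += strlen(p->comp[i]) + 1;      /* component + COMPONENT_SEP */
    if (need > outlen)
        return -1;
    for (i = 0; i < p->ncomp; i++) {
        size_t n = strlen(p->comp[i]);
        memcpy(q, p->comp[i], n);
        q += n;
        *q++ = COMPONENT_SEP;
    }
    if (i > 0)                               /* the fix from the advisory */
        q--;
    *q++ = REALM_SEP;
    strcpy(q, p->realm);
    return 0;
}
```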
More information about the krbdev mailing list