[UNIX] MIT Kerberos ASN.1 Decoder DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 09/02/04
To: list@securiteam.com Date: 2 Sep 2004 14:20:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
MIT Kerberos ASN.1 Decoder DoS
------------------------------------------------------------------------
SUMMARY
The ASN.1 decoder library in the MIT Kerberos 5 distribution is vulnerable
to a denial-of-service attack causing an infinite loop in the decoder. The
KDC is vulnerable to this attack.
DETAILS
Affected Software:
* KDC software and applications from MIT Kerberos 5 releases krb5-1.2.2
through krb5-1.3.4.
* Applications using the MIT krb5 libraries from the above releases.
Details:
The ASN.1 decoder in the MIT krb5 library handles indefinite-length BER
encodings for the purpose of backwards compatibility with some
non-conformant implementations. The ASN.1 decoders call asn1buf_sync() to
skip any trailing unrecognized fields in the encoding of a SEQUENCE type.
asn1buf_sync() calls asn1buf_skiptail() if the ASN.1 SEQUENCE type being
decoded was encoded with an indefinite length. asn1buf_sync() is provided
with a prefetched BER tag; a placeholder tag is provided by the
prefetching code in the case where there are no more octets in a
sub-encoding.
The loop in asn1buf_skiptail() which attempts to skip trailing
sub-encodings of an indefinite-length SEQUENCE type does not properly
check for end-of-subbuffer conditions or for the placeholder tag, leading
to an infinite loop. Valid BER encodings cannot cause this condition;
however, it is trivial to construct a corrupt encoding which will trigger
the infinite loop.
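To make the loop condition described above concrete, here is a small self-contained model of an indefinite-length tail skipper with the remaining-octets check in place. This is added example code, not code from MIT krb5 or from the advisory: the `mini_*` names, the two-pointer buffer struct and the sample encodings are constructed for the illustration. The struct mirrors the `bound - next + 1` remaining-length idiom that appears in the patches below, with `bound` assumed to point at the last valid octet. It goes slightly beyond the advisory text by also handling nested indefinite-length values, which is what a `nestlevel` counter exists for.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal stand-in for krb5's asn1buf (not the real struct):
 * `next` is the read cursor and `bound` is assumed to point at the LAST
 * valid octet, so `bound - next + 1` is the number of unread octets, the
 * same idiom the advisory's patch uses. */
typedef struct {
    const unsigned char *next;
    const unsigned char *bound;
} mini_asn1buf;

enum { MINI_OK = 0, MINI_OVERRUN = 1, MINI_BAD_TAG = 2 };

static long mini_remains(const mini_asn1buf *buf)
{
    return (long)(buf->bound - buf->next + 1);
}

/* Read one BER identifier + length. Recognizes the 00 00 end-of-contents
 * marker (*eoc) and the 0x80 indefinite-length octet (*indef). Multi-octet
 * tag numbers are rejected to keep the model short. */
static int mini_get_tag(mini_asn1buf *buf, unsigned long *len, int *indef, int *eoc)
{
    unsigned char b;
    int n;
    *len = 0; *indef = 0; *eoc = 0;
    if (mini_remains(buf) < 2)          /* need at least identifier + length */
        return MINI_OVERRUN;
    b = *buf->next++;
    if (b == 0x00) {                    /* end-of-contents must be 00 00 */
        if (*buf->next++ != 0x00) return MINI_BAD_TAG;
        *eoc = 1;
        return MINI_OK;
    }
    if ((b & 0x1f) == 0x1f) return MINI_BAD_TAG;
    b = *buf->next++;
    if (b == 0x80) { *indef = 1; return MINI_OK; }   /* indefinite form */
    if (b < 0x80)  { *len = b;  return MINI_OK; }    /* short definite form */
    n = b & 0x7f;                                    /* long definite form */
    if (n == 0 || n > 4 || mini_remains(buf) < n) return MINI_OVERRUN;
    while (n-- > 0) *len = (*len << 8) | *buf->next++;
    return MINI_OK;
}

/* Skip the trailing sub-encodings of an indefinite-length constructed value
 * (the job asn1buf_skiptail() does). nestlevel counts open indefinite-length
 * values; each end-of-contents closes one. The remaining-octets test at the
 * top of the loop is the defensive step the advisory's patch adds: on a
 * truncated encoding the loop returns MINI_OVERRUN instead of spinning. */
static int mini_skiptail(mini_asn1buf *buf)
{
    int nestlevel = 1;
    while (nestlevel > 0) {
        unsigned long len;
        int indef, eoc, rv;
        if (mini_remains(buf) <= 0)
            return MINI_OVERRUN;
        rv = mini_get_tag(buf, &len, &indef, &eoc);
        if (rv) return rv;
        if (eoc)   { nestlevel--; continue; }
        if (indef) { nestlevel++; continue; }  /* nested indefinite value */
        if ((unsigned long)mini_remains(buf) < len) return MINI_OVERRUN;
        buf->next += len;                      /* definite-length: skip contents */
    }
    return MINI_OK;
}

/* Convenience wrapper: octets consumed on success, negative error code otherwise. */
static long mini_skip_indef_tail(const unsigned char *data, size_t len)
{
    mini_asn1buf buf;
    int rv;
    if (len == 0) return -MINI_OVERRUN;
    buf.next = data;
    buf.bound = data + len - 1;
    rv = mini_skiptail(&buf);
    return rv ? -(long)rv : (long)(buf.next - data);
}

/* Constructed sample encodings (not captured traffic). */
static const unsigned char SAMPLE_WELLFORMED[] = { 0x02, 0x01, 0x05, 0x04, 0x00, 0x00, 0x00 }; /* INTEGER 5, empty OCTET STRING, EOC */
static const unsigned char SAMPLE_NESTED[]     = { 0x30, 0x80, 0x02, 0x01, 0x07, 0x00, 0x00, 0x00, 0x00 }; /* indefinite SEQUENCE{INTEGER 7}, EOC, EOC */
static const unsigned char SAMPLE_NO_EOC[]     = { 0x02, 0x01, 0x05, 0x04, 0x00 }; /* sub-encodings but no EOC */
static const unsigned char SAMPLE_SHORT_LEN[]  = { 0x02, 0x05, 0x01 }; /* length claims 5, only 1 octet present */

int main(void)
{
    printf("well-formed tail: %ld\n", mini_skip_indef_tail(SAMPLE_WELLFORMED, sizeof SAMPLE_WELLFORMED));
    printf("nested indefinite: %ld\n", mini_skip_indef_tail(SAMPLE_NESTED, sizeof SAMPLE_NESTED));
    printf("missing EOC: %ld\n", mini_skip_indef_tail(SAMPLE_NO_EOC, sizeof SAMPLE_NO_EOC));
    printf("length past end: %ld\n", mini_skip_indef_tail(SAMPLE_SHORT_LEN, sizeof SAMPLE_SHORT_LEN));
    return 0;
}
```

The two truncated samples are the cases the advisory is about: without the `mini_remains(buf) <= 0` test at the top of the loop, a tail that simply runs out of octets before its end-of-contents marker never decrements `nestlevel`, and the loop has no other exit.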
Impact:
* An unauthenticated remote attacker can cause a KDC or application
server to hang inside an infinite loop. [CAN-2004-0644]
* An attacker impersonating a legitimate KDC or application server may
cause a client program to hang inside an infinite loop. [CAN-2004-0644]
Fixes:
* The upcoming krb5-1.3.5 release will contain fixes for these problems.
* Apply the appropriate patch referenced below, and rebuild the software.
Patches available:
* Patch against krb5-1.3.4 (should apply to earlier krb5-1.3.x releases)
* Patch against krb5-1.2.8 (should apply to releases krb5-1.2.2 through
krb5-1.2.7 as well)
Patch Against krb5-1.3.4:
* This patch was generated against krb5-1.3.4; it may apply, with some
offset, to earlier krb5-1.3.x releases.
This patch may also be found at:
<http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt>
The associated detached PGP signature is at:
<http://web.mit.edu/kerberos/advisories/2004-003-patch_1.3.4.txt.asc>
Index: src/lib/krb5/asn.1/asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.24
*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24
--- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:43:47 -0000
***************
*** 122,127 ****
--- 122,129 ----
return ASN1_OVERRUN;
}
while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
retval = asn1_get_tag_2(buf, &t);
if (retval) return retval;
if (!t.indef) {
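Review bot: the new test at the top of the `while (nestlevel > 0)` loop only reads correctly if one already knows that `buf->bound` points at the last valid octet rather than one past it; a one-line comment such as `/* no octets left in this (sub)buffer */` next to `if (buf->bound - buf->next + 1 <= 0)` would make the `+ 1` self-explanatory. The advisory also lists the placeholder tag as a condition the loop failed to check; this hunk covers it only indirectly, by returning `ASN1_OVERRUN` before `asn1_get_tag_2()` can run on an exhausted buffer, so that reasoning deserves a comment as well.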
Patch Against krb5-1.2.8:
* This patch was generated against krb5-1.2.8; it may apply, with some
offset, to releases krb5-1.2.2 through krb5-1.2.7. You are strongly
encouraged to update to a release from the krb5-1.3.x series.
This patch may also be found at:
<http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt>
The associated detached PGP signature is at:
<http://web.mit.edu/kerberos/advisories/2004-003-patch_1.2.8.txt.asc>
Index: src/lib/krb5/asn.1/asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.19.2.1
diff -c -r5.19.2.1 asn1buf.c
*** src/lib/krb5/asn.1/asn1buf.c 31 Jan 2001 18:00:12 -0000 5.19.2.1
--- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:54:50 -0000
***************
*** 140,145 ****
--- 140,147 ----
return ASN1_OVERRUN;
}
while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
retval = asn1_get_tag_indef(buf, &class, &construction, &tagnum,
&taglen, &tagindef);
if (retval) return retval;
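Review bot: this is the same remaining-octets check as the krb5-1.3.4 hunk, placed before `asn1_get_tag_indef()` instead of `asn1_get_tag_2()`; since the two branches will be diffed against each other, the added lines should carry an identical comment explaining that `bound` is inclusive (hence `+ 1`) so the fix is recognizable as one change across both release series.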
ADDITIONAL INFORMATION
The information has been provided by Will Fiveash and Nico Williams.
The original article can be found at:
<http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt>