MITKRB5-SA-2005-002: buffer overflow, heap corruption in KDC

From: Tom Yu (tlyu_at_MIT.EDU)
Date: 07/12/05

  • Next message: unsecure_at_writeme.com: "SoftiaCom MailServer v2.0 - Denial Of Service"
    To: bugtraq@securityfocus.com
    Date: Tue, 12 Jul 2005 14:03:21 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----

                     MIT krb5 Security Advisory 2005-002

    Original release: 2005-07-12

    Topic: buffer overflow, heap corruption in KDC

    Severity: CRITICAL

    SUMMARY
    =======

    The MIT krb5 Key Distribution Center (KDC) implementation can corrupt
    the heap by attempting to free memory at a random address when it
    receives a certain unlikely (but valid) request via a TCP connection.
    This attempt to free unallocated memory can result in a KDC crash and
    consequent denial of service. [CAN-2005-1174, VU#259798]

    Additionally, the same request, when received by the KDC via either
    TCP or UDP, can trigger a bug in the krb5 library which results in a
    single-byte overflow of a heap buffer. Application servers are
    vulnerable to a highly improbable attack, provided that the attacker
    controls a realm sharing a cross-realm key with the target
    realm. [CAN-2005-1175, VU#885830]

    An unauthenticated attacker may be able to use these vulnerabilities
    to execute arbitrary code on the KDC host, potentially compromising an
    entire Kerberos realm. No exploit code is known to exist at this
    time. Exploitation of these vulnerabilities is believed to be
    difficult.

    IMPACT
    ======

    An unauthenticated attacker may be able to execute arbitrary code on
    the KDC host, potentially compromising an entire Kerberos realm. An
    unsuccessful attack against the heap corruption vulnerability may
    result in a denial of service by crashing the KDC process.

    AFFECTED SOFTWARE
    =================

    * [CAN-2005-1174] affects the KDC implementation in all MIT krb5
      releases supporting TCP client connections to the KDC. This
      includes krb5-1.3 and later releases, up to and including
      krb5-1.4.1.

    * [CAN-2005-1175] affects KDC implementations and application servers
      in all MIT krb5 releases, up to and including krb5-1.4.1.
      Third-party application servers which use MIT krb5 are also
      affected.

    FIXES
    =====

    * The upcoming krb5-1.4.2 release will have fixes for these
      vulnerabilities.

    * WORKAROUNDS: Disabling TCP support in the KDC avoids one
      vulnerability [CAN-2005-1174]. The single-byte overflow
      [CAN-2005-1175] is still possible even without KDC TCP support
      enabled. Running the KDC from init or from some similar automatic
      respawning facility may reduce the durations of denials of service,
      but this approach may make it difficult to detect deliberate attacks
      targeted at code execution.

    * Apply the patch at:

      http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt

      The associated detached PGP signature is at:

      http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt.asc

      The patch was generated against the krb5-1.4.1 release. It may
      apply, with some offset, to earlier releases. On releases prior to
      krb5-1.3, only the patch to lib/krb5/krb/unparse.c should be
      necessary.

    REFERENCES
    ==========

    This announcement and related security advisories may be found on the
    MIT Kerberos security advisory page at:

            http://web.mit.edu/kerberos/advisories/index.html

    The main MIT Kerberos web page is at:

            http://web.mit.edu/kerberos/index.html

    CVE: CAN-2005-1174
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

    CERT: VU#259798
    http://www.kb.cert.org/vuls/id/259798

    CVE: CAN-2005-1175
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175

    CERT: VU#885830
    http://www.kb.cert.org/vuls/id/885830

    ACKNOWLEDGMENTS
    ===============

    Thanks to Daniel Wachdorf for reporting these vulnerabilities.

    DETAILS
    =======

    Kerberos 5 principal names may have an arbitrary number of components.
    The krb5_unparse_name() function in the MIT krb5 library converts an
    internal representation of a Kerberos principal name into a
    human-readable string. The internal representation might have
    originated from the decoding of a Kerberos protocol message.

    The single-byte overflow occurs whenever the krb5_unparse_name()
    function is called on a principal name having zero components. The
    function writes a null byte to an address one beyond the end of a
    buffer allocated my malloc(). The corresponding krb5_parse_name()
    function never generates an internal representation having zero
    components; instead, it generates at least one zero-length component.
    The current string representation form of Kerberos principal names has
    some ambiguity between a zero-component principal name and a
    one-component principal name having a zero-length single component.

    Application servers which call krb5_unparse_name(), directly or
    indirectly, are vulnerable to the single-byte overflow in
    krb5_unparse_name(), provided that the attacker controls a realm which
    shares a cross-realm key with the target realm. This enables the
    attacker to use a cross-realm ticket for a zero-component client
    principal name, which the application server will then pass to
    krb5_unparse_name(), triggering the single-byte overflow.

    For this attack to succeed, the attacker needs access to a KDC in the
    target realm which will create a ticket for a zero-component client
    principal name. Since the current MIT krb5 KDC implementation will
    refuse to create such a ticket, the attack is unlikely to succeed
    unless the implementation has been altered to allow the issuance of
    tickets for zero-component client principal names.

    When the KDC fails to find the principal with a zero-component name in
    its database (such a principal is very unlikely to exist in most
    databases, as there are extremely few uses for such a principal), it
    attempts to encode an error packet containing the offending principal
    name, using prepare_error_as() or prepare_error_tgs(). This encoding
    attempt fails inside encode_krb5_error(), since the ASN.1 encoder
    function asn1_encode_principal_name() interprets the internal
    representation of a zero-component principal name as an error
    condition.

    encode_krb5_error() does not allocate an output buffer when it
    encounters an error condition. While the UDP request handling code in
    kdc/network.c:process_packet() does not attempt to free the output
    buffer containing the encoded message when it encounters an error, the
    TCP request handling code in process does free the buffer inside
    kill_tcp_connection(), which attempts to free unallocated memory
    pointed to by an uninitialized pointer.

    REVISION HISTORY
    ================

    2005-05-12 original release

    Copyright (C) 2005 Massachusetts Institute of Technology
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.5 (SunOS)

    iQCVAwUBQtMbCabDgE/zdoE9AQFo9QP5AZMbr0YGmyzYbARTqFq+Lt+FYbfQ7XC/
    c1hqTfsTkN0Mfh1I5d6dTjhXQT6kfN+EdNYfPhY+4LANB5CW9xe9BARPcW9i2ftt
    xSTIODrD6LdNtOCCut1ha3T5tcV5GodvXzj7dSClde29j0IJR6dBcigfvR4mAygw
    /U7r46obgM0=
    =SnqK
    -----END PGP SIGNATURE-----


  • Next message: unsecure_at_writeme.com: "SoftiaCom MailServer v2.0 - Denial Of Service"

    Relevant Pages