-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-007

MIT krb5 Security Advisory 2011-007
Original release: 2011-12-06
Last update: 2011-12-06

Topic: KDC null pointer dereference in TGS handling

CVE-2011-1530
KDC null pointer dereference in TGS handling

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score: 6.8

Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

CVSSv2 Temporal Score: 5.9

Exploitability: High
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY

In releases krb5-1.9 and later, the KDC can crash due to a null
pointer dereference in code that handles TGS (Ticket Granting Service)
requests. The trigger condition is trivial to produce using
unmodified client software, but requires the ability to authenticate
as a principal in the KDC's realm.

IMPACT

An authenticated remote attacker can crash a KDC via null pointer
dereference.

AFFECTED SOFTWARE

• The KDC in krb5-1.9 and later is vulnerable. Earlier releases
  predate the internal interface changes that led to this
  vulnerability.

FIXES

• Workaround: restart the KDC when it crashes, possibly using an
  automated monitoring process.

• Apply the patch:

diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index f46cad3…102fbaa 100644

• — a/src/kdc/Makefile.in
  +++ b/src/kdc/Makefile.in
  @@ -67,6 +67,7 @@ check-unix:: rtest

check-pytests::
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)

•   $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
  

install::
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54…840a2ef 100644

• — a/src/kdc/do_tgs_req.c
  +++ b/src/kdc/do_tgs_req.c
  @@ -243,7 +243,8 @@ tgt_again:
  if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
  errcode = find_alternate_tgs(request, &server);
  firstpass = 0;

• •                    goto tgt_again;
    

•                    if (errcode == 0)
  

•                        goto tgt_again;
                 }
             }
             status = "UNKNOWN_SERVER";
  

diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
new file mode 100644
index 0000000…1760bcd

• — /dev/null
  +++ b/src/kdc/t_emptytgt.py
  @@ -0,0 +1,8 @@
  +#!/usr/bin/python
  +from k5test import *

+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:

• fail('TGT lookup for empty realm failed in unexpected way')
  +success('Empty tgt lookup.')

This patch is also available at

http://web.mit.edu/kerberos/advisories/2011-007-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2011-007-patch.txt.asc

REFERENCES

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-1530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530

ACKNOWLEDGMENTS

Simo Sorce discovered this vulnerability.

CONTACT

The MIT Kerberos Team security contact address is
<[email protected]>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact <[email protected]>

DETAILS

The process_tgs_req() function in the KDC has logic that attempts to
find an alternative service principal if the service principal in the
client's TGS-REQ is unknown. If the find_alternate_tgs() helper
function returns an error that is not KRB5_KDB_NOENTRY, it leaves the
server variable holding a null pointer. The process_tgs_req()
function improperly ignores that error, and proceeds to call functions
that dereference the null pointer.

Prior to krb5-1.9, the krb5_db_get_principal() function and related
interfaces had output parameters "more" and "nprincs". The krb5-1.9
release includes changes to these interfaces so that they no longer
have those outputs. Prior to krb5-1.9, the find_alternate_tgs()
function in the KDC had a void return type, and indicated failure by
setting its "more" and "nprincs" outputs appropriately. Its interface
changed in krb5-1.9 to instead return an error code, with
corresponding changes to process_tgs_req(); these changes to
process_tgs_req() were flawed and allow errors other than
KRB5_KDB_NOENTRY to cause a null pointer dereference.

The vulnerable code executes after the KDC authenticates the request,
so an attacker must have first obtained valid initial Kerberos
credentials for the target realm.

REVISION HISTORY

2011-12-06 original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iQCVAgUBTt5mYabDgE/zdoE9AQIuKAQA0K1YUeTKjEIVjEIufpTanNoipQiWRNCE
alUjkcxQeD3yFK8LU6yKcs0CdTI60FDst3788tUtoGDdwpnbc90Rv8EID00VtgEc
0rI4Nfe32MxP/UlNNVRinWkwtDLWeh1gKQOPXAjeapKQcWAFB3tM/haRnDgCu49I
snM0jQSBFgA=
=FK9G
-----END PGP SIGNATURE-----