SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   Kerberos
Vendors:   MIT
Kerberos Uninitialized Pointer Error in merge_authdata() Lets Remote Authenticated Users Deny Service
SecurityTracker Alert ID:  1024512
SecurityTracker URL:  http://securitytracker.com/id/1024512
CVE Reference:   CVE-2010-1322
Date:  Oct 6 2010
Impact:   Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Version(s): krb5-1.8 through krb5-1.8.3
Description:   A vulnerability was reported in Kerberos. A remote authenticated user can cause denial of service conditions. A remote authenticated user may be able to obtain information, modify tickets, or execute arbitrary code.

A remote authenticated user can send specially crafted Kerberos TGS request messages to trigger an uninitialized pointer error and cause the target service to crash. The user may be able to obtain information, modify tickets, or execute arbitrary code.

Legitimate requests produced by Windows Active Directory clients may trigger these denial of service conditions.

Mike Roszkowski reported this vulnerability.

The vulnerability resides in the merge_authdata() function in 'kdc_authdata.c'.

Impact:   A remote authenticated user can cause denial of service conditions.

A remote authenticated user may be able to obtain information, modify tickets, or execute arbitrary code.

Solution:   The vendor has issued a patch, available at:

http://web.mit.edu/kerberos/advisories/2010-006-patch.txt

The patch will be included in the upcoming krb5-1.8.4 release.

The vendor's advisory is available at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt

Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 10 2010 (Red Hat Issues Fix) Kerberos Uninitialized Pointer Error in merge_authdata() Lets Remote Authenticated Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 6.



Source Message Contents

Subject:  MITKRB5-SA-2010-006 [CVE-2010-1322] KDC uninitialized pointer crash in authorization data handling

MITKRB5-SA-2010-006

MIT krb5 Security Advisory 2010-006
Original release: 2010-10-05

Topic: KDC uninitialized pointer crash in authorization data handling

CVE-2010-1322

CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      8

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: Partial
Integrity Impact:       Partial
Availability Impact:    Complete

CVSSv2 Temporal Score:  7

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

When the MIT krb5 KDC receives certain Kerberos TGS request messages,
it may dereference an uninitialized pointer while processing
authorization data, causing a crash, or in rare cases, unauthorized
information disclosure, ticket modification, or execution of arbitrary
code.  The crash may be triggered by legitimate requests.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.

IMPACT
======

An authenticated remote attacker can cause the MIT krb5 KDC process to
crash, resulting in a denial of service.  In rare cases, the attacker
can theoretically induce unauthorized information disclosure, ticket
modification, or the execution of arbitrary code.

The denial of service may be triggered by legitimate requests produced
by Windows Active Directory clients.  No exploit code is known to
exist that would cause information disclosure, ticket modification, or
arbitrary code execution.

AFFECTED SOFTWARE
=================

* KDC in MIT krb5-1.8 through krb5-1.8.3

* Earlier releases of MIT krb5 did not contain the vulnerable code.

FIXES
=====

* The upcoming krb5-1.8.4 release will contain a fix for this
  vulnerability.

* Apply the following patch.  The patch was generated against
  krb5-1.8.3.

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index b5de64d..cc44e29 100644
- --- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -495,7 +495,7 @@ merge_authdata (krb5_context context,
                 krb5_boolean copy,
                 krb5_boolean ignore_kdc_issued)
 {
- -    size_t i, nadata = 0;
+    size_t i, j, nadata = 0;
     krb5_authdata **authdata = *out_authdata;
 
     if (in_authdata == NULL || in_authdata[0] == NULL)
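Review bot: the `- ---` file header and the `- -` prefix on removed lines are PGP clear-signing dash-escapes carried over from the signed message, not part of the patch, so this text will not apply with `patch -p1` until the leading `- ` is stripped (or the plain copy at the URL below is used). Declaring `j` alongside `i` is the right shape for the fix: `i` walks the source list and `j` counts only the items actually placed in the destination.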
@@ -529,16 +529,16 @@ merge_authdata (krb5_context context,
         in_authdata = tmp;
     }
 
- -    for (i = 0; in_authdata[i] != NULL; i++) {
+    for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
         if (ignore_kdc_issued &&
             is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
             free(in_authdata[i]->contents);
             free(in_authdata[i]);
         } else
- -            authdata[nadata + i] = in_authdata[i];
+            authdata[nadata + j++] = in_authdata[i];
     }
 
- -    authdata[nadata + i] = NULL;
+    authdata[nadata + j] = NULL;
 
     free(in_authdata);
 
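Review bot: the fix is correct: `j` is incremented only on the store branch, so a filtered KDC-issued item no longer leaves `authdata[nadata + i]` unwritten, and terminating at `authdata[nadata + j]` puts the NULL directly after the last stored pointer. One suggestion: a regression test that merges a list with a KDC-issued item in the middle under `ignore_kdc_issued` and walks the result to its NULL terminator would lock this behaviour in, since nothing in the loop itself would catch a hole being reintroduced.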

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2010-006-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2010-006-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2010-1322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1322

ACKNOWLEDGMENTS
===============

Thanks to Mike Roszkowski for reporting this vulnerability, providing
a patch, and helping with analysis.  Thanks to Pavel Jindra and
Radoslav Bodo for additional testing.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

In the function merge_authdata() in kdc_authdata.c, a loop that
attempts to exclude KDC-issued authorization data items when merging
two authorization data lists will advance the destination index
inappropriately when filtering out such an item.  As a result, that
entry in the destination list will be an uninitialized pointer.

Subsequent operations on the resulting authorization data list can
dereference that uninitialized pointer, typically causing a crash.  It
is theoretically possible that an attacker could manipulate the
contents of the heap so that the uninitialized pointer points to a
valid address, allowing unauthorized information disclosure,
manipulation of the authorization data in the resulting ticket, or a
subsequent free of that pointer.  It is theoretically possible that an
attacker inducing the freeing of a chosen pointer could corrupt the
heap and execute arbitrary code.

Windows Active Directory clients can produce TGS requests that trigger
this vulnerability fairly consistently.
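To make the indexing error concrete, here is an added example (not MIT's code) that reproduces the merge loop from merge_authdata() in simplified form, with a sentinel standing in for heap garbage so the never-written slot can be counted; `authdatum`, `AD_KDC_ISSUED`, `merge_filtered` and `count_uninitialized_slots` are assumed names for this illustration, not krb5 identifiers.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for krb5_authdata (an assumption, not the krb5 type). */
typedef struct { int ad_type; char *contents; } authdatum;
#define AD_KDC_ISSUED 4   /* constructed type value marking a KDC-issued item */

/* Append the NULL-terminated list 'in' (ownership transferred) to 'out', which
 * already holds 'nadata' items.  'fixed' selects the patched loop.  Returns the
 * index at which the NULL terminator was written. */
size_t merge_filtered(authdatum **out, size_t nadata, authdatum **in, int fixed)
{
    size_t i, j = 0, term;
    for (i = 0; in[i] != NULL; i++) {
        if (in[i]->ad_type == AD_KDC_ISSUED) {     /* drop KDC-issued items */
            free(in[i]->contents); free(in[i]);
        } else if (fixed) {
            out[nadata + j++] = in[i];   /* patched: j advances only on store */
        } else {
            out[nadata + i] = in[i];     /* CVE-2010-1322: dropped item's slot is never written */
        }
    }
    term = nadata + (fixed ? j : i); out[term] = NULL;
    free(in); return term;
}

static authdatum sentinel;   /* marks slots never written; stands in for heap garbage */
static authdatum *mk(int type, const char *s)
{
    authdatum *ad = malloc(sizeof *ad);
    ad->ad_type = type;
    ad->contents = strdup(s);
    return ad;
}

/* Constructed scenario: one existing item, incoming [plain, KDC-issued, plain].
 * Returns how many slots before the terminator were never written. */
size_t count_uninitialized_slots(int fixed)
{
    authdatum *out[8], **in = calloc(4, sizeof *in);   /* in[3] == NULL */
    size_t k, term, bad = 0;
    for (k = 0; k < 8; k++) out[k] = &sentinel;
    out[0] = mk(1, "existing");
    in[0] = mk(1, "a"); in[1] = mk(AD_KDC_ISSUED, "kdc"); in[2] = mk(1, "b");
    term = merge_filtered(out, 1, in, fixed);
    for (k = 0; k < term; k++) {
        if (out[k] == &sentinel) bad++;              /* the hole the KDC then dereferences */
        else { free(out[k]->contents); free(out[k]); }
    }
    return bad;
}
```

With the original loop the merged list contains one sentinel slot between the retained items, which is the uninitialized pointer the advisory describes; the patched loop leaves none.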

REVISION HISTORY
================

2010-10-05      original release

Copyright (C) 2010 Massachusetts Institute of Technology