Category: Application (Security) > Kerberos
Vendors: MIT
Kerberos KDC Double Free in process_tgs_req() May Let Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1023904
CVE Reference: CVE-2010-1320
Date:  Apr 20 2010
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): krb5-1.7 and later
Description:   A vulnerability was reported in the Kerberos KDC. A remote authenticated user can cause denial of service conditions and may be able to execute arbitrary code on the target system.

A remote authenticated user can send specially crafted data to trigger a double free in process_tgs_req() and cause the KDC to crash or potentially execute arbitrary code.

Joel Johnson reported this vulnerability.

Impact:   A remote authenticated user can cause the target KDC to crash.

A remote authenticated user may be able to execute arbitrary code on the target system.

Solution:   The vendor has issued a patch, available at:

The fix will be included in the upcoming version krb5-1.8.2 and an upcoming krb5-1.7 series version.

The vendor's advisory is available at:

Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

Source Message Contents

Subject:  MITKRB5-SA-2010-004 [CVE-2010-1320] double free in KDC



MIT krb5 Security Advisory 2010-004
Original release: 2010-04-20

Topic: double free in KDC



CVSSv2 Base Score:      9

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed


A double free vulnerability exists in the KDC in MIT krb5 releases
krb5-1.7 and later.

This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.


An authenticated remote attacker can crash the KDC by inducing the KDC
to perform a double free.  Under some circumstances on some platforms,
this could also allow malicious code execution.  Successfully inducing
code execution by exploiting a double free is believed to be
difficult, and no such exploits are known to exist for this


* KDC in krb5-1.7 and later


* The upcoming krb5-1.8.2 release, as well as an upcoming krb5-1.7
  series release, will contain a fix.

* Apply the following patch:

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b2f0655..76ca94a 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -543,6 +543,7 @@ tgt_again:
            to the caller */
         ticket_reply = *(header_ticket);
         enc_tkt_reply = *(header_ticket->enc_part2);
+        enc_tkt_reply.authorization_data = NULL;
         clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
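Review bot: the added `enc_tkt_reply.authorization_data = NULL;` detaches that one member, but the assignment just above it, `enc_tkt_reply = *(header_ticket->enc_part2);`, is a whole-struct copy, so every other pointer member of enc_part2 is still shared between the request ticket and the reply; a one-line comment here saying that authorization_data is the only member of enc_tkt_reply the end-of-function cleanup releases (and therefore the only one that must be detached) would keep a later change from either reintroducing the alias or starting to free another shared member.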
@@ -554,6 +555,7 @@ tgt_again:
            to the caller */
         ticket_reply = *(header_ticket);
         enc_tkt_reply = *(header_ticket->enc_part2);
+        enc_tkt_reply.authorization_data = NULL;
         old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
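Review bot: this is the second identical copy-then-NULL sequence in the same function (the earlier hunk adds the same line after the same struct copy); duplicated ownership fixes tend to drift apart, so consider a small helper that copies header_ticket->enc_part2 into enc_tkt_reply and clears authorization_data in one place, or at least a comment at both sites explaining that the reply must not share the request's authorization data because both are freed on exit. Starting from NULL is also what makes the krb5-1.8 merge_authdata() path safe, since realloc() on a NULL pointer allocates a fresh block instead of releasing the request's.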

  This patch is also available at

  A PGP-signed patch is available at


This announcement is posted at:

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:


CVE: CVE-2010-1320

Debian bug #577490


Joel Johnson reported this bug to Debian.  Brian Almeida provided a
report that this bug affects krb5-1.7 releases.


The MIT Kerberos Team security contact address is
<>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact <>


When process_tgs_req() handles renewal or validation of existing
tickets, it copies header_ticket->enc_part2 (from the ticket that is
being validated or renewed) to enc_tkt_reply (the new ticket being
generated for the reply).  This causes
enc_tkt_reply.authorization_data to be an alias for memory that
belongs to the request.  As process_tgs_req() exits, it frees both
header_ticket and enc_tkt_reply, which causes the aliased memory to be
freed twice.

In the krb5-1.8 releases, unlike prior MIT krb5 releases, the TGS
request processing normally adds a "signedpath" authorization data
element, which causes merge_authdata() to run.  Inside
merge_authdata() is a call to realloc() that can potentially cause the
authorization data from header_ticket to be freed (if realloc() needs
to relocate the memory) an additional time before the cleanup code at
the end of process_tgs_req().  The krb5-1.7 releases can still
encounter this condition under less common circumstances, such as when
a client provides authorization data that it wants the KDC to include
in the new ticket.
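The aliasing described above, reduced to a stand-alone C model that is an added example, not code from MIT krb5: `enc_tkt_part`, `ticket`, the tracking allocator and `process_renewal()` are constructed stand-ins for krb5_enc_tkt_part, header_ticket->enc_part2 and the relevant steps of process_tgs_req(). Frees are counted per block rather than performed twice, because a real double free is undefined behaviour and a hardened allocator would simply abort. `apply_fix` applies the patch's NULL assignment after the struct copy; `kdc_adds_authdata` models the krb5-1.8 merge_authdata() realloc(), which here always relocates (the worst case the advisory mentions).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for krb5_enc_tkt_part with only the member that matters here;
 * authorization_data is heap-owned and released by free_enc_tkt_contents(). */
typedef struct {
    unsigned flags;
    char *authorization_data;
} enc_tkt_part;

/* Toy ticket; enc_part2 plays the role of header_ticket->enc_part2. */
typedef struct {
    enc_tkt_part *enc_part2;
} ticket;

/* Ownership ledger (an assumption of this example, not part of krb5): each
 * allocation is recorded, and only the first free of a block reaches free();
 * later frees of the same block are counted instead. */
#define LEDGER_MAX 16
static void *ledger_ptr[LEDGER_MAX];
static int   ledger_frees[LEDGER_MAX];
static int   ledger_n;

static void ledger_reset(void) { ledger_n = 0; }

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p && ledger_n < LEDGER_MAX) {
        ledger_ptr[ledger_n] = p;
        ledger_frees[ledger_n] = 0;
        ledger_n++;
    }
    return p;
}

static void tracked_free(void *p) {
    if (p == NULL) return;                        /* free(NULL) is a no-op */
    for (int i = 0; i < ledger_n; i++)
        if (ledger_ptr[i] == p) {
            if (++ledger_frees[i] == 1) free(p);  /* only the first free is real */
            return;
        }
}

/* realloc() that always relocates: the old block is released as a side
 * effect, which is how merge_authdata() can free the request's authdata. */
static char *tracked_realloc_str(char *old, size_t n) {
    char *p = tracked_alloc(n);
    if (p && old) strcpy(p, old);
    tracked_free(old);
    return p;
}

/* Number of blocks freed more than once during the last run. */
static int double_free_count(void) {
    int count = 0;
    for (int i = 0; i < ledger_n; i++)
        if (ledger_frees[i] > 1) count++;
    return count;
}

static void free_enc_tkt_contents(enc_tkt_part *e) {
    tracked_free(e->authorization_data);
    e->authorization_data = NULL;
}

/* Mirrors the renewal/validation path of process_tgs_req(): the reply's
 * encrypted part starts as a whole-struct copy of the request's.  Returns
 * how many blocks ended up freed twice; 0 is the safe result. */
static int process_renewal(int apply_fix, int kdc_adds_authdata) {
    ledger_reset();

    /* Constructed request ticket carrying client-supplied authorization data. */
    enc_tkt_part *hdr = tracked_alloc(sizeof *hdr);
    if (!hdr) return -1;
    hdr->authorization_data = tracked_alloc(32);
    if (!hdr->authorization_data) return -1;
    strcpy(hdr->authorization_data, "authdata-from-request");
    ticket header_ticket = { hdr };

    enc_tkt_part enc_tkt_reply = *(header_ticket.enc_part2);  /* shallow copy */
    if (apply_fix)
        enc_tkt_reply.authorization_data = NULL;  /* the advisory's patch */

    if (kdc_adds_authdata)  /* merge_authdata(): grow the reply's authdata */
        enc_tkt_reply.authorization_data =
            tracked_realloc_str(enc_tkt_reply.authorization_data, 64);

    /* Cleanup at the end of process_tgs_req(): both tickets are released. */
    free_enc_tkt_contents(header_ticket.enc_part2);
    tracked_free(header_ticket.enc_part2);
    free_enc_tkt_contents(&enc_tkt_reply);

    return double_free_count();
}

int main(void) {
    for (int fix = 0; fix <= 1; fix++)
        for (int sp = 0; sp <= 1; sp++)
            printf("fix=%d signedpath=%d: %d double free(s)\n",
                   fix, sp, process_renewal(fix, sp));
    return 0;
}
```

Without the fix the shared authorization_data block is freed once by the request's cleanup and once by the reply's, whether or not the krb5-1.8 merge step runs first; with the NULL assignment the reply owns nothing until merge_authdata() gives it a block of its own, and each block is freed exactly once.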


2010-04-20      original release

Copyright (C) 2010 Massachusetts Institute of Technology

