AusCERT - ESB-2012.0723 - ALERT [Win][UNIX/Linux] krb5: Multiple vulnerabilities

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2012.0723 - ALERT [Win][UNIX/Linux] krb5: Multiple vulnerabilities
Date: 01 August 2012
References: ESB-2012.0721 ESB-2012.0724

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0723
               DC heap corruption and crash vulnerabilities
                               1 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          krb5
Publisher:        Massachusetts Institute of Technology
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Denial of Service               -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2012-1015 CVE-2012-1014 

Reference:        ESB-2012.0721

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2012-001

MIT krb5 Security Advisory 2012-001
Original release: 2012-07-31

Topic: KDC heap corruption and crash vulnerabilities

CVE-2012-1015: KDC frees uninitialized pointer

CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      9.3

Access Vector:          Network
Access Complexity:      Medium
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.3

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2012-1014: KDC dereferences uninitialized pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      9
CVSSv2 Temporal Score:  7

SUMMARY
=======

CVE-2012-1015: The MIT krb5 KDC (Key Distribution Center) daemon can
free an uninitialized pointer while processing an unusual AS-REQ,
corrupting the process heap and possibly causing the daemon to
abnormally terminate.  An attacker could use this vulnerability to
execute malicious code, but exploiting frees of uninitialized pointers
to execute code is believed to be difficult.  It is possible that a
legitimate client that is misconfigured in an unusual way could
trigger this vulnerability.

CVE-2012-1014: The MIT krb5 KDC daemon can dereference an
uninitialized pointer while processing a malformed AS-REQ, causing the
daemon to abnormally terminate.  This vulnerability could
theoretically lead to the execution of malicious code, but that is
believed to be very difficult.

No known exploit exists that is capable of executing malicious code
for either vulnerability, but it is also not difficult to trigger a
denial of service with either vulnerability.

IMPACT
======

CVE-2012-1015: By sending a specially crafted AS-REQ, an
unauthenticated remote attacker can cause the KDC to abnormally
terminate or to execute malicious code.

CVE-2012-1014: By sending a malformed AS-REQ, an unauthenticated
remote attacker can cause the KDC to abnormally terminate.  It is
theoretically possible, but unlikely, for this vulnerability to lead
to the execution of malicious code.

AFFECTED SOFTWARE
=================

* The KDC in releases krb5-1.8 and later is vulnerable to
  CVE-2012-1015.

* The KDC in releases krb5-1.10 and later is vulnerable to
  CVE-2012-1014.

* Some platforms detect attempts to free invalid pointers and
  protectively terminate the process, preventing arbitrary code
  execution on those platforms.

FIXES
=====

* The upcoming krb5-1.10.3 release will contain a fix for
  CVE-2012-1014 and CVE-2012-1015.

* The upcoming krb5-1.9.5 release will contain a fix for
  CVE-2012-1015.

* Apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 23623fe..8ada9d0 100644
- - --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     krb5_enctype useenctype;
     struct as_req_state *state;
 
- - -    state = malloc(sizeof(*state));
+    state = calloc(sizeof(*state), 1);
     if (!state) {
         (*respond)(arg, ENOMEM, NULL);
         return;
@@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     state->authtime = 0;
     state->c_flags = 0;
     state->req_pkt = req_pkt;
+    state->inner_body = NULL;
     state->rstate = NULL;
     state->sname = 0;
     state->cname = 0;
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 9d8cb34..d4ece3f 100644
- - --- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request,
                 continue;
 
             }
- - -            if (request_contains_enctype(context, request, db_etype)) {
+            if (krb5_is_permitted_enctype(context, db_etype) &&
+                request_contains_enctype(context, request, db_etype)) {
                 retval = _make_etype_info_entry(context, client->princ,
                                                 client_key, db_etype,
                                                 &entry[i], etype_info2);
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index a43b291..94dad3a 100644
- - --- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
         return 0;
     pa.magic = KV5M_PA_DATA;
     pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
+    memset(&checksum, 0, sizeof(checksum));
     retval = krb5_c_make_checksum(kdc_context,0, reply_key,
                                   KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
     if (retval != 0)
diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c
index c4bf92e..367c894 100644
- - --- a/src/lib/kdb/kdb_default.c
+++ b/src/lib/kdb/kdb_default.c
@@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
     krb5_boolean        saw_non_permitted = FALSE;
 
     ret = 0;
+    if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype))
+        return KRB5_KDB_NO_PERMITTED_KEY;
+
     if (kvno == -1 && stype == -1 && ktype == -1)
         kvno = 0;
 


  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2012-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2012-001-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2012-1014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1014

CVE: CVE-2012-1015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015

ACKNOWLEDGMENTS
===============

We thank Emmanuel Bouillon (NCI Agency) for discovering and reporting
these vulnerabilities.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/07566CE5 2012-01-27 [expires: 2013-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

CVE-2012-1015: KDC frees uninitialized pointer

The KDC function kdc_handle_protected_negotiation(), which handles the
protected negotiation feature of the FAST Kerberos protocol extension,
can attempt to create a checksum using a key type that is invalid for
producing checksums.  This causes its call to krb5_c_make_checksum()
to fail, which leads to the cleanup code in
kdc_handle_protected_negotiation() freeing an uninitialized pointer.

It is possible, but unlikely, for a legitimate client to be
misconfigured in a way that causes the KDC to attempt to use such an
invalid key type in this code.

CVE-2012-1014: KDC dereferences uninitialized pointer

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      9

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Partial
Integrity Impact:       Partial
Availability Impact:    Complete

CVSSv2 Temporal Score:  7

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The KDC function process_as_req(), which handles incoming AS-REQ
messages, allocates a state object using malloc() and initializes many
fields within it.  It fails to initialize state->inner_body, which is
a pointer to a krb5_data object.  If the uninitialized value
state->inner_body is not null, a failure in process_as_req() that
precedes the call to kdc_find_fast() could cause error handling code
in finish_process_as_req() to pass the uninitialized state->inner_body
pointer to krb5_free_data(), which would proceed to dereference the
uninitialized pointer.  The typical outcome is KDC process termination
due to a segmentation fault or similar memory fault.

It is theoretically possible for an attacker to manipulate the
contents of the heap so that the uninitialized pointer
state->inner_body would point to valid memory where
state->inner_body->data contains an attacker-chosen invalid pointer
value.  The krb5_free_data() function would then pass this invalid
pointer to free().  This could allow the attacker to overwrite memory
or execute malicious code on some platforms, depending on the details
of the malloc() implementation.  This indirect attack method seems
much less likely to succeed than one where the attacker could directly
control the invalid pointer value that the program passes to free().

REVISION HISTORY
================

2012-07-31      original release

Copyright (C) 2012 Massachusetts Institute of Technology
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAlAYHFcACgkQSO8fWy4vZo6GswCgi1sNmgLekPTxnHgOaiEmKeVF
1TMAn2EoBKvxZBWhNTISWjM1jcV7sHrU
=8oTe
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUBjGae4yVqjM2NGpAQKHvA//al3YBZF00gFHG8IwCgjzbOwUrOSI0xeI
OgpZrmyIaSkUVXm9vJElhzrRE3qloEryRkUb4TnTQGxtTT70IB0jEHEJ5YJeec2F
9vEobu8mAcIz1S3d1UJlnSS04HDQNx9JMvLFL7o4aOnZhgQP3AMDI10baAX14hVs
A60pr2fXde5iIl9hL0gff3zHyrjnfjVPy632RBL8ZsA07TWkjEMsFwQFq1A0DUrf
3i5QFVtMFPXobw8GrlQ2f8N8miUeA1G66A0AAuKt+fyndGxjvAgYLki59gfct+Uv
iqRz6KqXATHFPnOh2fpfzpYZntBacrFjUZqoBnYOJdezm+7O+ssbeJiN/RW9L3LD
hPzPTqniNwGB91k5XJVSIjkBwdqbYw2NTKuAYP7IrMKqujbqcMzo9OvieJz8kdfN
ldlLH72NzRciywPVFaABbaX/S8POaPSizexyDU19cZTl05SO7nP+LDSbWyloW8iu
P2lRUv9QcTe/m2BtMyKpyLCwtLdP/K7bthexfmDgXfRlpN12WNkHh15VH0Yk/k3P
e1ovJFZ4pSiJp7MtrxcuWS2rUTQH73t1+yqhPa4FwmgOcuhNbHFcnIiQyo+RfjzZ
D2Vww/Iha/S+qkQmov7doaKz4F5EsZqzku6YCt2x2OLk8IBHvJvDw1nSh9DBP7PX
927vQR3Kvzk=
=u+Zq
-----END PGP SIGNATURE-----